Brief introduction to the principle of time-based blind injection


Introduction to time-based blind injection
Blind injection means that during SQL injection, after the injected SQL statement is executed, the selected data is not echoed to the front-end page. We then have to rely on other methods of judgment or trial; this process is called blind injection.

The principle of blind injection
The essence of blind injection is guessing. With no echoed data, we can only rely on "feel" to perceive small differences between queries, and these differences are of two kinds: differences in running time and differences in the returned page.
For Boolean-based blind injection, we construct an injection statement that tests a Boolean expression we supply; whether the expression is true or false makes the page react differently.
For time-based blind injection, the statement we construct contains a function that affects the running time of the system; from the response time of each page we can tell whether the injected statement was executed.
Blind injection classification
• Boolean-based blind SQL injection
• Time-based blind SQL injection
• Error-based blind SQL injection
Process:

  1. Find and confirm the SQL blind injection point
  2. Force a generic error interface
  3. Inject queries with side effects
  4. Based on the true or false result of the Boolean expression, combined with the different returned results, confirm whether the injection succeeded

Time-based blind injection:
Common functions:
if(expr, v1, v2): if the expression expr holds, return v1; otherwise return v2
substring(s, n, len): from the string s, take the substring of length len starting at position n
sleep(duration): pause for the number of seconds given by the duration parameter

(Note): sleep delays by the specified time once for every row that satisfies the condition. For example, with sleep(5), if two rows actually match, the total delay is 10s. This is important information: in a real penetration test we sometimes do not know the state of the whole table, and this behaviour can be used to probe it, for example by using sleep(0.001) and inferring the number of rows from how many seconds the result takes.

Common syntax format:
select * from table where id = 1 and if(Boolean expression, sleep(5), 1);

Injection idea:
The general idea of time-based blind injection is delayed injection. Put bluntly, functions such as sleep() or benchmark() are used to make MySQL take longer to execute, combined with the conditional statement if(expr1, expr2, expr3); the page's response time then tells us whether the statement evaluated to TRUE or FALSE, so unknown fields can be guessed.

Injection process (taking the database version information as an example):

  1. Determine the injection point and injection type
  2. Use an if statement to guess the length of version(), using the sleep function as the basis for judgment
  3. Repeat step 2 until the true length is obtained
  4. Use an if statement to guess the ASCII code of the first character of version(), using the sleep function as the basis for judgment, and construct the injection statement
  5. Repeat step 4 until the ASCII codes of all characters of the version string are obtained

Injection test:
First, find the injection point. Seeing id = 1, we guess there may be SQL injection.
Second, determine the injection type. Adding a symbol after 1 produces an error, indicating character-type injection.
Since there is no echoed data, try time-based blind injection.
Payload as follows:
id = 1' and sleep(2);
You can see that sleep executed successfully and the response time is 2 seconds, indicating that sleep() is not filtered.
Try to obtain the database version information. First determine the length of the version string:
id = 1' and if(length(version()) = 23, sleep(3), 1)-+
If the length is 23 characters, the response takes 3s; otherwise it returns immediately.

After determining the length, find the ASCII code of each character in turn.
For example: id = 1' and if(ascii(substring(version(), 1, 1)) = 53, sleep(3), 1)-+
This tests whether the ASCII code of the first character is 53, that is, the character '5'.
Repeat the above steps to obtain the full version information.

Bypass methods:
When the sleep and benchmark functions are blocked, the following two methods can be used to bypass the restriction.
1. Stacked full permutations (Cartesian products)
A so-called stacked full permutation joins multiple tables as a Cartesian product so that query time grows exponentially; that is, the attacker keeps stacking simple table queries, continuously increasing the load of executing the SQL statement, until the desired delay is produced.

For example, a multi-table query against the system table information_schema.columns behaves as follows.
The single-table query returns 3083 rows and takes 0.05s.
The two-table query returns 9504889 rows and takes 0.44s.
And so on. If the injected query is too large, the delay becomes too long; if it is too small, the delay cannot be felt, so several attempts are usually needed.

2. The get_lock() locking mechanism
Basic statements:
select get_lock(key, timeout) from test;
select release_lock(key) from test;
(1) GET_LOCK takes two parameters: key, which the article treats as the field to be locked (to MySQL it is simply a lock name string), and timeout, the number of seconds to wait when the lock cannot be acquired. After one client holds the lock, another client trying to take the same lock fails, but only after waiting for the set time.
(2) When RELEASE_LOCK is called, or the client disconnects, the lock is released and other clients can acquire it.

Test process:
First lock the name field; the result is 1 and the time is 0, proving the lock was acquired.
Then, from another MySQL connection, lock the same field; the result is 0 after the custom 5-second wait, proving the lock failed.

Using the above theory together with the principle of time-based blind injection, get_lock() can be used to construct a time-based blind injection statement:

  1. First, acquire the lock via the injection
    select * from xxx where id = 1 and get_lock('column_name', 1);
  2. Then construct the blind injection statements
    select * from xxx where id = 1 and 1 and get_lock('column_name', 5);
    select * from xxx where id = 1 and 0 and get_lock('column_name', 5);

It is worth noting that this bypass method has a limitation: the database connection must be persistent, because what we rely on is the blocking effect of the earlier connection on the later one, which produces the delay. Therefore this method only applies to websites that connect to the database with PHP's mysql_pconnect().

Advantages and disadvantages of time-based blind injection:
The biggest advantage of time-based blind injection is that it leaves little trace in the logs, especially compared with error-based attacks. However, where a large number of queries or CPU-intensive functions (such as MySQL's BENCHMARK()) must be used, the system administrator may notice what is happening.
Another thing to consider is the delay you inject. This is especially important when testing web applications, because server load and network speed can have a large effect on response time. You need to pause the query long enough that these uncertainties do not interfere with your results; on the other hand, you want the delay short enough to test the application in a reasonable time, so choosing this duration is difficult.
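From the administrator's side, the trace such an attack does leave is a run of requests naming a delay function and taking suspiciously long. The following Python script is an added example, not part of the original article: it scans constructed access log lines for the delay primitives discussed above (sleep, benchmark, get_lock) and correlates each with the recorded response time. The log format (combined format with a trailing response-time field in milliseconds), the sample lines and the thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample data: combined-format access log lines with an appended
# response-time field in milliseconds (last token); the payloads are the
# article's own, URL-encoded as a log scanner would see them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2019:12:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 48
203.0.113.7 - - [10/Aug/2019:12:00:05 +0000] "GET /item.php?id=1%27+and+sleep(2) HTTP/1.1" 200 0 2051
203.0.113.7 - - [10/Aug/2019:12:00:09 +0000] "GET /item.php?id=1%27+and+if(length(version())=23,sleep(3),1)-+ HTTP/1.1" 200 0 3012
203.0.113.7 - - [10/Aug/2019:12:00:14 +0000] "GET /item.php?id=1+and+get_lock(%27column_name%27,5) HTTP/1.1" 200 0 5003
198.51.100.4 - - [10/Aug/2019:12:00:21 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498 51
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ (?P<ms>\d+)$'
)
# MySQL primitives that stall a query on purpose (the article's sleep,
# benchmark and get_lock), matched against the URL-decoded request.
DELAY_FN_RE = re.compile(r"\b(sleep|benchmark|get_lock)\s*\(", re.IGNORECASE)


def scan_log(text, slow_ms=1000):
    """One finding per request naming a delay function. delay_observed is True
    when the server really took >= slow_ms, i.e. the injection point is live."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        hit = DELAY_FN_RE.search(unquote_plus(m.group("url")))
        if not hit:
            continue
        ms = int(m.group("ms"))
        findings.append({
            "ip": m.group("ip"),
            "function": hit.group(1).lower(),
            "response_ms": ms,
            "delay_observed": ms >= slow_ms,
        })
    return findings


def suspect_sources(findings, min_hits=2):
    """IPs that sent repeated delay-function requests: the per-character
    guessing loop the article describes needs many of them from one client."""
    hits = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in hits.items() if n >= min_hits)
```

Requests whose decoded query names a delay function but that return quickly point to a filter doing its job; the ones that really stall are the cases worth alerting on and fixing at the query (parameterised statements).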

Origin blog.csdn.net/m0_38103658/article/details/100160609