Wireshark analysis of a SQL Boolean blind injection traffic capture


0x001 Topic

[Screenshot]

0x002 View injection statement

Import the capture into Wireshark:
[Screenshot]
The raw packet list looks messy. The browser request uses the HTTP protocol, so filter directly for http protocol packets.

Filter for the HTTP request packets:
[Screenshot]
The injection statement is as follows:

http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=32#

This shows that the attacker is using Boolean-based blind SQL injection.

On Boolean-based blind injection, see: https://blog.csdn.net/weixin_44032232/article/details/109358571

0x003 Observe the response packets

The key idea: the response returned when the injected condition is true (a successful probe) must differ from the response returned when it is false.

Observe the response packets to the SQL injection requests.

Response content for a failed injection:
[Screenshot]
Response content for a successful injection:
[Screenshot]

So can we first filter out just the responses to successful injections? Which rule, or which characteristic of the response packets, should the filter use?

The filter conditions I could think of:

  • Filter by content: keep every response packet that contains the string 文章内容 (the article body)
  • Filter by the length of the response packet

Length of the response packet for a failed injection:
[Screenshot]
Length of the response packet for a successful injection:
[Screenshot]

I am not very familiar with Wireshark's filter syntax and did not know how to find the content-filtering syntax, so here I filter on the length of the response packet.

Wireshark HTTP filtering rules:

http.host==magentonotes.com
http.host contains magentonotes.com
//filter HTTP packets for the given host; the host value here is not necessarily the domain in the request

http.response.code==302
//filter packets whose HTTP response status code is 302

http.response==1
//filter all HTTP response packets

http.request==1
//filter all HTTP requests; plain http.request seems to work as well

http.request.method==POST
//filter all HTTP request packets whose method is POST (note that POST is upper case)

http.cookie contains guid
//filter HTTP packets that carry the given cookie

http.request.uri=="/online/setpoint"
//filter on the requested URI, i.e. the part after the domain

http.request.full_uri=="http://task.browser.360.cn/online/setpoint"
//to filter on the whole URL including the domain, use http.request.full_uri

http.server contains "nginx"
//filter packets whose Server header contains the string nginx

http.content_type == "text/html"
//filter HTTP responses and POST packets whose content_type is text/html, i.e. filter HTTP packets by file type

http.content_encoding == "gzip"
//filter HTTP packets whose content_encoding is gzip

http.transfer_encoding == "chunked"
//filter on transfer_encoding

http.content_length == 279
http.content_length_header == 279
//filter on the value of content_length

http.server
//filter all packets whose HTTP header contains a Server field

http.request.version == "HTTP/1.1"
//filter HTTP/1.1 packets, both requests and responses

http.response.phrase == "OK"
//filter on the reason phrase of the HTTP response

Filter on Content-Length. The filter syntax is http.content_length == 366
[Screenshot]
All of the successful injection statements can then be read from the matching response packets.

http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=102#

Meaning of this SQL statement: the ASCII code of the first character of keyid is 102.

>>> print(chr(102))  # convert the ASCII code to a character
f

How can we read off, one by one, the ASCII value of each character from the successful injections?

0x004 Script writing

Export the filtered results above:
[Screenshot]
Then use a regular expression to pull out the injected statements and the ASCII code each one tests for:

import re

number = []
# aa.txt is the text export of the filtered (successful) response packets
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        flag_number = re.findall(r"\[Request URI: .*?=(\d+)%23\]", i, re.S)  # ASCII code the probe tests for (%23 is the URL-encoded '#')
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)  # the injected URL
        if flag_number:
            print(url_list)
            number.append(flag_number[0])

[Screenshot]
Note the ordering of the successful injection statements: the parts circled in the figure above are in sequence (from the first character through the 38th), which is the execution flow of the successful injections.

Knowing the ASCII code of each character, we convert each code back to its character.

Finally, running the script yields the flag:

import re

number = []
# aa.txt is the text export of the filtered (successful) response packets
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        flag_number = re.findall(r"\[Request URI: .*?=(\d+)%23\]", i, re.S)  # ASCII code the probe tests for
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)  # the injected URL
        if flag_number:
            print(url_list)
            number.append(flag_number[0])

print(number)
# the export is in capture order, so the codes come out position by position
flag = ''
for i in number:
    flag += chr(int(i))
print(flag)

[Screenshot]


Source: blog.csdn.net/weixin_44032232/article/details/114297460