Time-based and Boolean-based blind SQL injection

Error-based SQL injection has been done to death: for that kind of vulnerability, a batch vulnerability scanner finds it and sqlmap does the rest.

Today we look at what to do when our input does reach the database query but nothing is echoed back. For example, the application returns a "generic" page, or redirects to a generic page (perhaps the site's home page). In that situation the SQL injection methods covered earlier no longer apply.

Blind injection describes the case where, during SQL injection, the data selected by the injected SQL statement is never echoed to the front end. We have to rely on special methods of inference or trial and error, and that process is called blind injection.

Blind SQL injection falls into three categories:

1. Boolean-based blind injection

2. Time-based blind injection

3. Error-based blind injection


Three functions are used throughout the process:

1. mid() function

mid(string,start,length)

string (required): the string from which a part is returned.

start (required): the starting position (counting from 1).

length (optional): the number of characters to return. If omitted, mid() returns the rest of the string.


2. substr() function

substr(string,start,length)

string (required): the string from which a part is returned.

start (required): the position in the string at which to start.

length (optional): the length of the substring to return.


3. left() function

left(string,length)

Explanations only go so far; it is better just to try it.

string (required): the string from which a part is returned.

length (optional): the number of leading characters of the string to return.

Let's look at how Boolean-based blind injection works.

Boolean-based blind injection means that during SQL injection the application only ever returns a True page or a False page.
We cannot read the database information we need directly off the returned page, but we can recover it by constructing logical conditions (comparisons of values) and watching which page comes back.


The page returns normally here rather than a 404, which shows that the database name is 8 characters long.

Here left() is used to determine the first character of the database name: if the page returns normally, the first character is less than 't'.

If the page also returns normally here, the first character is greater than 'r', so it must be 's'. The remaining characters are determined the same way, one after another.


Next, determine the second character of the database name (an ASCII comparison is used here).

Eventually we find that the current database is named "security".

Now guess the table name. The ASCII code of the first character of the first table in the first database is greater than 113.

It is also less than 115; both pages return normally, so the first character of the table is 'r'.

Continuing in this way, the table turns out to be named referer.

Guess the first letter of the third field.

Therefore the first character of the third field of the current table is 'i'; by analogy, the fourth field of the current table is 'id'.

Guess the first character of the first data item in the third field:

Therefore the first character of the first data item of the current field is 'D'.

Guess the second one:


Therefore the second character of the first data item of the current field is 'u'.

By analogy, the first data item of the current field is 'Dumb'.

In the same way, the first data item of the 'password' field can be deduced to be 'Dumb'.
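As an added example (not code from the original post), here is the lookup pattern that makes the Boolean walkthrough above possible, next to its parameterized fix, with a regression check that tells the two apart. It uses sqlite3 in place of MySQL; the users table, its contents and the function names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the page's "security" database: a users
# table with one row whose first username is 'Dumb', as the walkthrough found.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")

def lookup_vulnerable(user_id: str) -> bool:
    """The pattern behind the walkthrough: the parameter is pasted into the
    SQL text, so anything after the number becomes part of the WHERE clause
    and the found/not-found answer turns into a yes/no oracle."""
    sql = "SELECT id FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchone() is not None

def lookup_hardened(user_id: str) -> bool:
    """Same lookup with a bound parameter: the input is compared as a value
    and never parsed as SQL, so an appended condition simply matches no row."""
    row = conn.execute("SELECT id FROM users WHERE id=?", (user_id,)).fetchone()
    return row is not None

# Two probes of the kind the page builds with substr(): one whose condition
# is true (the first username starts with 'D') and one that is false.
TRUE_PROBE = "1 AND substr((SELECT username FROM users LIMIT 1),1,1)='D'"
FALSE_PROBE = "1 AND substr((SELECT username FROM users LIMIT 1),1,1)='Z'"

def exposes_boolean_oracle(lookup) -> bool:
    """Regression check for the fix: a lookup leaks one bit per request if a
    true and a false condition produce different answers."""
    return lookup(TRUE_PROBE) != lookup(FALSE_PROBE)
```

The check is what a code reviewer can keep in the test suite: it passes for the hardened lookup and fails for the concatenating one.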


Building on Boolean-based blind injection, next comes time-based injection.

After we inject SQL code, there are two possibilities:

  • The injected SQL code does not affect the normal execution of the back-end database, and the web application displays its page correctly (the original page).
  • The injected SQL code does affect the normal operation of the back-end database (SQL injection occurs), but the web application's page still displays normally, because the application takes "redirect" or "blocking" measures.

This raises a question: was the SQL code we injected executed by the back-end database at all? In other words, does the web application have a SQL injection vulnerability?

In this situation the Boolean-based blind injection described above is hard to apply, because it relies on the web application returning two distinguishable pages, true and false. Instead we generally judge whether SQL injection exists from differences in the web application's response time; this is time-based blind SQL injection.

if statement/if() function

In time-based blind SQL injection, we often use a conditional statement to determine whether our operation succeeded:

if condition then do_something else do_something_else

That is, if a certain condition holds, statement one is executed; otherwise statement two is executed.

In MySQL, the if() function syntax is as follows:

IF(expr1,expr2,expr3)

If expr1 is true, IF() executes expr2; otherwise it executes expr3.

sleep() function

In mysql, the sleep() function syntax is as follows:

sleep(seconds)

That is, sleep() pauses execution for the given number of seconds.

BENCHMARK() function

In mysql, the BENCHMARK() function syntax is as follows:

BENCHMARK(count,expr)

That is, BENCHMARK() evaluates the expression expr count times.

Under normal circumstances, we do not recommend using the BENCHMARK() function because it consumes a lot of CPU resources.


Next, learn about time-based blind SQL injection.

Here we use IF(query condition, 1, sleep(5)): if our condition is true, the result is returned immediately; if it is false, the page comes back only after 5 seconds. So we judge whether our condition held from how long the page takes to return. The starting point is the same as in Boolean-based blind injection: construct a condition and determine whether it is true.

Step 1: Enumerate the current database name


database() returns the current database name; its characters are then enumerated one by one by comparing their ASCII codes (binary search over the ASCII range is recommended for each character).

Finally, we get the current database as "security".

Step 2: Enumerate the table names of the current database

Here we only show how the first character of the first table in the current database is enumerated, as shown in the figure:

When we test whether the first character of the table is greater than 102, the browser only displays the page after 5 seconds (ignore the content below), so that condition is false. When we test whether it is greater than 100, the browser displays the page immediately, so the first character is greater than 100. All the characters of the table name can be obtained this way.

Finally, we get the first table named "emails" in the current database.

Step 3: Enumerate the field names of the current table

Here we show the full enumeration of the first field name of the current table, as the figure shows:

Many people will wonder how we know when the characters obtained make up the complete field name, since we don't know its length.

This is simple: while enumerating a field name, compare the current character directly with 1 (that is, test whether its ASCII code is greater than 1). If that test fails, we can generally conclude that the complete field name has been obtained, as the figure shows:

Step 4: Enumerate the contents of the data items corresponding to each field

At this step I ran into the following problems:


Judging step by step, the final result is 'admin'.
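As an added, defender-side example (not from the original post), the following Python scans constructed access-log lines for the traces both blind methods leave behind: sleep()/BENCHMARK() calls for the time-based variant, substr()/mid()/left() followed by a comparison for the Boolean variant, and the per-source volume of probes that character-by-character enumeration produces. The log format, the trailing response-time field, the path /item.php and the 4-second threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the page): Apache-style entries
# plus an assumed trailing field, the response time in milliseconds.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2020:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 12
203.0.113.5 - - [01/Aug/2020:10:00:02 +0000] "GET /item.php?id=1%20and%20ascii(substr(database(),1,1))%3E113 HTTP/1.1" 200 512 14
203.0.113.5 - - [01/Aug/2020:10:00:03 +0000] "GET /item.php?id=1%20and%20left(database(),1)%3C%27t%27 HTTP/1.1" 200 512 13
198.51.100.7 - - [01/Aug/2020:10:00:04 +0000] "GET /item.php?id=1%20and%20if(ascii(substr(database(),1,1))%3E100,1,sleep(5)) HTTP/1.1" 200 512 5011
192.0.2.9 - - [01/Aug/2020:10:00:05 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498 11
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ (?P<ms>\d+)$')
# The functions the page pairs with blind injection: delay functions for the
# time-based variant, string slicing followed by a comparison for the Boolean one.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
CHAR_PROBE = re.compile(r"\b(substr|substring|mid|left)\s*\(.*?[<>=]", re.I | re.S)
SLOW_MS = 4000  # assumed threshold: far above normal, just under a sleep(5)

def classify(line):
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote_plus(m.group("url"))  # payloads arrive URL-encoded
    kinds = []
    if TIME_FUNCS.search(query):
        kinds.append("time_delay")
    if CHAR_PROBE.search(query):
        kinds.append("char_probe")
    if not kinds:
        return None
    ms = int(m.group("ms"))
    return {"ip": m.group("ip"), "kinds": kinds, "ms": ms,
            "slow": ms >= SLOW_MS, "query": query}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

def hits_per_ip(findings):
    """Blind injection needs many probes per character, so count per source."""
    return Counter(f["ip"] for f in findings)
```

A single slow request with sleep() in it is already strong evidence; a burst of char_probe hits from one address with only the compared number changing is the Boolean variant's fingerprint.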

Finally, thanks to Xiong Junkun for his blog.


Origin blog.csdn.net/weixin_45682070/article/details/107819901